Some companies and organisations have already implemented a whistleblower hotline, and others will be starting from ‘scratch’ in learning how to comply with the EU Whistleblower Protection Directive. Whatever your current position, consider the following actions that you need to take to comply with the directive. If you haven’t yet, read Part 1 of this series for a primer with absolutely everything you need to know about the Directive.
Action Planning for the EU Whistleblower Protection Directive
With the whistleblowing rules in Europe changing so fundamentally as a result of this directive (the law, for example, provides for minimum standards on whistleblower compliance), there is no question that companies and organisations (and local authorities) need to take action now. In particular, companies and organisations with more than 250 ‘workers’ (defined in Part 1) must comply with the legislation by 17th December 2021, and those with between 50 and 249 by 17th December 2023, i.e. two years later.
In EU parlance, a directive specifies legislative results that must be achieved by each Member State (country), but each Member State is free to decide how to transpose the directive into national law within the following two years. Because it is a directive and not a regulation, the EU Member States (countries) will be required to enshrine the EU Whistleblower Protection Directive into local law over what is currently the next fourteen months.
Because implementation of the directive will be undertaken on an EU Member State-by-State basis, this will inevitably mean that there will not be full harmonisation across the EU and, instead, timings, content and legal detail will vary across the current 27 countries. Arguably, this is ‘only’ an extension of the current position regarding whistleblowing—where there are, for example, significant variations regarding anonymity—but it nonetheless represents a further challenge to those multi-national companies that operate across the EU.
Unfortunately, there is no other option than to continue to monitor the position in each relevant country. If your company or organisation does not yet have a professional multi-channel whistleblower hotline in place, then now is a very good time to start, particularly given that language variants will clearly be a requirement for operating in the EU. We can help configure your helpline to meet the latest, most current requirements—connect with our Professional Services team to learn more.
The Practicalities of EU Whistleblower Directive Compliance
It is important to recognise that just because a company or organisation already has some form of internal or external whistleblower hotline, that does not necessarily mean that it will be compliant with the directive’s minimum standards and, indeed, it is more likely that it will not be.
Clearly, there are a number of ‘givens’ for a fully effective whistleblower hotline; these include communications/publicity about the hotline, assurance regarding confidentiality and impartiality, diligent investigation, reporter feedback (including acknowledgements), and demonstrable action and outcomes.
However, the directive will, for example, also require information about the hotline reporting process to be expanded (typically in policy documents, codes of conduct, posters, websites, etc.) to include external reporting to authorities. Clearly, the potential risks associated with this may concern companies and organisations, and that is why preparation and communication in good time for the directive is essential.
Linked to this, the significantly widened scope of whistleblowing reporting under the directive regarding violations of EU law needs to be communicated, as does the enhanced scope in specific Member States (such as the Netherlands) where it is already broader. Moreover, if the whistleblower hotline is only presently available to current employees, then the communications and infrastructure will need to be expanded to cover individuals such as contractors, sub-contractors, freelancers, suppliers, vendors, shareholders, customers, former employees and volunteers. At a minimum, this might require the hotline details to be placed outside the firewall; this may then bring with it a host of customer complaint-type calls and reports, and processes will clearly need to be established in order to respond.
It can be easy to dismiss some of the requirements in the directive with a wave of the hand—‘Yes, we do that/have that’—but, if tested, is that really the case for your company or organisation? For example, if someone requested a physical meeting where would that be held, and how would their identity be protected? Similarly, have report investigators been trained, has that training been regularly refreshed, are there investigative protocols in place and, also, do they have the personal ‘bandwidth’ to genuinely take on investigations?
It should be recognised that some of the EU Whistleblower Protection Directive’s requirements, such as formally acknowledging receipt of a whistleblower report, also already appear in the laws, regulations and guidance published by some individual Member States, including France. However, such well-intended routine actions do need to be properly considered, as an e-mail seen on a screen could tip off colleagues, compromise a report, and might also inadvertently lead to whistleblower retaliation.
Retaliation Guidelines in the EU Whistleblower Directive
Under the EU Whistleblower Protection Directive, appeals-type processes for whistleblowers will become more important than ever as a ‘safety-valve’ to provide a channel for complaints about the handling and recognition of their report, and also any retaliation. Almost uniquely, the directive incorporates a ‘reverse burden of proof’ regarding whistleblower retaliation—such that it is not up to the whistleblower to prove that they were retaliated against but, instead, the company or organisation has to prove that they did not retaliate. As highlighted in Part 1, given that in most companies and organisations whistleblower retaliation prevention extends only to a policy or, perhaps, periodic post-report follow-up, the reverse burden of proof will likely require a demonstrably more proactive and communicative approach to anti-retaliation, including analysis of whistleblower reports and their consequences for reporters, including effects on measures such as pay, bonus, annual review, overtime and shift allocations.
There is no question that the directive brings with it major change for companies and organisations of all sizes, such that they will now need to address whistleblowing, helplines and whistleblowers in ways previously unseen, certainly in the EU.
The directive provides for minimum standards on how companies and organisations should handle and respond to reports made by whistleblowers, and given its associated deadlines, requires that action in response to the directive’s requirements is taken now. To ensure whistleblower compliance, this includes reviewing the performance of any existing whistleblower hotlines and, critically, changing internal processes to align with the directive. Notwithstanding, it is clearly crucial that employees and other individuals are fully confident in, and comfortable with, reporting through the internal hotline. Failure to communicate, manage reports effectively, and take action could lead to external reporting, with all the risk that that potentially brings. It is for this reason, and related ones, that hotline testing is an increased focus within the global ethics and compliance community, as it is one way of really understanding the reporter experience.
Read the full 131-page English text of the EU Whistleblower Protection Directive.
Need help laying the groundwork to comply with the EU Whistleblower Protection Directive? Connect with our Professional Services team for a Convercent Helpline demo today, or download my FAQ guide to the EU Whistleblower Protection Directive below.