Blog

Comparing ISO 37002 and the EU Whistleblower Directive

How the voluntary ISO guidelines differ from the EU’s new whistleblower protection requirements

Kelly Maxwell, Content Marketing Specialist, OneTrust
July 19, 2022

What is ISO 37002?
Why should my company adopt ISO 37002?
ISO 37002 vs the EU Whistleblower Directive
Establishing a compliant hotline

The European whistleblowing landscape has seen massive progress with the passage of the EU Whistleblowing Directive — and the ripple effects are being felt far beyond the EU’s borders. Take, for example, ISO 37002. Published within two years of the EU Whistleblowing Directive, this standard applies to a wide range of companies across the globe and provides best practices for a whistleblower management system.

What is ISO 37002?

ISO 37002 is a framework for setting up and maintaining a whistleblowing hotline that adheres to the highest standards as outlined by the International Organization for Standardization (ISO). In their own language, it provides “guidelines for establishing, implementing and maintaining an effective whistleblowing management system” based on the principles of trust, impartiality and protection in the following four steps:

Receiving reports of wrongdoing
Assessing reports of wrongdoing
Addressing reports of wrongdoing
Concluding whistleblowing cases

The ISO is an independent, non-governmental international organization, bringing together global experts to “share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.” Its standards, including ISO 37002: Whistleblowing Management Systems, represent guidelines or best practices that organizations can adopt voluntarily. This sets ISO standards apart from regulations like the EU Whistleblower Directive, Sarbanes-Oxley in the United States, or Sapin II in France which companies are legally obligated to comply with.

Why should my company adopt ISO 37002?

The ISO recommends the adoption of ISO 37002 stating, “It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.” This means ISO 37002 is a holistic and adaptable approach to establishing a whistleblowing management system that meets or exceeds regulatory requirements.

According to the ISO, adopting ISO 37002 will encourage whistleblowers to come forward and make case handling much more effective – improving your organization’s culture and governance, while reducing the risk of wrongdoing.

How does ISO 37002 differ from the EU Whistleblower Protection Directive?

The EU Whistleblower Protection Directive outlines a minimum set of protections for whistleblowers in Member States of the European Union, which must be implemented by organizations with 250+ workers (and by organizations with 50+ workers by December 17, 2023). The EU Directive focuses on whistleblower protections and empowerment; ISO 37002 focuses on the processes and systems a company uses to enable whistleblowers. Plus, the EU Whistleblower Directive is (as the name implies) a directive which must be transposed into law in all 27 EU Member States, while ISO 37002 is a set of guidelines that companies may voluntarily adopt.

From a tactical perspective, ISO 37002 recommends standards for processes, systems, and technology an organization must meet in order to follow through with whistleblower protections. ISO 37002 details voluntary guidelines for organizations who wish to establish their own compliant whistleblower management system anywhere in the world.

The two sets of guidelines complement one another, ensuring that any whistleblower protection standards put into place between now and the adoption of the EU Whistleblower Protection Directive will work together. Following both sets of guidelines could prevent companies from a costly whistleblower hotline implementation that ends up being non-compliant.

Both the EU Whistleblower Directive and ISO 37002 aim to protect whistleblowers and the confidentiality of the subsequent reports. Private, public, and not-for-profit organizations, regardless of employee count or geographic location, can adopt the ISO 37002’s guidance.

Want to learn more about the EU Whistleblower Directive? Check out our ultimate guide.

Establishing a compliant hotline

Whether your organization is a global enterprise with thousands of EU-based employees or a growing start-up that wants to set their hotline up according to the highest standards, OneTrust can help.

Request a free Helpline and Case Management demo today.

Your partner in trust transformation

Privacy Matters

Our privacy center makes it easy to see how
we collect and use your information.

Your privacy

When we collect your personal information, we always inform you of your rights and make it easy for you to exercise them. Where possible, we also let you manage your preferences about how much information you choose to share with us, or our partners.

Blog

Comparing ISO 37002 and the EU Whistleblower Directive

Table of contents

What is ISO 37002?

Why should my company adopt ISO 37002?

How does ISO 37002 differ from the EU Whistleblower Protection Directive?

Establishing a compliant hotline

You may also like

Privacy Management

Understanding data transfers under the GDPR ebook

In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.

June 05, 2024

Privacy Management

Navigating data privacy in 2024: Global regulatory updates & compliance strategies

Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.

March 20, 2024

Privacy Management

OneTrust announces partnership with Europrivacy

Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.

December 06, 2023

Technology Risk & Compliance

Demonstrating GDPR compliance with Europrivacy criteria: The European Data Protection Seal

Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.

November 30, 2023

Speak-Up Program Management

Navigating the EU Whistleblower Protection Directive: New rules, new risks

Join our expert-led webinar where we explore the EU Whistleblower Protection Directive and practical steps towards compliance.

November 02, 2023

Privacy Management

Revisiting the ICO Data Protection Practitioner's Conference: Addressing your top challenges

Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.

October 25, 2023

Privacy & Data Governance

Understanding the EU Data Boundary

Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.

September 22, 2023

Privacy Management

Privacy in practice: PIA & DPIA with PA Consulting

Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

September 21, 2023

Privacy & Data Governance

Privacy in practice for data mapping: With PA Consulting and Syngenta

Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

September 14, 2023

Privacy Management

India's DPDPA: What you need to know

In this webinar, legal experts discuss India's newly enacted comprehensive privacy law, the Digital Personal Data Protection Act, 2023 ('DPDPA')

September 12, 2023

Governance & Policy Management

EU-US DPF: What next for UK businesses?

Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

September 06, 2023

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Privacy Management

The Revised FADP: 7 steps toward preparedness

Prepare for Switzerland’s Revised Federal Act on Data Protection (Revised FADP) when it comes into force on September 1, 2023 with our free compliance checklist.

June 15, 2023

Privacy & Data Governance

The 3 priorities of the French DPO: Gain visibility, take action, automate

Download our infographic and learn about the 3 priorities of the French DPO.

May 30, 2023

Privacy Management

Saudi Arabia's PDPL latest amendments: Are you ready?

Join OneTrust and Deloitte Middle East as we cover the latest changes to Saudia Arabia's Personal Data Protection Law (PDPL) and what it means for organizations in the KSA region.

May 30, 2023

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance.

May 25, 2023

Privacy Management

Global Panel — GDPR & Tech: Key considerations of Privacy by Design and AI in tech

Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.

May 25, 2023