ISO 37002 and the EU Whistleblower Protection Directive: Building on a Strong Foundation

By December 17, 2021, European companies and organizations with more than 250 workers must comply with the EU Whistleblower Protection Directive (Directive 2019/1937). This means that, for the first time, many EU-based companies will need to implement and enforce a whistleblowing program. The deadline for EU Whistleblower Protection Directive compliance is set, but organizations that want to prepare ahead of their respective deadlines can adopt ISO 37002 now. Think of ISO 37002 as an expandable roadmap to compliance and a way to set your organization up for success before the deadline and beyond.

Before taking a deep dive into the differences between ISO 37002 and the EU Directive, take a moment to catch up on everything you need to know about the EU Whistleblower Directive and how to comply with the EU Whistleblower Protection Directive.

What is ISO 37002?

The International Organization for Standardization (ISO) is an independent, non-governmental international organization, bringing together global experts to “share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.” The ISO recently published ISO 37002: Whistleblowing Management Systems as a standard for voluntary guidance. ISO 37002 provides “guidelines for establishing, implementing and maintaining an effective whistleblowing management system” based on the principles of trust, impartiality and protection in the following four steps:

  1. Receiving reports of wrongdoing
  2. Assessing reports of wrongdoing
  3. Addressing reports of wrongdoing
  4. Concluding whistleblowing cases

What Does Adopting ISO 37002 Guidance Look Like?

Figure 1 — Overview of a whistleblowing management system
A conceptual overview of a recommended whistleblowing management system showing how the principles of trust, impartiality and protection overlay all elements of such a system.

The ISO recommends the adoption of ISO 37002 stating, “It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.” This means ISO 37002 is a holistic and adaptable approach to “establishing, implementing, maintaining and improving a whistleblowing management system.”

Adoption of the ISO guidance will support the following outcomes:

  • Encouraging and facilitating reporting of wrongdoing
  • Supporting and protecting whistleblowers and other interested parties involved
  • Ensuring reports of wrongdoing are dealt with in a proper and timely manner
  • Improving organizational culture and governance
  • Reducing the risks of wrongdoing

Potential benefits for the organization include:

  • Allowing the organization to identify and address wrongdoing at the earliest opportunity
  • Helping prevent or minimize loss of assets and aiding recovery of lost assets
  • Ensuring compliance with organizational policies, procedures, and legal and social obligations
  • Attracting and retaining personnel committed to the organization’s values and culture
  • Demonstrating sound, ethical governance practices to society, markets, regulators, owners, and other interested parties

An effective whistleblowing management system will build organizational trust by:

  • Demonstrating leadership commitment to preventing and addressing wrongdoing
  • Encouraging people to come forward early with reports of wrongdoing
  • Reducing and preventing detrimental treatment of whistleblowers and others involved
  • Encouraging a culture of openness, transparency, integrity, and accountability

Now that we know what ISO 37002 is, how does it relate to the EU Whistleblower Protection Directive? How can the ISO guidelines help companies build a strong foundation for the EU Whistleblower Protection Directive?

How does it differ from the EU Whistleblower Protection Directive?

The EU Whistleblower Protection Directive outlines a minimum set of protections for whistleblowers in member states of the European Union, which must be implemented by organizations with 250+ workers by December 17, 2021. Over the following two years, organizations with 50-249 workers will need to comply as well. The EU Directive focuses on the human impact of whistleblowing, setting up protections and empowering whistleblowers. ISO 37002 focuses on the “how” of empowering and protecting whistleblowers. From a tactical perspective, ISO 37002 recommends standards for the processes, systems, and technology an organization must have in place in order to follow through on whistleblower protections. ISO 37002 details voluntary guidelines for organizations that wish to establish their own compliant whistleblowing management system anywhere in the world.

The EU Whistleblower Protection Directive, set to become the standard for all member state organizations over the next two years, can act as a best-practice foundation for the voluntary guidance outlined in ISO 37002. The two sets of guidelines complement one another, ensuring that any whistleblower protection standards put into place between now and the adoption of the EU Whistleblower Protection Directive will work together. This pairing will prevent any costly non-compliant implementation.

How do ISO 37002 and the EU Whistleblower Protection Directive compare?

The two sets of guidelines are complementary and are designed to work together, preventing wasted time and resources on the path to compliance. Below, we outline the main intended outcomes of the two documents:

ISO 37002 | EU Whistleblower Protection Directive
Encouraging and facilitating reporting of wrongdoing | Creates internal and external channels for safe reporting
Supporting and protecting whistleblowers and other interested parties involved | Makes sure workers know where and how to report wrongdoing
Ensuring reports of wrongdoing are dealt with in a proper and timely manner | Provides timely feedback and acknowledges receipt of reports
Improving organizational culture and governance | Protects the confidentiality of both whistleblowers and the parties named in reports
Reducing the risks of wrongdoing | Protects workers from retaliation

Note that both ISO 37002 and the EU Directive set out detailed guidance on reporting and on protecting the individuals involved in reporting. Both aim to protect whistleblowers and the confidentiality of the resulting reports, providing guidelines for implementing, managing, evaluating and maintaining effective whistleblowing systems. ISO 37002 is built on the principles of trust, impartiality and protection; private, public, and not-for-profit organizations, regardless of employee count, can adopt ISO 37002’s guidance.

You’re already on a deadline to comply with the EU Whistleblower Protection Directive. Download our comprehensive guide here and make sure your organization is prepared.
