The EU Whistleblower Protection Directive: Finding a Hotline Vendor That Will Help You Comply

Who will support you best? Evaluating hotline vendor compliance with the EU Whistleblower Protection Directive across all Member States 

Does your hotline provider stand up to the scrutiny necessary to comply with the EU Whistleblower Protection Directive? Let’s unpack what the Directive requires, some best practices for first-time implementation or establishing performance markers for current hotline providers, and how Convercent’s Helpline & Case Manager is configurable for every type of business, whether you just need the basics or a global-ready, enterprise hotline. 

How to Evaluate Vendors Against Directive Requirements 

Taking a critical eye to potential vendors and their offerings can be an overwhelming task. We’ve distilled it down to six key elements that you can bring to potential vendors or use to measure your current hotline provider, in order to ensure compliance. 

  1. Reporter Communication: Anonymous and Named  
  2. Data Security and GDPR 
  3. Call Center 
  4. Accessible Intake Methods 
  5. Confidentiality and Retaliation Prevention 
  6. Record Keeping and Retention 
  7. EU Whistleblowing Protection Directive Hotline Vendor Checklist 

Reporter Communication: Anonymous and Named  

Before we take a closer look at the core principles behind reporter communication, we must stress that there is a real human element to remember: nobody ever starts out wanting to be a whistleblower, and coming forward is often fraught with fear of retaliation. The Directive may be laden with legal jargon and compliance can feel overwhelming, but if you and your compliance team stay connected to the heart and soul behind the legislation, you’ll remain grounded in its noble mission. Below, you’ll see a list of practical considerations to incorporate into your playbook, shaping your whistleblower communication plan.

Practical considerations when communicating with whistleblowers:  

  • Acknowledgment of receipt within seven days 
  • Ability to take anonymous reports 
  • Ability to communicate with reporters, anonymous or not 
  • Resolution/feedback within three months 
  • Diligent follow-up 
  • Review, approval, or editing of interview notes 

Bear in mind that the Directive establishes the floor, carving out the minimum requirements for protecting whistleblowers. Your organization’s actual plan can (and perhaps should) go above and beyond the letter of the Directive. Your compliance team should communicate with whistleblowers and document as much as possible in order to establish trust and transparency. Be sure to make this emphasis clear in both your internal and external publications. A hotline provider should be able to automate some of the process in a workflow, making sure that your communication and documentation adhere to the Directive’s requirements.

Data Security & GDPR 

Remember that 2016’s General Data Protection Regulation (GDPR) came from the same governing body, and the guidance adopted by all Member States also needs to be honored in your efforts to comply with the EU Whistleblower Protection Directive. This means prioritizing the same issues (secure communications, minimal personal identifying information, authorized access to records, etc.) and keeping up with the same standards. Your organization will have to scope out exactly how much necessary information you need to collect, and how long you archive that sensitive data, in order to process your reports, while remaining compliant with GDPR.  

Practical data privacy considerations for your whistleblowing helpline: 

  • Complying with GDPR 
  • Only collecting the necessary personal information required to handle the specific report 
  • Secure & confidential reporting channels 
  • Prevention of access by non-authorized employees 

Call Center 

The easiest way you can comply with the Directive’s accessibility component is to establish a call center—or choose a hotline vendor that uses a call center—capable of processing reports in multiple languages, regardless of internet access or physical location. The Directive is clear that any person who acquires information from business activities can be a whistleblower, not just current full-time employees, so a well-trained and capable call center is key for expanded reporting.  

Practical considerations for your helpline vendor’s call center: 

  • Language capabilities 
  • GDPR-compliant 
  • Knowledgeable and able to communicate the investigative protocol 
  • Available and accessible to employees, subsidiary employees, suppliers, agents, and any persons who acquire information through work-related activities
  • Competent and empathetic 

Accessible Intake Methods 

A call center is one channel for establishing accessible intake. Depending on the size of your organization and the scope of your international operations, you may seek to establish more than one intake method. According to the Directive, your reporting channels “should be made available to employees, subsidiary employees, suppliers, agents, and any persons who acquire information through work related activities.” Establishing multiple routes for employees to speak up means that you’re honoring the accessibility component of the Directive, and you are also reinforcing trust and transparency at your organization. Be thoughtful when considering your vendor’s capabilities for report intake because they matter on multiple levels. 

Routes to speak-up

Accessible intake options: 

  • Web 
  • Whistleblowing app 
  • Externally 
  • Email 
  • Line manager (proxy)/physical meeting 
  • Whistleblowing hotline – by telephone or voice messaging 

Accessible Resources 

Beyond establishing accessible intake methods, you must make sure that whistleblowers are provided with the necessary resources. Think your process through, from what initial intake looks like to how case resolution will be operationalized. Does the process include resources, education, and enablement for whistleblowers? In practice, all organizations should have a dedicated whistleblowing website or intranet page.  

This resource page should contain links to: 

  • An introduction from senior stakeholders/appointed representatives 
  • Contact and helpline information 
  • External resources and support 
  • Policies, procedures and training materials 
  • Positive testimonies 
  • Whistleblowing metrics 
  • Employee code of conduct 
  • Information on protection 
  • Frequently asked questions (FAQs) 

Confidentiality and Retaliation Prevention 

There is a strong tie between confidentiality and retaliation prevention. Inherently, the more confidential a whistleblower report can be kept, the less likely the reporter is to be retaliated against. There is a dual obligation here: does your helpline ensure confidentiality, and does it help you prevent retaliation? With the new emphasis on the reverse burden of proof for retaliation, your efforts here will end up saving you time and effort down the road, and you may be navigating away from costly or legal sanctions at the same time.

Practical considerations to protect confidentiality and prevent retaliation: 

  • Design, establish, and operate a whistleblowing helpline in a secure manner that ensures confidentiality of persons reporting and third parties mentioned 
  • Allow full confidentiality unless otherwise required by national law 
  • Provide for “diligent follow-up” with reporters, even if anonymous 
  • Confidentiality of whistleblower guaranteed 
  • Retaliation prevention and monitoring through follow-up and screening 

Record Keeping and Retention 

Have you ever tried to access the email inbox of a former employee, only to be met with impossible logins and roadblocks? The Directive emphasizes retrievability because of issues like this. Every report must be dealt with by competent staff, ensuring that sensitive documents are only accessed by trained individuals and competent authorities. The following points are best practices to ensure that your records are kept safe, compliant, and retrievable. 

Record Keeping: 

  • Every report is retrievable 
  • Report forwarded to competent staff without modification 
  • Complete and accurate meeting notes kept in durable and retrievable form (recording or staff notes) 
  • Should offer the reporting person the opportunity to check, rectify, and agree on the minutes of the meeting by signing them 

Retention: 

  • Every report is retrievable 
  • Reports can be used as evidence in enforcement actions 
  • If phone call is recorded, recording must be kept or transcribed 
  • If unrecorded, must be able to document the oral reporting in the form of accurate minutes of the conversation written by staff member 

EU Whistleblowing Protection Directive Hotline Vendor Checklist

When you’re evaluating vendors to help you with everything mentioned above, there are some important tactical items to consider. The devil is, indeed, in the details, and translating to-do items into action can be an uphill climb. Use the “Practical Considerations” listed above, along with the best-practices checklist below, as you evaluate vendors between now and the deadline to ensure that your hotline vendor serves your organization’s unique plan and goals.

  • Define roles & responsibilities and key milestones 
  • Geographical scope (territories, languages, entities) 
  • Define reporting topics. What is in, what is out? 
  • Decide anonymous reporting Y/N 
  • Decide on internal only or also opening to third parties and public 
  • Data privacy (GDPR), ask for certificate and pen test report
  • Translation option? 
  • Attachments possible? 
  • Dialogue possible? 
  • Decision on reporting channels (hotline only or email and external lawyer on top?) 
  • Ask for: territory credentials, industry credentials, local resources, benchmarking 
  • Ask for cost drivers and transparency
  • Dashboard for board reporting? 
  • Data upload possible from other sources? 
  • Customizing landing page 
  • Get buy-in of various stakeholders ASAP (workers, counsel, supervisory board, owners, C-Suite) 
  • Recommended: Seek external advice on the concept of your whistleblowing system
  • Recommended: Legal opinion re data privacy and labor law 

Convercent by OneTrust is committed to helping companies abide by Directive requirements, not just through content like this post and our masterclasses, but also by providing a helpline for every size of business. Want to learn more about our Helpline and Case Manager? See how it works here. 

This is the second edition of our eight-part EU Whistleblower Protection Directive Masterclass series! If you missed our first entry, check it out here, and learn about the key requirements of the Directive, myths and common misperceptions, and the vital few actions you must take to comply. Ready to move on to something a little more advanced? Stick with us over the weeks leading up to December 17, 2021 for a rigorous course on how to comply with the Directive. 

Master the Requirements of the EU Whistleblower Protection Directive   

Prepare to comply with the requirements of the EU Whistleblower Protection Directive by the deadline of December 17, 2021 with this free series of eight expert-led webinars.   
