The Directive recommends that employers include these important elements when developing a whistleblower policy and managing their whistleblowing program. Since the EU Whistleblower Directive was adopted in December 2019, businesses and public organisations have been working hard to develop their whistleblowing programs and implement effective internal reporting channels. This article makes 10 recommendations for how to encourage internal whistleblowing, improve your whistleblowing program, become (and stay) compliant, and effectively respond to whistleblowing reports of wrongdoing.

1. Keep Whistleblower Identity Confidential
Any data collected in the context of whistleblowing must be handled in accordance with the General Data Protection Regulation (GDPR). Allowing whistleblowers to report anonymously is the best way to protect their identity and show employees that your reporting channel is trustworthy. The identity of employees who blow the whistle on misconduct should be kept confidential. Any information that could potentially reveal the whistleblower’s identity could lead to reprisals and must not be disclosed to anyone beyond authorized staff members unless the employee consents. Information about the whistleblower should only be revealed if it is necessary for investigations conducted by national authorities or court proceedings.
2. Empower and Protect Internal Facilitators
A facilitator is a person who guides and assists the whistleblower through the process of reporting a breach. Facilitators are often the first person to hear about the disclosure of misconduct but are not always employees. Third parties such as legal representatives, journalists, and others connected to the whistleblower such as family or partners are likely to suffer retaliation. While facilitators are often lawyers or union employees, they can also be colleagues, managers, or persons appointed to receive and investigate the wrongdoing from within the work-related context. Businesses should attempt to protect and empower internal facilitators to ensure internal reporting channels continue to work properly and should prevent retaliation against facilitators in general.
3. Keep Records About Whistleblowing Cases
All private and public sector organisations must keep records of every report they receive, regardless of whether they are investigated or found to be true. Employees who report wrongdoings should be able to see and verify the transcript of their disclosure if they ask for it. Any record-keeping related to whistleblower cases should comply with existing confidentiality and data management requirements like the GDPR and should be stored only for the legally required amount of time. These practices should align with national laws and regional union agreements. Member States are required to collect data about the outcome of each case, including the number of investigations and legal proceedings that take place and how many reports are received. It is also a good idea to record any financial damage incurred as a result of the wrongdoing and amounts recovered following investigations into breaches.
4. Protect Whistleblowers from Retaliation
The EU Directive directs Member States to establish a ‘duty of care’ for whistleblowers by ensuring businesses and organisations implement procedures for protecting employees who disclose internally. Not doing so is considered negligent. The whistleblower must be informed of any disclosure about their identity and is not disqualified from protection if their identity is made public, since the risk of retaliation increases. Whistleblowers are deemed eligible for whistleblower rights and protection against legal proceedings if they legitimately believe the information to be true and report the breach correctly. Remedial measures covering the potential consequences of retaliation can differ among Member States; however, businesses that try to prevent employees from reporting wrongdoings or that punish them for reporting are likely to face penalties.
5. Whistleblowers May Not Be Sued
As long as whistleblowers use the proper reporting channels, they are not liable for having acquired and shared information about their employer with authorities or the public. There are three reporting channels available to whistleblowers: Internal, External, and Public (I-E-P). To qualify for protection, employees must first attempt to report the wrongdoing internally. If no action is taken by the organisation, employees may report the misconduct to an independent external authority. If neither of these reporting channels leads to an appropriate and timely response, the employee may pursue a public channel such as a news outlet. The EU Directive supersedes any non-disclosure agreement, policy, or condition for employment established internally by the employer. The rights of whistleblowers are not limited by any such prior agreement as long as they follow the I-E-P sequence.
6. Understand National Whistleblowing Rules
Not all national laws are currently in line with the EU Whistleblowing Directive. Many EU countries are working towards aligning with the European Union rules and there are likely to be many changes in the coming months or years. There may be areas identified in the directive that are not currently at issue in your country. Make sure to research and understand any relevant national or local rules around whistleblowing. As of November 2022, the directive gives protection to people who report breaches in specific areas of EU law. They include tax fraud, money laundering related to public procurement, transport and product safety, public health and data protection, and consumer and environmental protection.
7. Work with External Whistleblowing Authorities
The EU Directive states that Member States must identify an independent administrative authority to lead whistleblowing efforts nationally and guide entities in developing and maintaining effective whistleblowing programs. This means support measures will likely be available from a national organisation assigned to deal with whistleblowing cases that meet the threshold for external referral. Even if they don’t, you should consider these agencies as your allies. They can offer businesses resources for determining whether a case should or shouldn’t be investigated and can be useful for significant investigations. External whistleblowing authorities will likely have the power to implement sanctions when entities neglect their responsibility, don’t make an effective reporting channel available to their employees, or fail to protect the whistleblower from retaliation.
8. Create Transparency by Sharing Trends
Most Member States collect data from employers and send it to the EU Commission for transparency. This statistical information is regularly made available to the public. Businesses should make whistleblowing a part of their annual reporting practice by aggregating data about cases and making them available to the public and to external authorities. These reports should capture trends in reporting rather than providing details that can identify whistleblowers. Using standardized disclosure and investigation reports to summarize the process at each step can assist with the collection of essential data while avoiding information that is unneeded.
9. Develop a Seamless Reporting/Escalation Policy
To ensure disclosures are consistently and appropriately addressed and followed up on, businesses should consider having a central channel for reporting all issues, such as environmental, health, safety, and fraud. Businesses should develop a mechanism for aggregating all reports coming in from different departments or channels, as they may be connected. They should also have a strong escalation policy across departments and hierarchical levels to ensure transparency. Creating a single investigation system can make responding to disclosures and maintaining records about cases easier while helping identify potential issues with the process. “By creating one system with minor caveats, there are downstream benefits, including that it is easier to keep metrics and spot deviations from processes.” (Carino, Kaplan, & Menor, 2022).
10. Know Your Rights as a Company
Businesses and public organisations receive protection under the directive while the investigation is underway. For example, any trade secrets contained in whistleblower reports may not be used or disclosed for purposes beyond what is necessary for following up on reports. The identity of all persons concerned, including those accused of misconduct, must be protected during the investigation. Any individual accused of misconduct should have access to a fair trial and to any available remedies until proven guilty. Their personal information should also be handled in accordance with the GDPR and kept confidential unless required for legal proceedings.