Checklist for Implementing a Successful Whistleblowing Programme


Euronext Corporate Services hosted a webinar about the EU Whistleblowing Directive with a panel of experts from Allen & Overy Brussels. Although the focus remained on how the directive will work in Belgium, the content is relevant to all EU member states and the organisations that operate within them. 

 

Preparing for whistleblowing rules

Allen & Overy partner, Inge Vanderreken, spoke about the preparations required for the EU Whistleblowing Directive. 

Vanderreken began with details of the scope of the directive, which aims to create minimum standards across the union for reporting breaches of EU law by employees, contractors, shareholders and other stakeholders who uncover wrongdoing in a work-related context. 

Elements of the EU Whistleblowing Directive

  • There are three reporting channels – internal, external and public. Disclosure through a public channel will only be protected in certain circumstances.
  • Companies should encourage internal reporting in the first instance.
  • Confidentiality is mandated for all reporting and reported persons.
  • The directive protects whistleblowers against retaliation.
  • Authorities must give support to whistleblowers.
  • Member states must implement appropriate penalties for retaliation and for misuse of the whistleblowing process. 
  • Member states can make the laws more robust if they wish.
  • Member states can choose whether to accept anonymous reports.

Data protection, GDPR and whistleblowing

IT and IP expert, and partner at Allen & Overy, Peter Van Dyck, discussed how the directive interacts with EU data protection laws.

When your whistleblowing system involves the processing of personal data, the General Data Protection Regulation (GDPR) applies. If the name of the reporting or reported person is included in the report, this is classed as personal data. Additionally, if an anonymous report with no names could indirectly identify a person, it still counts as personal data and GDPR applies. Van Dyck suggests that this means GDPR will apply in almost all cases.

As a result, you must adhere to the principles of GDPR and check whether your reporting system complies with the regulation. You should also delete irrelevant data from your reports and only keep data for two months after resolving a case, or longer if there are legal grounds to do so.

The directive allows you to postpone the usual data access rights requirement, which would otherwise force you to inform the subject of a pending investigation that you are holding information about them. The delay is allowed because informing them early could lead to them destroying vital evidence before the investigation starts.

As whistleblowing systems constitute a high-risk processing activity, you will need to undertake a data protection impact assessment (DPIA) to identify and mitigate risk. 

Whistleblowing and employees

In the first instance, issuers should consult on the whistleblowing system with employee representative bodies. This allows you to craft your whistleblowing policies and the methods through which you will inform employees of your policy. 

The elements of the directive that relate to employment law include: 

  • Preventing retaliation
  • Reversal of the burden of proof for retaliation (the company must prove it did not happen)
  • Compensation for retaliation
  • Transparent information on procedures

Impact on financial institutions

Sylvia Kierszenbaum, a partner in banking and finance at Allen & Overy, discussed the impact of the EU Whistleblowing Directive on financial institutions. Many in the sector already have whistleblowing systems in place due to legislation introduced after the financial crisis of the late 2000s.

However, this does not mean that the directive doesn’t affect financial services firms. There is a non-regression stipulation that means, in adopting the directive, EU member states and institutions with their own reporting channels cannot provide a less robust protection regime than they previously offered. 

The new directive applies beyond what is already required as a result of existing rules governing the financial sector, such as the Markets in Financial Instruments Directive (MiFID II).

Compliance departments at financial institutions must check that their current policies are suitable to adhere to the new directive.

Investigations

Senior associate for litigation at Allen & Overy, Thomas Declerck, discussed the potential for an increase in investigations and their place in a healthy speak-up culture. 

Impartiality and objectivity are key when following up on a whistleblowing report. Investigators must always work on the principle that their decision will be challenged legally, meaning you must document every step of the investigation to justify your decisions. 

Due process is key for the smooth running of your policy:

  • The investigator maintains the presumption of innocence
  • The reported person has a right to be heard
  • The reporting person may break contractual obligations to provide evidence of wrongdoing without recourse 

According to Declerck, there is less certainty when a reporting person breaks the law to present evidence. He also admitted there is a tension between confidentiality and giving the subject of the investigation enough information to be able to defend themselves properly.


How IntegrityLog helps

IntegrityLog is a customisable platform that allows whistleblowers to file reports of misconduct confidentially. It is user-friendly for reporting persons, as well as for compliance teams who can easily follow up on cases, carry out investigations and converse with whistleblowers to gain more detail on the report. 

IntegrityLog features an easy-to-read dashboard to keep you informed of investigation deadlines. All parties can rest assured their data is held in compliance with GDPR. 

You can try IntegrityLog for free right now to see how it works for your business. 
