The Stress-Free Guide To Implementing A Whistleblowing System

The EU Whistleblowing Directive aims to encourage whistleblowing while protecting individuals from retaliation. Whistleblowers are crucial in exposing illegal activities, saving public money and maintaining corporate integrity. This article provides a detailed guide for businesses on implementing an effective whistleblowing reporting system in accordance with the directive.

Why do we need a whistleblowing directive?

A whistleblower is someone who reports illegal behaviour within a business or governmental organisation. However, the fear of retaliation can deter potential whistleblowers from coming forward. 

The EU Whistleblowing Directive, together with the various iterations of the directive that are now transposed into law in EU member states, seeks to promote whistleblowing and protections for whistleblowers for several reasons:

• Saving public money: Corruption diverts taxpayers' money away from public services or increases their cost. Protecting whistleblowers can help prevent losses estimated at billions of euros in the EU.
• Benefits for businesses: Companies with existing reporting systems have reported improved morale and cost savings. This approach not only maintains compliance with the law but also enhances efficiency and staff morale.

What is an internal whistleblowing system?

An internal whistleblowing system offers a secure and confidential way for individuals to report illegal activities within their organisations. The directive mandates the establishment of such systems in the private and public sectors and provides mandatory protections for reporting persons. 

Having a robust internal reporting system means that complaints can be made in good time, before misconduct can spread too far. Companies can also deal with issues in-house, showing that they are proactive about tackling wrongdoing. 

Requirements of the EU Whistleblowing Directive

Key requirements outlined by the EU Whistleblowing Directive for whistleblowing systems include:

• Reporting system: Organisations must establish a system for whistleblowers to file reports in writing, orally or both, encouraging them to report internally first.

• Confidentiality: Whistleblowers should have the option to report confidentially, protecting the identities of all involved parties.

• Impartiality: The investigation of reports should be carried out by an impartial entity or department.

• Timelines: Acknowledgement of reports should occur within seven days, and follow-up should take place within three months of acknowledgement.

• Protection from retaliation: Whistleblowers cannot face punishment for exposing wrongdoing, even if that involves breaking contracts or non-disclosure agreements, as long as they report the truth or what they believe to be the truth at the time.

• Support: Reporting persons should receive information about their rights, legal aid, financial assistance and access to psychological support if they wish.

• Data security: Information must be recorded, stored and secured in compliance with GDPR regulations.

6 steps to implement a whistleblowing system

1. Understand who is protected: Recognise that protection extends to not just current employees, but also various individuals associated with the organisation, including former employees, volunteers, suppliers, and shareholders. This means the system must be available to all.
2. Implement support and protection measures: Develop policies for maintaining confidentiality (and anonymity if your country’s law and the company’s policy allows it) and protecting whistleblowers and their supporters from retaliation. Review and update disciplinary procedures to prevent retaliation.
3. Set up reporting channels: Establish reporting channels that allow written, oral or digital reports. Consider options like postboxes, emails, phone hotlines or digital whistleblowing systems like IntegrityLog.
4. Set up case management: Designate an impartial individual or department to receive and act on reports. Establish communication processes with reporting persons and adhere to acknowledgement and follow-up timeframes.
5. Ensure data privacy:Select reporting channels that ensure data privacy and integrity in a GDPR-compliant manner.
6. Inform and train employees: Educate employees on reporting procedures, protections and obligations towards whistleblowers. Emphasise the benefits of transparency and a zero-tolerance attitude toward illegal activities.