EU Whistleblowing Rules, a short recap

When the EU Whistleblowing Protection Directive came into force on 21st December 2021, governments and organisations across EU countries began to introduce the rules into their national laws.

In addition, organisations in countries outside the EU, such as the UK, also began trying to understand how the new EU directive might affect them too. For instance, if the Brexit protocols called for a 'level playing field', then it is obvious that any new EU whistleblowing rules would also have to be replicated in some manner.

Equally, there are thousands of businesses and organisations that have their head offices within the UK but have regional offices or supply chains within the EU. How might the whistleblowing protection directive affect these?

Six months on, we are starting to understand.

What are the main guidelines again? What do businesses and organisations need to do?

The main guidelines of the EU whistleblowing Protection Directive asked businesses and organisations to:

  • Provide multiple channels for making a whistleblowing report, ie: telephone, web, writing, face-to-face verbal, etc.
  • Protect a whistleblowers' confidentiality
  • Protect whistleblowers from retaliation or negative consequences arising from their report
  • Acknowledge receiving the whistleblowing report within seven days
  • Confirm they have taken appropriate action to handle the whistleblowers' report
  • Respond to the whistleblower with an update on their report within three months
  • Promote easily accessible and confidential reporting channels or systems so that the whistleblower is aware of which will be the most effective for them or their issue

Of course, as with the introduction of most rules and regulations, these changes are easier said than done, especially when the solutions vary from industry to industry, country to country, and employee numbers.

Here are the answers to the most frequently asked questions about EU whistleblowing directive implementation, six months down the line from the introduction of the rules.

How do we handle whistleblowing reporting at the group entities level and how does it differ from the subsidiary level?

The EU Commission has made it clear1 that the Directive requires larger companies with 250 employees or more to implement local reporting channels, and this includes Group subsidiaries.

So, if an organisation has multiple subsidiaries across multiple countries, there must be a local confidential whistleblowing reporting system in each country.

However, the EU Whistleblowing Protection Directive does allow for companies with between 50 and 249 employees to share reporting channels.

What does this mean in practice?

It means that companies with more that 250 employees have no choice. If you have subsidiaries within the EU, you must implement a local – ie: national, local to that country – set of confidential reporting channels, even if your head office is outside the EU, and this obviously applies to UK companies too.

Equally, even if you are a UK based company, with no subsidiaries in the EU, but that has dealings with supply chains within the EU, then by implementing a British version of a whistleblower reporting system, you are providing an equivalent process, and this will be seen as simply good business practice.

It is clear then, no matter how many subsidiaries are involved, any whistleblower reporting solution should be the same one used across all countries. This allows you to receive reports at the national level, and also allows aggregation of reports at the group level too.

This explains why outsourcing of a whistleblowing hotline vendor has increased in 2022. These provide whistleblowing solutions that can be applied across national boundaries.

Are there any exemptions to the employee rule obligations?

Yes, there are a small number of organisations that are required to follow the EU Whistblowing Directive no matter what number of employees they have. Chief amongst these are financial services and credit institutions.

What level of communication is needed to communicate the EU Whistleblowing Protection Directive to my employees?

A good rule of thumb is 'the more is better'.

Whistleblowing can be fraught with trust issues. In surveys we regularly see employees reluctant to make whistleblowing reports for fear of retaliation, so by openly providing detailed information about the EU whistleblowing Directive, it helps employees see the organisation takes their whistleblowing duty seriously.

The place to start is by providing a central whistleblower area for employees within the organisation, where the following can be located:

  • Whistleblowing policy
  • Codes of conduct
  • Information on how to access whistleblowing channels
  • The whistleblowing process
  • Information on expectations following reporting
  • Feedback on the whistleblowing process mechanism
  • Reference Documentation on the EU Whistleblowing Protection Directive

This needs to be followed up by a launch project involving multiple communication channels – email, posters, intranet, internal newsletter articles, etc.

But one of the things we have learnt is that the level of communications needs to be continued with a regular drip-feed of reminders.

If reminders of what the whistleblowing process is, and how to use it, are not continually added into the internal communications and training, then HR departments and senior managers can often believe they are achieving their objective.

In reality, employee turn-over and an 'out of sight out of mind' attitude begins to degrade the effectiveness of any whistleblower communications that have taken place. And if this happens, then despite there being a confidential reporting process in place, it might lead to the public reporting of issues rather than internal reporting, making the issue less controllable.

The best of the whistleblowing solution providers will be able to help you with your internal communications. Ask them what support they can provide to you.

Should I handle anonymous whistleblowing reports differently?

If anything, anonymous reports should be handled in exactly the same manner as named or semi-anonymous whistleblowing reports. Only by taking anonymous reports seriously and investing in resolving them will the organisation be seen as being authentic and trustworthy by their employees.

It is not always necessary to know the personal details of a whistleblower in order to recognise, understand and implement a solution to an issue, and the best whistleblowing hotline solution providers will provide reports that allow you to do this. For instance, Safecall offer the ability for organisations to communicate with anonymous and semi-anonymous whistleblowers through their confidential online management system. Every communication is logged and time stamped.

So, what happens if an EU member state has yet to incorporate the EU Whistleblowing Protection Directive into their national laws?

The best advice that we can give is to go for the more comprehensive reporting systems available.

The reason for suggesting this is that the EU Directive only states each country should adopt the minimum protection standards required, but that each member state should feel empowered to expand the rules as they see fit.

This means that each country could go further than the EU Directive, so the more comprehensive the ethics reporting system you have, the more likely you are to comply with a country's laws when they are eventually transposed.

Need to know more?

To find out more about how Safecall can help keep your business or organisation remain compliant with the EU Whistleblower Protection Directive, download our EU Whistleblowing Directive Whitepaper, and take a look at our Safecall whistleblowing overview and whistleblowing process page.

Footnote

1. EU Commission statements published on June 2, 2021 and June 29, 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.