5 Steps to Get Ready for the EU Whistleblowing Directive

5 Steps to Get Ready for the EU Whistleblowing Directive

Whistleblowers are responsible for exposing some of the biggest scandals in history. Soon, they’ll receive the protections they deserve.

Under the EU Whistleblowing Directive, those who report workplace wrongdoing will soon have unprecedented protections. These will lead to cascading benefits.

The law's main goal is to protect whistleblowers from retaliation and lawsuits. With these protections in place, whistleblowers will be far more likely to come forward. In turn, organizations will be made aware of serious misconduct sooner, so they can minimize the amount of damage caused.

The deadline to comply with the EU Whistleblowing Directive is April 2021, but it’s not too soon to start making changes now. Do your part in protecting whistleblowers by following these five steps.

1. Assess Your Current Whistleblowing System

It’s up to each Member State to decide certain specific rules for whistleblower protections. However, no matter what happens in terms of implementation, the reporting process of most organizations will need to be reviewed and communicated adequately.

Learn how to get the most of your whistleblowing system with the tips in our free cheat sheet.

The Directive will bring about strict demands regarding internal reporting, and therefore any systems that support this reporting. To prepare for the upcoming changes, assess your current systems. Find the answers to questions such as:

  • What reporting systems do you offer now?
  • Do they meet the Directive’s standards?
  • Are they functional and easy to use?
  • Do they discourage potential whistleblowers?

2. Hire or Rejig Your Resources to Fill the Roles

To become compliant, you’ll likely have new roles to fill. Do you have enough resources in place to handle a potential influx of reports, and in the required timeframe? You may need to create new roles and hire someone to fill them. Or, you could train existing employees to take on the new tasks.

You will need someone to audit your organization’s current processes. You may need to hire a compliance professional who can help with training and awareness. Perhaps the IT department will need to grow to work on new security requirements.

And, of course, someone will need to operate your new and/or existing reporting channels, handle incoming reports, conduct investigations and follow-up with the whistleblower.

3. Become Familiar with Third-Party Channels

If your organization has a lot to learn and change, consider outsourcing some work to a third party. The EU Whistleblowing Directive will require an assessment of your entire whistleblowing process, which can be a longer, more complex project than it appears.

Plus, external reporting channels don’t necessarily mean a brand-new system and a significant investment. There are many ready-to-use solutions that may be more professional, compliant and cost-effective than a complete overhaul of your organization’s processes.

4. Update Associated Policies and Processes

Update your policies to address the anti-retaliation piece of the Directive. Your organization’s code of conduct should define retaliation, provide examples of retaliatory behavior, and list the consequences for violations.

Communicate these changes. Raise awareness about the changes and offer training to be sure everyone understands. Speak openly so that employees know senior management is open to whistleblowing, values the information and is committed to acting.

RELATED: 18 Of the Best Code of Conduct Examples

Then, change your procedures to work with the Directive’s timelines. Organizations will have to acknowledge they’ve received the report within a week. They must also provide feedback on a report within three months.

Build your processes so they automatically remind you on the seventh day to acknowledge the report, and send a reminder in three months’ time to follow up.

5. Make Sure You Comply with the GDPR Too

The EU Whistleblowing Directive is deeply intertwined with the GDPR. Since both are EU laws, all of the personal data retrieved from a report (such as the identity of the whistleblower and any identified third parties) has to be handled in accordance with the GDPR.

The way in which you collect, store, archive and delete personal data should follow the GDPR’s rules. Require consent before you collect personal data. Never store reports for longer than is necessary. Make sure your data security is adequate.

Double-check your GDPR compliance with our free resource: GDPR Compliance Checklist.

Bonus Step: Some specific details are being left up to each Member State, so make sure that you stay on top of updates and requirements.