The EU Whistleblower Protection Directive goes into effect on Dec. 17, 2021 — just two months from now. Most organizations have had the EU directive on their radar for some time, but understanding the necessary policies and procedures to comply with the directive can always be challenging.
Today, then, we begin a series of posts counting down the final preparations that compliance officers (both within the EU and without) should be making to assure that when Dec. 17 arrives, your program will enter this new era of whistleblower protections without disruption.
Summary of the EU Whistleblower Protection Directive
The European Union Parliament enacted the EU Whistleblower Protection Directive in 2019 both to strengthen whistleblower protections and to standardize those protections across the entire EU region. As a directive, each of the EU’s 27 member states must still “transpose” the language of the directive into national law — but all of those national laws must meet the minimum requirements for whistleblower protection spelled out in the directive.
As a practical matter, the EU Whistleblower Protection Directive is similar to the whistleblower protection laws that have existed in the United States for years. Namely, businesses will need to offer whistleblower reporting channels that employees can use to report allegations of misconduct; and businesses will need to protect those whistleblowers from retaliation after a report is filed. Those ideas should be nothing new to corporate compliance officers at large organizations.
Still, the implementation of policies and procedures to comply with the directive could be complicated, especially for organizations not previously experienced with implementing whistleblower protection programs.
What does the EU Whistleblower Protection Directive require?
The directive requires businesses and government agencies to establish internal whistleblower reporting programs, where the whistleblower can submit an allegation either in writing or verbally. Once an allegation is submitted, the company must also protect the identity of the whistleblower so he or she can avoid retaliation.
The EU directive itself does not specifically say that businesses should allow anonymous reporting. Individual EU states, however, can require businesses operating within their borders to accept anonymous reports — and if a member state does decide to allow anonymous reporting, then the same anti-retaliation protections would apply to that person if his or her identity was later disclosed.
Once an allegation is submitted to your internal whistleblower hotline, the company must also send an acknowledgment of receipt back to the whistleblower within one week; and companies must designate a specific person or team (such as the compliance officer) to look into the complaint. That person must also keep the whistleblower informed about the status of the report, such as letting him or her know within several months whether the report was substantiated.
Which businesses are covered?
Any business working in the EU with 250 or more employees will be covered by the EU Whistleblower Protection Directive starting Dec. 17, 2021. Businesses with 50 to 249 employees will be covered starting December 2023. Businesses with fewer than 50 employees will (as of today) be exempt from compliance.
It’s also important to know which people are covered: anyone working at a covered business who reasonably believes they witnessed a violation of EU law, and wants to report it. The Whistleblower Directive also casts a wide net with its definition: current and former employees, independent contractors working on your behalf, volunteers, shareholders, and so forth. They’re all protected by the directive, which means your whistleblower reporting program must accommodate them.
What will the penalties be for non-compliance?
The Whistleblower Directive doesn’t mention specific penalties; that’s left to the discretion of member states, although the directive does say there should be penalties of some kind for violations.
Why You Need a Strong Internal Reporting System
Companies will need strong internal reporting systems because, fundamentally, that's the whole point of the directive: to encourage internal reporting. EU regulators want to foster corporate cultures where employees feel comfortable speaking to management about misconduct the employees witness.
The directive also includes mechanisms to make non-compliance potentially quite painful for companies that ignore internal reporting and whistleblower protections. For example, if a whistleblower accuses his or her employer of retaliation and the case goes before regulators or the courts, the assumption will be that retaliation did happen, and the company will need to prove that any punitive measures the person suffered (demotion, termination, denial of training, harassment, and more) were justified and unrelated to the allegation.
Businesses will also need a strong internal reporting program because absent that effort, the employee will be able to report externally to regulators, law enforcement, or even the media. Once that happens, the company could lose control of the issue in question, and face scrutiny from regulators (with the potential for monetary damages) — and might still face retaliation claims from the whistleblower anyway.
On top of all that, always remember that internal whistleblowers are trying to bring problems to management’s attention. If management doesn’t have a strong internal reporting system, those problems could continue unchecked for the long term: corruption payments, privacy failures, anti-competition abuses, fair labor violations, and more. The longer a company is unaware of such problems, the more expensive they’ll be to resolve once they’re discovered. Plus the company could face additional penalties for a poor internal reporting program that didn’t meet EU Whistleblower Directive standards, too.
Is Your Company Ready for Enforcement of the EU Whistleblower Directive?
Now that the EU Whistleblower Directive is almost here, compliance officers should review the measures that your company should take — or, ideally, has already taken — to be in compliance by December.
Know the status of member states’ laws.
Individual EU states can always go beyond what the EU Whistleblower Directive requires. So know what whistleblower reporting and protection laws are in every EU state where you do business. Your organization will need to comply with all of them.
Update your reporting and anti-retaliation policies.
Your workplace policies should at least encourage, and perhaps even require, employees to report misconduct when they see it. Your policies should also clearly state that retaliation against whistleblowers is not allowed. Provide specific examples of misconduct employees should report and of retaliation that won’t be tolerated.
Conduct training as necessary.
Employees will need to know what reporting channels are available to them (telephone hotlines, online submissions, or even suggestion boxes nailed to the office wall) and how to submit an internal report. They’ll also need training about the importance of anti-retaliation — and managers might need additional training about their responsibility to prevent retaliation among their teams, too.
Prepare your own compliance or investigations team.
An important part of compliance with the directive will be your company’s ability to respond to whistleblower allegations: providing receipt of acknowledgement within one week, and providing an update (or, ideally, a resolution) within 90 days. So the team designated to respond to whistleblower reports will need its own procedures and workflows to keep pace with whatever reports come through the door.
Prepare for reporting and analytics.
Large organizations could potentially receive thousands of internal whistleblower reports a year. Compliance officers will need to be able to analyze trends within those complaints so you can identify deeper problems (say, weak policies or training); and you’ll need to be able to report on those trends to senior executives, regulators, or other stakeholders.
Rely on Technology for EU Whistleblower Protection Directive Compliance
Compliance with the EU Whistleblower Directive will encompass many moving parts: maintaining the reporting system itself; training employees on when and how to use the system; investigating complaints that are filed; analyzing trends in your whistleblower data; documenting your program’s policies and procedures; and much more.
Compliance officers will need technology to manage all that work. They will especially need technology or service providers to help with the reporting hotline itself and the intake of complaints from employees.
We’ve explored how compliance officers can choose a compliance hotline provider previously on this blog, and those points still hold true today. As the EU Whistleblower Directive comes into force, global businesses will need to rely on strong technology and vendors even more to maintain an effective compliance program.
Less than 60 days to go. Be sure your compliance program is in position before then!