Skip to content


EUWD Expert Talk Series - Whistleblower Protection Rules: Just Focus on the Whistleblower

By Matt Kelly

A funny thing happened on the way to the EU Whistleblower Protection Directive: most members of the European Union haven’t yet “transposed” the directive into national law, a final step that brings the directive into effect in each EU state.

That does not mean that companies can ignore the Whistleblower Directive, or that your risks around the EU Whistleblower Directive are low. For most large businesses, the slow pace of the directive’s implementation actually reveals a deeper truth.

The simplest way to avoid trouble with whistleblower protection statutes is to focus on the whistleblower. 

That is, even if you face low whistleblower enforcement risk in some EU states, you most likely face higher enforcement risk in other EU states or in other jurisdictions entirely, such as the United States or the United Kingdom. The United States alone has more than 20 whistleblower statutes at the federal level, and dozens more at the state level. For all practical purposes, the modern global company must comply with a host of whistleblower protection statutes — all of them mostly the same, but none of them exactly the same.

So rather than re-inventing the wheel for each whistleblower statute, compliance officers are better off developing whistleblower protection fundamentals that can endure even as your company enters one new jurisdiction after another.

What Are the Whistleblower Protection Fundamentals?

When we focus on whistleblower protection, several fundamentals become clear. Even if you need to modify precise internal reporting procedures later, when EU states finally do transpose the Whistleblower Directive into national law — you won’t go wrong by cultivating these fundamentals now. They’ll always be capabilities your organization needs to have for effective whistleblower compliance.

The internal hotline is accessible

That is, employees (and potentially other parties) will need to know that the whistleblower hotline exists, and where they should go to use it. You might even (and probably should) offer internal reporting across multiple channels, such as a telephone line, email submissions, or even text message. Above all, employees must be able to use the hotline. For example, if the telephone hotline you list in your employee manual doesn’t work in countries where you  have offices, or is staffed by operators who don’t understand the employees’ language, that’s not accessible.

Employees are trained on how to use the hotline

This is a corollary to the previous point. Even when the hotline exists and works, you can’t assume employees know what they should report, or how quickly. Nor can you assume that with an online reporting system, they’ll know how to navigate the software. The compliance department should develop clear, practical procedures for employees to submit a complaint, and then train employees on what those procedures are.

Anonymous reporting is allowed

This one may be controversial, because some jurisdictions might not encourage anonymous reporting. The EU directive, for example, doesn’t expressly say that anonymous reporting is allowed; member states can decide that for themselves. Still, it is far better to have an anonymous reporting capability and then choose to leave it inactive, rather than not have that capability at all and need to add it into your program later.

The identity of the reporter is protected

At all times, your whistleblower program must protect the identity of the reporter so he or she is shielded from retaliation — which very much is a requirement under the EU directive, U.S. law, and just about all other whistleblower protection statutes. That means your program should adopt investigation protocols that keep the reporter’s true identity highly confidential, even as a complaint is passed along to other departments for investigation. Those protocols could include technical controls to keep the identity shielded, policies about handing off investigations to neutral parties, and procedures to assure that the reporter’s name isn’t accidentally blurted out during witness interviews.

All cases are handled objectively

Another crucial way to protect whistleblowers (beyond keeping their identities confidential) is to investigate their allegation competently and objectively. That means your program should have policies about who investigates complaints, to avoid conflicts of interest; how to document evidence and conclusions; and what disciplinary actions follow when a complaint is proven true or when coworkers are found to have retaliated against the whistleblower.

Will the details of these five fundamentals need to be fine-tuned as new whistleblower protection statutes are adopted, or as you enter new jurisdictions? Yes. But successful compliance at a global scale will always depend on these five fundamentals, too. Develop them all.

What Else Should You Do?

Compliance officers and business leaders can take other steps to improve whistleblower protection too, steps that are more about supporting the company’s overall business environment and corporate culture rather than about whistleblowers specifically.

Talk about the importance of speaking up

The single best way to convince employees that internal reporting matters is for managers and senior executives to talk about the importance of speaking up. Deliver that message  in employee town halls, company newsletters, or just chit-chat around the water cooler. The important point is that managers talk about internal reporting and ethical conduct generally, not just during dedicated meetings or training sessions. The more managers work internal reporting into casual workplace discussions, the more the message resonates with employees.

Show how a strong program helps the business

Business professors have shown that companies with more internal reporting tend to enjoy better business outcomes, across numerous performance metrics. Those companies that receive more internal reports (relative to peer companies) tend to see fewer lawsuits, lower settlement amounts when lawsuits do arrive, fewer negative headlines in the press, and even higher return on assets (an important metric of financial performance).

None of that should be surprising. A company with a robust internal reporting culture is a company that tries to raise and resolve problems more efficiently. So stress that message to employees, board directors, and other stakeholders, too: a strong internal reporting culture is good for business.

Be proud of your speakup culture

The term “corporate whistleblower” still has a stigma attached to it. So in addition to the specific steps we mentioned above to protect whistleblowers — praise the role that whistleblowers play, and the corporate culture that you develop to encourage internal reporting. Not only will that encourage would-be whistleblowers to step forward; it will discourage potential retaliators from engaging in whatever retaliation might be on their minds.

This duty will fall to senior managers and the C-suite, since they are ones who guide corporate culture. They need to emphasize not only that whistleblowers are welcome, but also that the company values internal reporting.

Then you’ll be in good shape to comply with the EU Whistleblower Directive in all its forms, and whatever other whistleblower protection statutes come next.

Related reading

Join the E&C Community

Get the latest news from GAN Integrity in your inbox.