My organization already has a whistleblowing tool. Do I need to take action?
Under the Whistleblowing Directive, every legal entity employing more than 50 people and operating in Europe must set up an internal channel for reporting breaches of Union law. Entities that already have a whistleblowing tool must review their current system and implement action points to make their tools compliant with the minimum standards and requirements set out in the Whistleblowing Directive. Assessment of the current system can be performed through a comprehensive checklist based on the minimum standards.
The Whistleblowing Directive requires companies to implement procedures that are designed, established and operated in a secure manner to ensure that the whistleblower’s identity and any other third party mentioned in the report remains confidential. Those procedures must also prevent unauthorized access by staff members. The procedures in place should permit companies to communicate an acknowledgment of receipt of the report to the whistleblower within 7 days of the report. Once a report is filed, the Whistleblowing Directive requires that it must be investigated by the ‘most appropriate person or department’ to ensure independence and absence of conflict of interest.
Follow-up steps must be taken to address the report and appropriate feedback should be given to the reporting person within a reasonable timeframe, not exceeding three months. Such feedback can be information on the actions taken to address the report, closure of the case for lack of evidence, etc. When the internal investigation is closed the whistleblower must be informed of its outcome. Records of every report received must be stored in compliance with confidentiality standards and for no longer than is necessary and proportionate to comply with the Whistleblowing Directive. Furthermore, the Whistleblowing Directive prohibits retaliation and attempt of retaliation such as dismissal, change of employment conditions, blacklisting against the whistleblower, etc..
When setting up a whistleblowing tool for your organization, or reviewing your existing whistleblowing tool, compliance against the minimum standards included in the Whistleblowing Directive can be checked via a checklist for instance.
Such checklist should/could include questions such as :
The above is of course not a full checklist however performing such an assessment is the starting point of your compliance exercise. Needless to say that depending on how large your organization is and which tool you are using for your whistleblowing system this first action in itself can be quite time-consuming and burdensome.
Please feel free to reach out to us should you like to receive a more comprehensive checklist or for further information on this topic. Would you like to read more? Our next post on this topic will address the key data protection considerations for your whistleblowing tool.
#Whistleblowing Directive #GDPR #employment #EYLaw #digitallawteam