by Frank Staelens
What is the scope and which extensions are already being considered?
- Applicability: all private and public organisations based in Europe, with exemptions for small organisations
- Deadline: Member States have until 17 December 2021 to transpose the new whistleblower protection rules into national law
- Scope of protection: all internal and external persons involved in the reporting of wrongdoing in a work-related context
- Scope of breaches: protection of persons reporting on breaches of Union law; Member States are encouraged to extend the scope to breaches of national law
- Some Member States have already decided to extend the scope to violations of accounting rules and shareholder rights
What are the key requirements?
- Three-tier structure for confidential reporting (internal, competent authorities and public)
- Respect the free choice of the reporter to either report internally or report to the authorities
- Protect the identity of the reporter
- Protect the reporter against retaliation; if a reporter is subject to sanctions, the organisation must prove that there is no link with the reporting
- Feedback obligations: confirmation of receipt within seven days, status report within three months
- Principles of governance (competence, diligence and impartiality) and GDPR compliance
- Duty of documentation and information (towards employees, business partners and competent authorities)
- Access to reporting for third parties (former employees, contractors, subcontractors, suppliers)
Why should organisations consider the outsourcing of whistleblowing management?
The new regulations come with a reversed burden of proof for organisations. Any decision with a negative impact on a whistleblower can lead to high costs to prove that there is no connection with the whistleblowing. As described in the section on key whistleblowing management risks below, an employee who learns that he or she is about to be dismissed could also resort to staged whistleblowing in order to obstruct the dismissal. The way to avoid this risk is to outsource the management of the whistleblower's identity. We guarantee that we will not inform you of the identity of a whistleblower until both the whistleblower and the organisation agree that the time is right to disclose it.
The governance principles require organisations to assign competent, diligent and impartial case managers. Internal handling of whistleblowing cases can give dissatisfied employees and third parties with reporting rights (former employees, contractors, suppliers) grounds to openly question whether the governance principles are being respected and to send complaints about it to the competent authorities.
The new regulations come with formal deadlines, among which the confirmation of receipt within seven days and the status report within three months. Outsourcing whistleblowing management gives you access to backup services that ensure the deadlines are met.
Non-compliance can have severe consequences, both financial and reputational. The former mainly because it can lead to high litigation costs, the latter mainly because it can lead to public disclosure immunity. In the next section we explain that this can create circumstances in which employees or former employees can go public using whatever channels they see fit, including social media, to report on the misconduct with full protection, while the organisation loses the right to sue for damages. Outsourcing to a specialised party helps you manage the risk of non-compliance.
Key whistleblowing management risks to handle
Staged whistleblowing (threats)
If an employee learns about imminent sanctions or dismissal, or about missing out on future promotions or salary increases, this could trigger him or her to seek protection as a whistleblower. Adverse treatment is presumed to be retaliation for the reporting unless the employer can prove that there is no link between the two. Whistleblowers are relieved of the burden of proof; they only need to be able to explain the reasonable grounds for believing that the reported information is true, and they are allowed to report on the basis of suspicions.
Public disclosure immunity
Not providing feedback within the deadline, not facilitating tier-1 internal reporting, or communicating improperly about the three-tier reporting structure can lead to public disclosure immunity for the whistleblower. I expect that it will be difficult for EU organisations to ignore the EU WPD, even if they are based in Member States with little enforcement, because of the exposure to public disclosure immunity and the associated reputation risk. Organisations that decide not to implement the EU WPD will constantly run the risk of personnel going public without being able to sue for damages, because courts are likely to sanction the organisation rather than the staff member.
Abusive reporting coverage
The principle of free choice between tier-1 and tier-2 reporting and the reversed burden of proof around adverse treatment will lead to more abusive reporting. Although an organisation that can prove an intent to harm on the basis of knowingly false statements will be able to sue for damages, it will remain difficult to recover substantial direct and indirect losses from individuals, and the risk of abusive reporting will remain difficult to cover through insurance carriers.
Why should small organisations consider whistleblowing management?
Organisations with more than 250 employees are expected to fully comply with the new regulations once they have been transposed into national law (deadline: 17 December 2021).
Organisations with fewer than 250 but more than 50 employees will have two more years before they need to organise full compliance with the new regulations. Organisations with fewer than 50 employees are, contrary to general belief, subject to most of the new regulations.
They are exempted from setting up internal reporting lines. However, our recommendation is to consider implementing internal reporting lines anyway, because otherwise employees may have no other choice than to report to the competent authorities. Small organisations with fewer than 50 employees will have the obligation to inform their employees of their right to report to the competent authorities.
Will today’s email reporting channels suffice?
Standard email is not confidential by default: messages are typically stored in clear text on mail servers and in mailboxes, and are easily misaddressed or leaked. Reports sent by email should at least be encrypted, or better, be submitted through a secure web-based platform.
The new regulations demand a confidential reporting setup, meaning that the recipient must protect the identity of the reporter and may only forward a report with the reporter's approval. Emails are usually accessible to multiple persons within the company and are easily forwarded, which can lead to infringements.
GDPR compliance is also among the requirements. From a privacy-by-design perspective, web-based reporting channels with access restricted to the designated case managers are best practice.
Why should organisations consider allowing anonymous reporting?
The new regulations demand a three-tier confidential reporting setup. They do not require anonymous reporting to be facilitated. Nevertheless, we would like to emphasise the importance of allowing anonymous reporting.
Organisations should realise that whistleblowers will have the free choice of reporting either internally or directly to the competent authorities. Since internal reporting cannot be forced upon employees, it becomes important for organisations to create the ideal circumstances for it. If the only internal option requires employees and third parties with reporting rights to fully disclose their identity, they will move much more quickly towards external reporting.
Why should organisations consider making a secure platform available for external reporting?
As explained before, organisations have an interest in creating the ideal environment for internal reporting without being able to oblige it. If an employee still wants to go directly to the competent authorities, the employee can do so with full protection and rights.
Even if an organisation cannot stop external reporting, it is in its interest to recommend the use of secure communication platforms. "Military grade" is a marketing label rather than a standard; what matters is end-to-end encryption, for example with 256-bit keys under the Advanced Encryption Standard (AES-256), for which no practical attack is known today. Note that end-to-end encryption protects the content in transit and on the platform's servers only: it does not help if the reporter's own device or account is compromised, so device hygiene and strong authentication on the reporter's side matter just as much.
The following real-life case can be used to explain the need to recommend secure communication platforms for any external reporting: an Exco member of a listed company wants to report serious misconduct to the authorities. To transfer the sensitive information to the authorities, the Exco member sends regular, unencrypted emails using his home Wi-Fi and the hotel Wi-Fi while on holiday. Some of his emails are compromised, and cybercriminals start blackmailing him. After the first payment, they demand a second payment. When he refuses the second payment, the information is leaked to the public and immediately hits the share price. The CEO is asked to resign, the company decides to sue the Exco member for negligence, and both end up in court for years of litigation.
The author, Frank Staelens, is the Co-Founder of Confidential Reporting Network and a Whistleblower Protection Officer based in Brussels. He has 30 years of working experience with whistleblowing management. He co-founded SpeakUPwise, a secure communication platform (https://speakupwise.com), and created WhistleblowingManagement.eu, a one-stop services, technology and insurance provider for whistleblowing management (http://whistleblowingmanagement.eu).