LEO logo linking to homepage

Home The LEO Learning Blog

3 Things You Should Know About the New EU Whistleblower Protection Directive

This article, authored by Principal Consultant Liz Hornby, is the second in a three-part series of articles from LEO GRC that takes an in-depth look at whistleblowing. In this article, we continue with a look at the new EU Whistleblower Protection Directive and the ways in which your organization can manage the changes.

With headline-grabbing cases involving all sectors, from healthcare to Hollywood and financial services to manufacturing, whistleblowing is rarely out of the media. As a result, the encouragement and protection of whistleblowers is a priority for legislators and organizations across the globe.

Whistleblowing is a complex area that spans law, regulation, and culture. The complexity is increased for organizations with a global presence, staff, and policies. The cost of non-compliance is high for everyone involved, especially for the whistleblowers themselves.

This article focuses on the new EU Whistleblower Protection Directive (the Directive) and highlights three facts that all organizations need to know in order to prepare for its implementation next year.

Related reading: ‘Effective Whistleblowing Arrangements: A Global GRC Priority for the Financial Services Sector and Beyond

What Is the EU’s Whistleblower Protection Directive?

In October 2019, the EU’s Whistleblower Protection Directive was adopted by the European Council. The Directive’s central aim is to provide better protection for those who seek to expose, corporate wrongdoing. These protections are extended to anyone working in the public or private sector who could acquire information about wrongdoing in a work-specific context.

These protections don’t just cover employees. They’re also in place to protect job applicants, former employees, supporters of the whistleblower, and journalists. The protections are there to support again dismissal, retaliation, and any other form of discrimination, such a being denied training or receiving poor evaluations as a result of whistleblowing.

While the scope of the Directive is limited to wrongdoing specific to EU law, it’s still broad. It includes:

  • Tax evasion
  • Money laundering
  • Public procurement offices
  • Product and road safety
  • Environment protection
  • Public health
  • Consumer and data protection

Beyond the scope of the Directive, national legislators are encouraged to extend the coverage to cover their national laws as well.

Recommended reading: ‘Whistleblowing Solutions: The Importance of a Speak-Up Culture

Below are three facts all organizations need to know about the EU Directive.

1. It Applies to All Organizations Operating in the EU

The directive will impact all private and public sector organizations with over 50 employees operating within the EU. It covers all sectors, including financial services, pharmaceutical, manufacturing, and hospitality. Non-EU organizations that operate within the EU will also be affected, including UK organizations post-Brexit.

Relevant organizations with over 250 employees must comply with the Directive (in the form it has been implemented through relevant national legislation) from the end of 2021. There is, however, an extension on this deadline for organizations with between 50 and 250 employees.

2. It Requires Real Change

The Directive requires organizations to make material changes to their whistleblowing arrangement and policies. For some, this may simply be updates. For others, it will require setting up an entirely new framework for reporting and processing disclosures.

Reporting channels must be in place for individuals to make reports, either in writing (through an online reporting platform, email, or letter) or orally (via a telephone hotline, voice messaging, or in person). These channels must be clearly outlined in policies and processes that inform individuals how their report will be handled. This includes:

  • What an investigation looks like
  • Who will conduct the investigation
  • Who will decide if wrongdoing has occurred

Organizations will then have a window of three months, or six in exceptional cases, in which to respond to and follow up on reports.

Protective measures must also be put in place relating to confidentiality. These must prevent an individual’s identity from being disclosed without their consent to anyone beyond authorized staff members. The Directive leaves it to each Member State to decide whether anonymous reports should be accepted and, therefore, anonymity will be subject to local legislation.

3. Communication and Training Are Vital

Affected organizations must also provide clear, easily accessible, and transparent information about their whistleblowing arrangements to employees about the reporting channels open to them and the process that they should follow.

Line managers, HR, legal/compliance departments, and those involved in any whistleblowing investigations must receive tailored training regarding the handling of reports. This training should include:

  • How to respond to whistleblowing reports
  • Who to inform once a report has been made
  • How to ensure confidentiality (and, if applicable, anonymity)

More widely, organizations are expected to take steps to encourage reporting by promoting a supportive and open culture. This may involve:

  • Reviewing Codes of Conduct
  • Considering ‘tone from the top’ messaging
  • Undertaking cultural surveys

You may also like: ‘FCA CASS Rules: Top Tips for Setting Training Targets

It’s Important to Act Now - What Are The Next Steps?

These procedural and cultural changes will take time to implement. We encourage organizations to start as soon as possible to make sure they can meet the implementation deadline.

Put simply, you need to act now. Whistleblowing arrangements and processes are fast becoming a global GRC priority. They are vital to protect employees, whistleblowers, customers, and other stakeholders as well as meeting your legal and regulatory obligations.

Are you looking for expert-led support on whistleblowing to support your organization’s learning goals? Our friendly team is on hand to offer fully tailored support to match your needs. Get in touch.

Liz Hornby, Compliance Expert

Liz joined LEO GRC in 2010 and works as an in-house Subject Matter Expert. Since joining LEO GRC, Liz has completed a Masters Degree in International Business Ethics and Corporate Governance from the University of London and recently completed a PhD on whistleblowing in the UK banking industry.

After studying at Nottingham and Cambridge Universities, Liz qualified as a barrister and went on to work for both the London Stock Exchange and The Securities Association (a predecessor of the Financial Conduct Authority). She then moved into compliance, working for Nomura International plc and Goldman Sachs, before becoming a compliance consultant in 1994. As a consultant, she advised and worked with a broad range of financial services firms.

Liz was Deputy Chairman of the Compliance Forum Committee of the Chartered Institute for Securities and Investments (CISI) for many years and is a part-time lecturer in Corporate Governance and Ethics at the University of London.

We use cookies to give you the best website experience possible, and by browsing our website you consent to this use. Non-essential cookies are currently blocked, but certain functionality on this website won't work without them. For full site access, please accept these cookies below. To reset your cookie settings, please see our privacy and cookie policy page.