May 23, 2022
The new whistleblower directive places a lot of new demands on organizations regarding whistleblowing. Many existing whistleblower solutions also need to be reviewed or reworked to meet the new requirements, but do you know what the 6 minimum requirements are for you as an employer? This is something we take a closer look at below.
If your organization has more than 49 employees and you do not meet the requirements below, you should implement changes to ensure that you meet the requirements as soon as possible, but no later than 17 July 2022 if you are over 250 employees and 17 December 2023 if you are 50- 250 employees.
The requirements below are the absolute minimum you who are covered by the Whistleblower Act need to do, but just because a whistleblower solution meets the requirements does not necessarily mean that it is as good as it could have been. This simply means that you meet the statutory minimum requirements.
Tips on how to further improve your whistleblower solution can be found in the posts Checklist for a good whistleblower solution and How to make sure that your whistleblower solution is user-friendly.
1. Internal reporting channels
Offering internal reporting channels is a requirement under the EU Directive for all organizations with more than 50 employees. This internal reporting channel must offer sufficient confidentiality and security.
Although it is possible to refuse to allow anonymous whistling, it is strongly recommended to allow this.
2. Protection against retaliation
Whistleblowers need to be protected from retaliation / retaliation as a result of choosing to blow the whistle. The protection is extensive and includes not only termination, but e.g. also a negative assessment, non-promotion or demotion, change of working conditions, disciplinary sanctions, non-renewal of an employment contract, threats or harassment and so on.
Legal or contractual obligations imposed on employees, such as loyalty clauses or confidentiality obligations, can not prevent the application of protection against retaliation.
3. Data protection
As whistleblowing involves the handling of personal information, the GDPR also applies to whistleblowing. These requirements must be met to avoid violations of the GDPR Act.
Remember that violations of the GDPR Act can result in fines equivalent to up to 20 million euros or four percent of the global annual turnover of your organization.
4. Whistleblower system for reports
Whistleblower systems for whistleblower reports need to allow full confidentiality of the whistleblower's identity. Regardless of whether only internal personnel handle the case or if external parties become involved, the whistleblower's identity should be able to remain protected.
Visslan offers external case management that can help with this. It should also be possible for the whistleblower to follow his case, as well as the possibility to delete data if necessary or in agreement with the GDPR.
5. Feedback and follow-up
After a report has been received, there are guidelines for how to handle it. Timelines, feedback and follow-up are something that is extremely important to comply with the requirements in whistleblowing.
Within 7 days
A confirmation that the case has been received must be sent to the whistleblower within 7 days. This is one of the reasons why it is good to have more than one case manager, because if a person is ill or on holiday, a confirmation can always be sent out within 7 days.
Within 3 months
Within 3 months, there must be follow-up on the investigation's results. One should inform about measures that have been taken or will be taken. If the case has been closed, this can also be announced in this follow-up. Even if the investigation is not completely completed, a longer follow-up must be given within 3 months with information about what is happening in the case.
After 2 years
2 years after the information in a case is no longer needed, it must be deleted from the whistleblower system. What applies is thus not 2 years from the time the information came in, but 2 years from the time the information is no longer needed. Different countries within the EU have different regulations for how long a case and information may be stored, but in Sweden it is 2 years.
6. Whistleblower policy
A whistleblower policy should include all the relevant information that employees within the organization need to know. Secondly, which channels they can use to blow the whistle. But also all other relevant information that can be good to know.
Here, too, Visslan can help as we offer a standardized whistleblower policy that offers routines, step-by-step guides and much more.
Bonus - Communication & education
This is not a minimum requirement, but it can be a good idea to keep in mind, namely how you choose to communicate whistleblowing to employees and how you train them. Even if your whistleblower solution covers the minimum requirements, there is still the risk that no one dares to use it, either due to uncertainty or ignorance.
A couple of simple methods to remedy this is to regularly remind employees of your whistleblower policy. You can also hold quizzes or role-plays between colleagues to further get the knowledge stuck. The exact methodology differs between different organizations, but the important thing is that your whistleblower solution is used and that the employees feel safe in the workplace. Anonymity can be a key to this, but do not forget that you still have to be able to follow up with the whistleblower.
Also read: Fostering a Speak Up Culture