Does your current hotline provider — if you have one — stand up to the scrutiny necessary to comply with the EU Whistleblower Directive? Matching the Directive’s requirements to vendor features can be an overwhelming task.
As you evaluate vendors, consider how well they are positioned to adapt, evolve, and stay ahead of the ever-changing whistleblowing landscape. Beyond the requirements of this Directive in particular, whistleblower regulations and privacy regulations around the globe are evolving at a rate never seen before.
There are key elements that you can use to evaluate potential vendors or measure your current hotline provider, in order to ensure compliance:
- Local intake channels and case management
- Whistleblower communication: anonymous and named
- Data security and GDPR
- Call center
- Accessible intake methods
- Confidentiality and retaliation prevention
- Record keeping and retention
OneTrust can help you comply with the EU Whistleblower Directive. Click here to request a Helpline and Case Management demo with a member of our team.
Local intake channels and case management
Though Member States and EU-based companies have questioned this requirement, the EU Commission has been quite clear that subsidiaries with 250 or more workers may no longer rely solely on their parent company’s central whistleblowing systems. Instead, they must have the ability to investigate reports locally rather than at the group, or corporate, level. Central reporting channels and case management may still exist, but whistleblowers must also have the option to report at the local level.
Choose a hotline provider that can set up dedicated intake channels and case management for each subsidiary, in addition to the central/corporate-level intake and case management. Clarify with your vendor whether you will be able to maintain visibility into trends and company-wide risk areas while keeping case-level data separate and anonymous.
Whistleblower communication: anonymous and named
When it comes to communicating with whistleblowers, the EU Whistleblowing Directive requires:
- Acknowledgment of receipt within seven days
- The ability to take anonymous reports
- The ability to communicate with reporters, anonymous or not
- Resolution/feedback on the report within three months
- Diligent follow-up
- The ability for whistleblower to review, approve, or edit interview notes
Bear in mind that the Directive establishes the floor, carving out the minimum requirements for protecting whistleblowers. Your organization’s actual plan can (and perhaps should) go above and beyond the letter of the Directive. Your compliance team should be able to communicate with whistleblowers and document as much as possible in order to establish trust and transparency. A hotline provider should be able to automate some of the process using an automated workflow, making sure that your communication and documentation adheres to the Directive’s requirements without introducing an insurmountable workload.
Data security: How to comply with both the EU Whistleblower Directive and GDPR
Remember that 2016’s General Data Protection Regulation (GDPR) came from the same governing body, and the guidance adopted by all Member States also needs to be honored in your efforts to comply with the EU Whistleblower Protection Directive. This means prioritizing the same issues (secure communications, minimal personal identifying information, authorized access to records, etc.) and keeping up with the same standards. Your organization will have to scope out exactly how much necessary information you need to collect, and how long you archive that sensitive data, in order to process your reports, while remaining compliant with GDPR. Require the following of your hotline vendor:
- GDPR compliance
- Collection of only the necessary personal information required to handle the specific report
- Secure and confidential reporting channels
- Prevention of access by non-authorized employees
EU Whistleblower Directive call center requirements
The Directive requires that your whistleblowing intake channels are accessible to all protected parties. “Accessible” is up for interpretation, so choose a hotline vendor that uses a call center capable of processing reports in multiple languages, regardless of internet access or physical location. The Directive is clear that any person who acquires information from business activities can be a whistleblower, not just current full-time employees, so a well-trained and capable call center is key for expanded reporting. Require the following from your vendor’s call center:
- Language capabilities
- Competent, knowledgeable staff who are able to communicate the investigative protocol
- Accessible to employees, subsidiary employees, suppliers, agents, and any persons who acquire information through work-related activities
- Competent, independent, and empathetic staff
- Professional training for call center staff on how to handle whistleblowing reports
Accessible intake methods
A call center is one channel for establishing accessible intake. Depending on the size of your organization and the scope of your international operations, you may seek to establish more than one intake method. According to the EU Whistleblower Directive, your reporting channels “should be made available to employees, subsidiary employees, suppliers, agents, and any persons who acquire information through work-related activities.” Establishing multiple routes for employees to speak up means that you’re honoring the accessibility component of the Directive, and you are also reinforcing trust and transparency at your organization. Be thoughtful when considering your vendor’s capabilities for report intake, because flexibility will be key as Member States may choose to require different approaches to intake options. For example. OneTrust’s Helpline and Case Management includes these flexible intake options:
- Web
- Line manager (proxy)/physical meeting
- Whistleblowing hotline, available by telephone or voice messaging
Accessible resources on whistleblowing processes, outcomes, and protections under the EU Whistleblower Directive
Beyond establishing accessible intake methods, you must make sure that whistleblowers are provided with the necessary resources. Think your process through, from what initial intake looks like to how case resolution will be operationalized. Does the process include resources, education, and enablement for whistleblowers? In practice, all organizations should have a dedicated whistleblowing website or intranet page. Does the vendor you’re considering offer such a feature? This resource page should contain, or link to:
- An introduction from senior stakeholders/appointed representatives
- Contact and helpline information
- External resources and support
- Policies, procedures and training materials
- Positive testimonies
- Whistleblowing metrics
- Employee code of conduct
- Information on whistleblower protection
- Frequently asked questions (FAQs)
Confidentiality and preventing retaliation
There is a strong tie between confidentiality and retaliation prevention. Inherently, the more confidential a whistleblower report can be kept, the less likely the reporter is to be retaliated against. There is a dual obligation here; does your helpline ensure confidentiality, and does it help you prevent retaliation? With the Directive’s emphasis on the reverse burden of proof for retaliation, your efforts here could prevent costly sanctions.
Require the following of your hotline vendor:
- Ensures confidentiality of whistleblowers and named parties
- Allows full confidentiality, unless otherwise required by Member State law
- Enables “diligent follow-up” with reporters, even if anonymous
- Retaliation prevention and monitoring through follow-up and screening
Record keeping and retention under the EU Whistleblower Directive
Under the EU Whistleblower Directive, every report must be dealt with by competent staff, ensuring that sensitive documents are only accessed by trained individuals and competent authorities. The following points are best practices to ensure that your records are kept safe, compliant, and retrievable, so consider these when evaluating vendors:
- Every report is retrievable
- Reports can be forwarded to competent staff without modification
- Complete and accurate meeting notes kept in durable and retrievable form
(recording or staff notes) - Whistleblower can check, edit, and agree on the minutes of the meeting by signing them
- Reports can be used as evidence in enforcement actions
- If phone call is recorded, recording must be kept or transcribed
- If unrecorded, must be able to document the oral reporting in the form of accurate minutes of the conversation written by staff member
EU Whistleblower Directive hotline vendor checklist
When you’re evaluating vendors to help you with everything mentioned above, there are some additional tactical items to consider. Use the lists in each section above, along with the best-practices checklist below, as you evaluate vendors between now and the deadline to ensure that your hotline vendor serves your organization’s unique plan and goals.
- Define roles & responsibilities and key milestones
- Geographical scope (territories, languages, entities)
- Define reporting categories
- Decide on level of anonymity
- Data privacy (GDPR): ask for certificate and pen test reports
- Translation options
- Attachments possible
- Two-way communication possible
- Available reporting channels (hotline only or email and external lawyer on top?)
- Territory credentials, industry credentials, local resources, and benchmarking
- Cost drivers and transparency
- Hotline metrics dashboard for board reporting
- Data upload possible from other sources
- Customized landing page
See OneTrust’s helpline and case management in action
OneTrust’s Helpline and Case Management solution can help you comply with the requirements of the EU Whistleblower Directive. Click here to request a Helpline and Case Management demo with a member of our team.
