Iubenda logo
Start generating


Table of Contents

Managing Whistleblowing: How Organizations Should Handle Reports

Handling whistleblowing reports in the right way is key to complying with whistleblowing legislations and guidelines. It’s important to handle them with confidentiality and to implement the proper security measures, to avoid negative consequences that could expose the whistleblower to retaliation.

In this guide, we explain how organizations should handle whistleblowing reports, while preserving confidentiality and protection – in keeping with the EU Whistleblowing Directive.

Fostering an ethical workplace culture

Before explaining how to address a whistleblowing report, it’s important to highlight that the first thing to do is to foster an ethical workplace culture. By ethical, we mean a culture that encourages employees to speak up when problems arise. Employees should never fear any kind of retaliation, and should always feel safe in reporting their concerns.

It’s a good practice to implement training and a solid whistleblowing policy, to help employees understand whistleblowing. Having a standardized process in place also helps management to follow the whole whistleblowing procedure easily.

Each company will have to draft its own policy, depending on the size and nature of the organization, but here you can find a free template that you can customize or use as a starting point.

Understanding the law: the EU Whistleblower Directive

The protection of whistleblowers is not just a best practice, but it’s now law in the European Union. In particular, whistleblowing is regulated by Directive (EU) 2019/1937, also known as the Whistleblower Directive, which came into effect on December 16, 2019.

The Directive enhances protection for people reporting breaches of EU law in their work environment and it requires Member States to align their national laws to provide an adequate level of protection throughout the EU.

The Whistleblower Directive applies to:

  • EU private companies with 50 or more employees;
  • non-EU companies with an EU branch, that have 50 or more employees within the EU;
  • local authorities serving over 10,000 people.

In order to comply, companies must:

  • Establish safe and confidential internal reporting channels. The deadline for complying with this requirement is December 17th, 2023.
  • Provide training for employees and stakeholders, to explain the directive, whistleblower rights, and reporting procedures.
  • Ensure the confidentiality and protection of the personal data of whistleblowers.
  • Implement anti-retaliation policies, conduct fair investigations, and support whistleblowers facing retaliation.
🇪🇺 Learn more about the Whistleblower Directive here

Receiving a whistleblowing report

As a company, receiving a whistleblowing report is never easy, and for many the first reaction would be to ignore it and keep things as they are. Don’t do this! Ignoring a whistleblower complaint can have negative consequences, and can also put you in breach of the law.

So, if you receive a whistleblowing complaint, make sure to assign it to an impartial designated team or person, who will take care of investigating the complaint.

Investigating the report

Once you receive a whistleblowing report, the designated team should start the investigations promptly. In the beginning, it’s important to get as much information as possible, to determine whether the complaint is an actual whistleblowing case or it’s a personal grievance. If the latter is the case, then you can dismiss the report and have the HR team handle the matter (but still, don’t ignore it!).

Every whistleblowing report usually contains all the necessary information and documentation to investigate the problem. However, if the report doesn’t contain sufficient grounds to suspect actual misconduct and is not anonymous, you can ask the whistleblower to provide additional information. Moreover, according to the EU Whistleblowing Directive, you should provide first feedback to the whistleblower within 7 days, letting them know that the report has been received.

The investigation generally consists of evaluating the documentation, interviewing the employees, and discussing with the whistleblower. Of course, anyone potentially connected to the allegation should not be involved in the investigation.

Addressing the findings

Once the investigation has been completed, the designated team should address the findings and summarize the results, including any corrective measures that have been taken or are planned. Every decision that could affect the organization should be transparently communicated to the whole team.

The designated team has also the duty to follow up with the whistleblower within 3 months, providing further feedback on the report and the investigation.

Ensuring confidentiality and protection

The key to successfully handling a whistleblowing report is always ensuring confidentiality and protection for the whistleblower. As we mentioned earlier, whistleblowers should never fear any kind of retaliation for speaking up.

One way of doing this is to use a digital system that allows for anonymous reports, like iubenda’s Whistleblowing Management Tool. In this way, the identity of the whistleblower remains protected and it’s still possible to provide the required feedback.

Anyway, whistleblowers can also choose to disclose their identity and confidentiality should still be observed. The European Data Protection Supervisor (EDPS) has issued a series of guidelines on how to process personal information within a whistleblowing procedure. According to these guidelines, companies need to apply the principles of the GDPR to whistleblowing procedures and, more specifically:

  • treat the information they receive with the utmost confidentiality;
  • do not process more personal data than what is needed;
  • inform the people involved on the way their personal data will be processed as soon as practically possible;
  • implement data security measures.

Manage whistleblowing reports with iubenda

One of the best ways to handle whistleblowing reports is by using a safe whistleblowing platform, which allows you to streamline the whole process while ensuring confidentiality and data protection.

iubenda’s Whistleblowing Management Tool is designed just for that! It allows organizations to keep a safe reporting channel, where whistleblowers can submit their reports anonymously and Whistleblower Managers can keep track of every phase of the process, all from an intuitive dashboard.

Handle Whistleblowing Reports with iubenda

Try it now

Get set up in minutes