Handling whistleblowing reports in the right way is key to complying with whistleblowing legislations and guidelines. It’s important to handle them with confidentiality and to implement the proper security measures, to avoid negative consequences that could expose the whistleblower to retaliation.
In this guide, we explain how organizations should handle whistleblowing reports, while preserving confidentiality and protection – in keeping with the EU Whistleblowing Directive.
Before explaining how to address a whistleblowing report, it’s important to highlight that the first thing to do is to foster an ethical workplace culture. By ethical, we mean a culture that encourages employees to speak up when problems arise. Employees should never fear any kind of retaliation, and should always feel safe in reporting their concerns.
It’s a good practice to implement training and a solid whistleblowing policy, to help employees understand whistleblowing. Having a standardized process in place also helps management to follow the whole whistleblowing procedure easily.
Each company will have to draft its own policy, depending on the size and nature of the organization, but here you can find a free template that you can customize or use as a starting point.
The protection of whistleblowers is not just a best practice, but it’s now law in the European Union. In particular, whistleblowing is regulated by Directive (EU) 2019/1937, also known as the Whistleblower Directive, which came into effect on December 16, 2019.
The Directive enhances protection for people reporting breaches of EU law in their work environment and it requires Member States to align their national laws to provide an adequate level of protection throughout the EU.
The Whistleblower Directive applies to:
In order to comply, companies must:
As a company, receiving a whistleblowing report is never easy, and for many the first reaction would be to ignore it and keep things as they are. Don’t do this! Ignoring a whistleblower complaint can have negative consequences, and can also put you in breach of the law.
So, if you receive a whistleblowing complaint, make sure to assign it to an impartial designated team or person, who will take care of investigating the complaint.
Once you receive a whistleblowing report, the designated team should start the investigations promptly. In the beginning, it’s important to get as much information as possible, to determine whether the complaint is an actual whistleblowing case or it’s a personal grievance. If the latter is the case, then you can dismiss the report and have the HR team handle the matter (but still, don’t ignore it!).
Every whistleblowing report usually contains all the necessary information and documentation to investigate the problem. However, if the report doesn’t contain sufficient grounds to suspect actual misconduct and is not anonymous, you can ask the whistleblower to provide additional information. Moreover, according to the EU Whistleblowing Directive, you should provide first feedback to the whistleblower within 7 days, letting them know that the report has been received.
The investigation generally consists of evaluating the documentation, interviewing the employees, and discussing with the whistleblower. Of course, anyone potentially connected to the allegation should not be involved in the investigation.
Once the investigation has been completed, the designated team should address the findings and summarize the results, including any corrective measures that have been taken or are planned. Every decision that could affect the organization should be transparently communicated to the whole team.
The designated team has also the duty to follow up with the whistleblower within 3 months, providing further feedback on the report and the investigation.
The key to successfully handling a whistleblowing report is always ensuring confidentiality and protection for the whistleblower. As we mentioned earlier, whistleblowers should never fear any kind of retaliation for speaking up.
One way of doing this is to use a digital system that allows for anonymous reports, like iubenda’s Whistleblowing Management Tool. In this way, the identity of the whistleblower remains protected and it’s still possible to provide the required feedback.
Anyway, whistleblowers can also choose to disclose their identity and confidentiality should still be observed. The European Data Protection Supervisor (EDPS) has issued a series of guidelines on how to process personal information within a whistleblowing procedure. According to these guidelines, companies need to apply the principles of the GDPR to whistleblowing procedures and, more specifically:
One of the best ways to handle whistleblowing reports is by using a safe whistleblowing platform, which allows you to streamline the whole process while ensuring confidentiality and data protection.
iubenda’s Whistleblowing Management Tool is designed just for that! It allows organizations to keep a safe reporting channel, where whistleblowers can submit their reports anonymously and Whistleblower Managers can keep track of every phase of the process, all from an intuitive dashboard.
Get set up in minutes