The kick-off for whistleblowing is going to be extended: According to the EU directive, all companies with 50 employees or more will have to implement a whistleblowing system in the future. Gottfried Berger, Managing Director of GRC Experts GmbH, explains what to look for. […]
On December 16, 2019, the EU Directive on the protection of whistleblowers – the much–discussed “Whistleblower Directive” – came into force. On 17 December 2021, the deadline for transposition into national law was. Or rather: it would have been, because Austria is still in arrears. The European Union has therefore already initiated an infringement procedure.
Nevertheless, this directive will sooner or later affect most companies in Austria. As a first step, companies and institutions with more than 250 employees as well as cities and municipalities with more than 10,000 inhabitants must implement a whistleblowing system. In the second step – as planned from 2023 – companies with more than 50 employees and smaller municipalities will also be legally obliged to do so.
Come to stay
Delay or not, the fact is: the directive will come. And, above all: after many scandals and scandals, a rethinking towards more transparency, honesty and less corruption has already begun in Austria. And this awareness has come to stay.
For all those who are just about to implement a whistleblower tool, many questions arise. How to implement such a system in the best possible way? What are the options? Can I afford this? How can such a platform be operated with as little effort as possible?
In some companies, the directive certainly causes worries and trouble. But: Even when it comes to fulfilling a legal requirement, one should not lose sight of the fact that whistleblower tools also offer advantages for companies. Internal reporting systems can prevent employees from contacting the press or supervisory authorities with their information in the event of an emergency. Whether it’s corruption or #metoo cases: this is how you keep the chance to settle problems internally without making negative headlines.
Which tool is the right one?
In theory, information could also be received via e-mail, hotline, mailbox or even in person. But: Only a web-based whistleblowing tool can fulfil the dialogue function (e.g. for the required confirmation of receipt, queries or for the exchange of documents) – and at the same time guarantee the essential factors of anonymity, data protection and security of all parties involved. The identity of the whistleblowers and those affected by the notice must remain strictly confidential, technical traceability must not be possible. Tamper-proof, easy handling and documentation (in an emergency, even in court) are just a few other aspects that speak in favor of this.
Even in the case of anonymous information, attention must be paid to compliance with the GDPR. This is because data must be stored to document the reports and case processing. Deletion deadlines and processes in the sense of the GDPR should therefore be defined and (automatically) adhered to in advance. Therefore, investing in a good system is definitely worth it.
What the whistleblower system must also offer may vary from case to case – should service providers, suppliers, stakeholders, for example, also be given the opportunity to report? Does the system have to be available in several languages? Due to these different requirements, we at GRC Experts have opted for a cloud–based web application – developed in Austria – that is individually adaptable, can be used from any Internet-enabled device and thus guarantees maximum security as well as maximum flexibility.
In-house or outsourcing? A question of resources
Choosing the right provider is also a question of resources – and more of personnel than monetary ones. Do you just need a technical solution or is it advantageous to outsource the operation to objective experts (which is quite permissible according to the EU)? Because the implementation of the tool alone is not enough.
Whistleblowers must receive confirmation of receipt of their report within seven days and feedback on the status quo within three months. In between, it is necessary to check the information, to initiate necessary follow-up measures, to involve (legal) support from outside under certain circumstances. Regular monitoring and documentation are also necessary. For all this, roles, responsibilities and standardized procedures must be defined in advance – or you can outsource the ongoing support to professionals such as the GRC experts, who take care of the ongoing case management (including reporting), respond to incoming reports within 24 hours and, if necessary, also support communication with investigating authorities.
*The author Gottfried Berger is Managing Director of GRC Experts GmbH, which, as a full-service provider for all governance issues, places a special focus on whistleblowing.