While the implementation of the EU Directive into German law slowly moves forward, there has been criticism surrounding the new draft. The perceived lack of consultation with industry has led to frustrations around implementation challenges and timeframes.
Highlights of this new legislation worth noting include the following:
- Challenges for multinational organizations
Variations in EU Member State implementation laws and regulations of the EU Directive are creating challenges and questions around implementation for multinational employers who want to apply a consistent approach across all their regions. There are two main approaches that companies can take:
Firstly, a top down approach, starting with the implementation of the EU directive and then widening and adapting it to other relevant countries where they operate.
Secondly, a bottom up approach, starting with the implementation of the individual requirements from the different countries and then tiering back up to the EU directive.
For companies ahead of the curve that have already implemented a whistleblower system, the challenge now is to identify and close any regional gaps.
- Challenges for smaller organizations
Small businesses and startups are facing particular challenges around resourcing the appropriate team structure and also the amount of reporting required. In this case, engaging an ombudsman or external counsel may be beneficial. At the planning stage, priority topics are to be defined and communicated to ensure they are captured in the reporting. As well as whether UK and US regulations are to also be included.
- The right to anonymity
The Directive leaves it to each member state to decide whether or not it requires the processing of anonymous reports. Confidentiality remains a crucial requirement to protect both the identity of the whistleblower as well as individuals named in the report or tip off. Non anonymous reports take priority, according to §16 of the German draft, regardless of the urgency or nature of the matter. However, there is no obligation to design the reporting channels to capture anonymous reports.
- Communications with the whistleblower
Usually the first misconduct reports contain very basic details. It is important to secure clarification and further details around the alleged misconduct in a secure and confidential way in order to fully protect the whistleblower and ensure compliance. For example, it may be helpful for the whistleblowing team to be located in an office with enhanced privacy. All systems should be on a separate shared drive with controlled access and monitoring and a secure safe with limited access will also be required.
- Access to information
Changes in the law around transparency will provide challenges around managing the investigation. Particularly in balancing the privacy of the accused party and the whistleblowers right to be kept informed on the progress of the investigation. Here clear process descriptions and documentation of all communication may be key.
- Training will be central to success
To ensure that all whistleblowing red flags are captured, enhanced training should be provided for all managers and key personnel in line with whistleblowing policies and procedures.
- Group privilege
In accordance with the separation of duties principle, the current German draft allows for designing a central group solution for the whistleblower reporting and investigative functions within a group for entities/companies with 250+ workers (e.g., parent company, affiliated company or subsidiary). As this principle is not applicable to all Member States this will cause a substantial increase in effort for corporates.
To discuss any of the above in more detail, please reach out to a colleague.