© WHISTLEB WHISTLEBLOWING CENTRE 2019 info@whistleb.com www.whistleb.com

How ready is your organisation to comply with the new EU Whistleblower Protection law?

A checklist Read through the checklist obligation by obligation. Then contact us so we can help

you turn your no’s into yes’s to comply with the EU Whistleblower Protection law.

Do you already have a whistle­blower system in place?

Yes You are off to a good start. Continue to the checklist against legal obligations on the next page.

No Contact WhistleB to discuss the best whistleblowing system option for your needs.

© WHISTLEB WHISTLEBLOWING CENTRE 2019 info@whistleb.com www.whistleb.com

Confidentiality of the identity of the whistleblowerThe law says: The procedures for reporting and following-up of reports shall include channels for receiving the reports which are designed, set up and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report, and prevents access to non-authorised staff members.

1. Does your whistleblower system allow a whistleblower’s identity to remain confidential? YES NO

2. Can you open up the system to external parties such that it also protects their identities? YES NO

3. Are identities protected all the way from reporting to archiving of cases? YES NO

4. Is access to your case management system adequately secure, for example with multifactor authentication for staff members?

YES NO

5. Is your system vulnerability and penetration tested by external parties? YES NO

Response timesThe law says: The procedures for reporting and following-up of reports shall include an acknowledgment of receipt of the report to the reporting person within no more than seven days of that receipt.

6. Does your whistleblower system automatically and immediately give a notification to the whistle-blower confirming receipt, while maintaining anonymity of the whistleblower?

YES NO

7. Can the whistleblower team be notified immediately that a report has been received? YES NO

8. Can your system scale up to take an increase in the number of reports if needed? YES NO

9. Are you able to create standard response messages? YES NO

10. Do you have a dedicated person/team to receive the reports? YES NO

HOW READY IS YOUR ORGANISATION TO COMPLY WITH THE NEW EU WHISTLEBLOWER PROTECTION LAW? A CHECKLIST.

© WHISTLEB WHISTLEBLOWING CENTRE 2019 info@whistleb.com www.whistleb.com

WHISTLEB´S BEST ADVICE ON HOW TO COMPLY WITH THE EU WHISTLEBLOWER PROTECTION DIRECTIVE

Contact personsThe law says: The procedures for reporting and following-up of reports shall include the designation of an impartial person or department competent for following up on the reports (…) and which will maintain communication with and, where necessary, ask for further information from and provide feedback to the reporting person.

11. Do you have competent resources in place for following up on reports in an appropriate manner? YES NO

12. Does your system allow you to add the competences you need per case? YES NO

13. Do you have a system and the skills and routines in place to handle investigations? YES NO

14. Does your whistleblower channel allow you to add external experts securely into the case handling process?

YES NO

Follow­upThe law says: The procedures for reporting and following-up of reports shall include diligent follow-up to the report by the designated person or department, diligent follow-up where provided for in national law as regards anonymous reporting, and a reasonable timeframe to provide feedback to the reporting person about the follow-up to the report.

15. Do you have a channel through which the whistleblower can add pictures, videos, text documents and other file formats, and that cleanses meta data?

YES NO

16. Does your whistleblower system include a case management tool that is integrated with the reporting channel?

YES NO

17. Does your whistleblower channel allow for a dialogue with either an anonymous or non-anonymous whistleblower?

YES NO

18. Does your system allow secure translation support for communication in multiple languages? YES NO

© WHISTLEB WHISTLEBLOWING CENTRE 2019 info@whistleb.com www.whistleb.com

Communication & informationThe law says: The procedures for reporting and following-up of reports shall include clear and easily accessible infor-mation regarding the conditions and procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.

19. Do you provide clear and easily available information to employees about how and where they can report concerns, including their options for external reporting?

YES NO

20. Is such information adapted for each country in which you operate? YES NO

21. Is the information available automatically when people access your whistleblower system? YES NO

22. Are your policy documents, Code of Conduct and related training materials updated to inform employees on behaviour, such as “retaliation”, that would be in breach of the EU Whistleblower Protection Directive?

YES NO

GDPR ComplianceThe law says: Any processing of personal data carried out pursuant to the Directive must comply with the GDPR.

23. Is your whistleblower system fully compliant with the GDPR in all EU countries in which you operate? YES NO

24. Does your system automatically allow deletion of personal data when the case is closed? YES NO

25. Do you inform potential users correctly about national differences in reporting? YES NO

Record keeping of the reportsThe law says: Authorities, private and public legal entities must keep records of every report received, in compliance with the confidentiality requirements provided for. Reports shall be stored for no longer than it is necessary and pro-portionate.

26. Does your system keep a user and case log of each case? YES NO

27. Does your system allow for deleting personal data in line with the GDPR? YES NO

© WHISTLEB WHISTLEBLOWING CENTRE 2019 info@whistleb.com www.whistleb.com

WHISTLEB´S BEST ADVICE ON HOW TO COMPLY WITH THE EU WHISTLEBLOWER PROTECTION DIRECTIVE

Karin HenrikssonFounding Partnerkarin.henriksson@whistleb.com +46 70 444 32 16

Contact us if you would like a free consultation on your readiness for compliance.

Join the WhistleB webinar to find out what the EU Whistleblower Protection Directive means for you.

WhistleB is a global whistleblowing service provider and business ethics & compliance expert. We help customers to foster a safe and more transparent work environment. The WhistleB system is currently used in more than 150 countries.

For more information about the EU Whistleblower Protection Directive, or if you have further questions concerning corporate whistleblowing, please contact: