Required Features for internal Whistleblowing Systems
by Markus Costabiei & Sascha Maschek
3 September 2021
The deadline for implementing the European Whistleblower Directive1 is set for 17 December 2021. By then, the provisions contained therein must be transposed into national law by all member states. The establishment of internal whistleblowing systems will then become mandatory for companies with more than 249 employees.
The mandatory establishment of whistleblowing systems is intended to create an internal communication channel between the whistleblower and the company concerned. Such a channel may be established in the form of a hotline, an e-mail inbox or an online reporting platform. The confidentiality of the whistleblower and the third parties named in the report must always be ensured. An e-mail inbox will therefore not satisfy the confidentiality requirements in most cases.2 The company concerned must take appropriate measures after receiving a report and inform the whistleblower of the receipt of the report and the measures taken.
The whistleblower may freely choose whether he/she wants to report the information through the internal whistleblowing channel or directly to the responsible authority or an external body (e.g. ombuds office). Companies will prefer a report via the internal channel since internal problems will be brought to their attention immediately and without possible PR disasters. Appropriate measures can then be implemented quickly after the report.
Companies should therefore be keen to motivate their employees to use internal reporting systems. According to a recent survey on whistleblowing3, employees are encouraged to use internal whistleblowing systems in particular by (i) the guarantee of their anonymity, (ii) the certainty of not having to fear reprisals as a result of whistleblowing, and (iii) the processing of the report by an independent person.
In short: An internal whistleblowing system should therefore record and manage all reports in a clear and anonymous manner. In addition, reports received should be easy to manage so that both compliance with the response deadlines and the steps taken by those responsible within the company can be objectively verified at any time by means of reports. Technical measures should also be taken to ensure audit compliance. Finally, the technical hurdle should be kept as low as possible: for whistleblowers by means of simple reporting forms, and for employees by means of an intuitive user interface.
We kept all of these factors in mind when developing our ACC whistleblowing module. The module is based on four basic principles: security, transparency, revision security and usability.
Although the anonymity of whistleblowers is not explicitly required by the Whistleblower Directive, it is the most important factor in encouraging a company's own employees. We have therefore taken numerous technical measures to ensure anonymity in our whistleblowing module. For example, all metadata is proactively removed from reports so that no personal data of the whistleblower is processed. In addition to the system's inherent prevention of personal references, our secure transmission protocol prevents the unintentional publication of reports and the disclosure of information to third parties. The module also has a flexible rights and role concept that prevents unauthorized access from inside the company. Thanks to effective provider shielding, we are also unable to view or process the reports and the whistleblower's data.
Making a report of internal corporate malpractice via an internal whistleblowing channel requires courage. Trust in the whistleblowing platform is therefore essential. For this reason, our module gives whistleblowers the opportunity to call up their report at any time, check the content and make additions, but without being able to change the original report. The addition appears as a separate data entry.
Furthermore, the whistleblower can view the status of his/her report at any time and - if necessary - anonymously communicate with the processor of the report. Our 2-way communication system ensures the permanent anonymity of the whistleblower.
Our whistleblowing module can be extended with our Trust Layer. It uses the unique capabilities to notarize the records of the whistleblowing module. Through this, companies can ensure that the reports, the report’s receipt, and the documented steps are tamper-proof. In addition, transparent reports can be generated which can be objectively verified by anyone thanks to the tamper-proof stamp of our ACC Trust Database. In the notarization process, the data is processed in an encrypted and thus unreadable manner.
For whistleblowing systems to be used, the usability must be right for both the company and the whistleblower. In this context, our module stands out for its intuitive and consistent menu navigation, well-thought-out features such as the anonymous 2-way communication system, the customizability of the menus and forms, and the built-in translation function.
Conclusion: Companies must act by the end of the year and implement a suitable whistleblowing system. In doing so, it will be crucial to focus on security, transparency, revision security and usability.
Want to learn more? Get in touch with us!
1 Directive (EU) 2019/1937.
2 Possible access by admins is just one example of such a risk.
3 EY Austria, Whistleblowing: Neue EU-Richtlinie fordert vertrauliche Meldekanäle | EY - Österreich (as of 31.08.2021)
ABOUT THE AUTHOR
Markus Costabiei is Co-Founder & Head of Sales at AKARION.
Sascha Maschek is Co-Founder and CTO at AKARION, and a software architecture and blockchain expert.