The importance of whistleblower hotline programmes and protecting employees who report misconduct in the workplace is increasingly being valued globally. Legislation has been introduced to regulate this issue, not only in the EU under the EU Whistleblowing Directive (in force since 17 December 2021), but also under legislation that applies in other jurisdictions (including under the UK's Employment Rights Act 1996, as amended by the Public Interest Disclosure Act 1998).

Businesses in those EU Member States that have transposed the Whistleblowing Directive are required to establish internal reporting channels for receiving, acknowledging and following up on whistleblower reports; external reporting channels are operated by competent authorities designated by each Member State. The Directive also sets out the scope of activities that whistleblowers may report, for example breaches of EU law on public procurement, product safety or financial services, and it gives protection and rights to whistleblowers. Crucially, the confidentiality of the whistleblower's identity must be protected. The deadline to transpose the Directive was 17 December 2021 (private-sector entities with 50 to 249 workers may be given until 17 December 2023 to set up internal channels), but many jurisdictions are still working through the legislative process and have not yet finalised implementation. We anticipate all jurisdictions will implement the Directive by the end of 2022.

The EU Directive has a counterpart in the US in the Sarbanes-Oxley Act, which applies similar principles to publicly traded companies. Under Section 301, the audit committee of a listed company must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters, including the confidential, anonymous submission of concerns by employees; in practice this is a complaint notification system or whistleblower hotline. It forms part of a publicly listed company's overall compliance and anti-corruption programme.

As a result of this global focus, many multinational companies are encouraging whistleblowing by establishing a designated hotline or similar complaint system that enables employees and other company insiders to report misconduct. In addition to ensuring legal compliance, there are numerous business advantages to this. It enables businesses to learn about, investigate and most importantly remedy conduct that could, if not rectified, expose the business to criminal or civil liability.

We are seeing more and more multinational companies adopting whistleblowing hotlines not only in each country where a legal obligation to do so arises, but across all subsidiaries and branches where they operate.

Whistleblowing hotlines and the (UK) GDPR

Of course, across the EEA, organisations must comply with data protection requirements under the GDPR when processing personal information collected from whistleblowing hotlines. Similar rules apply in the UK under the UK GDPR. Common requirements include:

  • Ensuring the organisation has a lawful basis to collect and process personal data in the relevant jurisdiction.
  • Providing notice to employees about the organisation's whistleblowing programme and data collection practices. This is usually satisfied by providing a privacy notice before or when the data is collected. It is best practice to implement a privacy notice specific to the hotline.
  • Taking special precautions when processing special category data, often known as sensitive personal data. Special category data includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, physical or mental health data and data concerning a person's sex life or sexual orientation. Data about criminal convictions and offences is governed separately under Article 10 but calls for similar safeguards. In these circumstances the employer must have very clear reasons for processing the data, including identifying an Article 9 condition for the processing, most likely that it is necessary to carry out the organisation's obligations or exercise its rights under employment law. The data must also be kept especially secure given its sensitivity.
  • Protecting personal data against unauthorised or accidental access.
  • Keeping data for no longer than is necessary. There are no specific retention periods, but the expectation is that the data is retained only for as long as is needed to fulfil the purposes for which it was collected, for example the duration of the investigation and any resulting proceedings, and that reports found to be unsubstantiated are deleted promptly.
  • Complying with cross-border transfer restrictions. The GDPR and its UK equivalent only allow cross-border data transfers under limited circumstances, including where the destination country is recognised as providing adequate protection for the data, or where an authorised transfer mechanism such as standard contractual clauses (or, in the UK, the International Data Transfer Agreement) is used.
  • Registering data processing activities with local data protection authorities when required to do so legally. Specific registration requirements vary by jurisdiction and each data protection authority imposes its own formalities.
  • Consulting with works councils or other employee representative bodies before engaging in data processing is usually required in EU Member States.

Contracts with third party service providers

Employers often engage third parties to operate a whistleblower hotline. This does not remove the employer's obligation to comply with this legal framework: the employer remains the controller and the hotline provider acts as its processor. It is therefore important to include clauses in the contract with the service provider that give the employer adequate protection. Contracts should comply with the Article 28 processor requirements, including by ensuring that personal data is processed only on the employer's documented instructions and only for the specified purposes, that appropriate security measures have been implemented, that sub-processors are engaged only with the employer's authorisation, that the provider assists with data subject requests and personal data breaches, and that data is returned or deleted at the end of the contract.

Privacy by design

When implementing hotline systems the starting point should be privacy by design. This is reinforced by ensuring the independence and integrity of those who operate the hotline; if a third party is used, the same principle applies to them. Another way to embed privacy is to inform employees about the purpose of the system and to build in appropriate steps to protect privacy as required under the GDPR data minimisation principle, for example collecting only the minimum amount of data relevant to the investigation or inquiry. Any employee request to access, delete or correct data collected from the hotline must also be acted on, bearing in mind that the person who is the subject of a report is not entitled to learn the reporter's identity through an access request, since the Directive requires that identity to remain confidential. Defined retention periods and criteria for the personal data to be collected, encryption of the data in transit and at rest, strict access controls on who can read reports, and measures to preserve the anonymity of the reporter are also essential.

Strong leadership

For any hotline system to be successful, organisations need to work to avoid conflicts and ensure that the culture of the workplace supports and encourages the importance of whistleblowing and protecting the anonymity and confidentiality of the whistleblower. To achieve this, senior managers and directors must lead the programme, understand it and embrace it. It is only with strong support from leadership that it is possible to reinforce the importance of having a culture that values internal reporting.

What to do now

Transposition of the Whistleblowing Directive has been late in many Member States, but this does not mean businesses should do nothing. Now is the time to design internal reporting channels that comply with complex legal requirements, including privacy requirements, which will vary between jurisdictions. The sooner the processes are implemented, the more trust will be generated among staff and the more successful the system will be. Employees should feel confident that they work in a business that has provided them with the best available platform to raise concerns and that both they and their personal data will be protected.