‹‹“Minimal” may be sufficient and “maximal” may prove not to serve the purpose›› says Adriana I. Gaspar, Senior Partner with NNDKP commenting the sine qua non role of technology in fostering whistleblowing and the wider context of business ethics and compliance.
Trust is to make the difference.
The EU Directive on the protection of persons who report breaches of Union law has mandated a set of minimum requirements meant to prompt individuals to inform on violations that they become aware of. As the whistleblowers’ risks decrease, chances become higher that potentially prejudicial acts be investigated, that measures (preferable internal) be taken for remediation and prevention of recurrence, of the perpetuation of derailing practices, as well as for damage recovery. In terms of scope, the Directive is applicable, for example, to fiscally aggressive conducts, breaches of competition and state aid rules, improbity in sectors such as consumer protection, food and feed safety, environment protection, radiation protection and nuclear safety, as well as other potentially major-risk threats.
In the form that was subject to public debate, the draft law aiming to transpose the Directive into the Romanian legislation – still to successfully complete the procedure for Parliamentary approval – has a wider scope as compared to the Directive. Employers are required to make available a reporting system and adequate protection both for the
employees and collaborators who unveil breaches of the Union law and for those disclosing offenses against national law and, furthermore, of deontological and professional rules.
While in Romania as well as in other European countries discussions are ongoing regarding the expansion of protection for disclosure beyond public interest and major risk offenses, other legislations have been compelling for quite a number of years a high magnitude integrity effort similar to the one proposed by the Romanian authorities.
“Thus, once the new regulation shall come into effect, legality and morality alone shall no longer be sufficient for business operations. The new standard means, in reality, that the pledge for integrity of each individual employer become manifest to the point that it nurtures the willingness of its personnel and collaborators to bring out into the open acts that are or could prove to be violations of law or ethics” clarifies Adriana Gaspar.
In alignment with the European Directive, the new law requires the employer to have available an infrastructure that:
- allows multiple options for reporting possible breaches; and
- offers the whistleblower the comfort that, as long as made in
genuine good-faith, the disclosure shall not expose him or her to
opprobrium or legal sanctions.
As a matter of good practice, employers should develop or acquire a technical reporting system that:
- is easy to operate, it does not require that whistleblowers have but minimum or basic computer literacy/technical skills to access and/or use it;
- ensures confidentiality to whistleblowers and to all persons concerned by the reports, insofar all whistleblowers, when reporting a breach, must provide their identification details to the recipient;
- restricts the access to reports on breaches and related matters to the individuals involved in the management of the reporting , for confidentiality purposes, but also as requirement deriving from the data protection laws;
- allows secure communication with the whistleblowers, to request additional information regarding the reporting or to brief them on follow-up measures;
- provides a secure (electronic) working environment for the case management, for the same confidentiality purposes;
- complies with data protection rules, including the rules regarding data minimization and data retention.
“Alternatively to the development of a proprietary platform, the market offers numerous technical solutions, but these have to be rigorously scrutinized for compatibility with other relevant company-particular infrastructure, but also for confirmation that the technical system’s capabilities allow the employer to comply with all legal requirements. For clients preferring to outsource the receipt, admin, investigation and resolution of reports, we can facilitate access to the technology developed by WhistleB, one of the outstanding providers of whistleblowing management software with whom NNDKP has formed a partnership. WhistleB platform also allows the legal & tech integrated approach to the management of each individual case” Adriana Gaspar commented.
To complement such system, the employer is expected to offer also traditional communication means, in written paper or electronic (e-mail) format, by phone or in-person meeting, which, in turn, have to meet all requirements for the protection of confidentiality and personal data.
Irrespective of the reliability of the technical system, should they consider that there is risk of retaliation or that the breach cannot be addressed effectively internally, whistleblowers have the option of reporting through external channels or even proceed with public disclosure. Consequently, in order to encourage internal reporting and,
thus, avoid a reputational risk at a time when the information based on which the reporting is made is not always complete and correct to a sufficiently high extent, the employer often has to overcome deeply subjective obstacles.
“The law itself does not offer sufficient filters to reduce the level of subjectivity embedded in the decision of a whistleblower to choose the path of external reporting, whether towards state agencies or by way of public disclosure. The legal wording places companies in an imbalanced position, which is a weakness that can be neutralized only by flawless application of the legal and regulatory framework in its entirety by all involved authorities, with due attention to best administrative practice and case law developed in other countries” emphasized Adriana Gaspar.
In turn, the employer has to complement the physical reporting system with an intangible infrastructure of integrity and credibility: integrated policies regarding the receipt and settlement of reports, compliance trainings, clear independence and impartiality for the person designated to resolve on the alerts received, contractual amendments, coherent internal and external communication contributing to the building of confidence in the employer and employees thereof having common integrity interests and objectives.
“This is the reason for which we believe that the design of and the investment in the whistleblowing infrastructure depend to a significant amount on the profile of each individual company. To secure the collaboration of whistleblowers and work together for integrity, some companies need as little as a phone, a mailing address and GDPR compliance, whereas others cannot achieve it despite the technical performance of the reporting system and the implementation of the highest standards of corporate governance. We do not recommend a “one size fits all” solution” Adriana Gaspar added.
The whistleblowers’ theme adds up in Romania too on the continuouslyevolving list of so –called “conformity aspects” which, increasingly, are systemically reshaping the organization and functioning of companies. To assist clients with their compliance efforts, NNDKP has set up Act for Ethics – a hub dedicated to business ethics and conformity and, at the same time, a space for information and debate which, at present, integrates the corporate governance, labour and data protection competencies required to assess compliance with the legislation (in-the-making) on the protection of persons reporting in the public interest.