Today we want to take you on a trip down memory lane: back to the days when European organisations found themselves in a jungle of privacy legislation whenever they tried to implement a ‘whistleblowing’ scheme. We see parallels with the arrival of the EU Whistleblowing Directive (EU 2019/1937). And this is not a good thing, per se.
We have said this before in our blogs: any organisation has a very important objective to achieve next to the objective of being compliant with ‘whistleblowing’ law. This objective regards early transparency by means of speaking up, so that ethical wrongdoing can be detected as early as possible. Even though these objectives appear similar, they actually often conflict. This occurs mainly when organisations take strict compliancy with whistleblowing law as the means to generate early transparency by means of speaking up. This results in legal terminology, complicated formal process steps, exceptions, and complicated scope restrictions. It goes without saying that it gets even more complicated when operating in an international environment.
Historically, laws on privacy, compliance and whistleblowing have been volatile and difficult to fully grasp. One of the main reasons for this is that they are full of local deviations. While European privacy laws may say one thing, local whistleblowing laws say something else. Companies try their hardest to comply with these laws and strive to create a safe environment for their employees at the same time. The goal of this blog is to emphasise the latter: the importance of not forgetting who these laws are trying to protect – people. People should be at the forefront of every policy you design and every law that you attempt to comply with.
There’s no downplaying it, before the General Data Protection Regulation (GDPR) was installed it was near impossible for international companies to fully comply with privacy rules, when implementing an international ‘whistleblowing’ scheme. Different European countries had different rules, opinions and interpretations and there was not one overarching framework that could act as a baseline. Even though the GDPR itself does not mention anything concerning a whistleblowing scheme in any detail, the enactment of the GDPR did make a change: it enabled companies to rely more on the GDPR and the principles it holds. This created less urgency among international organisations to comply with every single local deviation. Instead, it gave more space to follow the principles of privacy law and to focus on creating healthy and open cultures within companies.
Which was a good thing…
Flash forward to 2019: to the enactment of the EU Whistleblowing Directive. What we are seeing is a step back with regards to the principle based attitude that became prevalent after the GDPR. One of the Directive’s main goals is to invoke another overarching framework of laws (this time related to whistleblowing, as the name suggests) that international companies need to comply with. In theory, this should make compliance easier. However, we see discussions happening on a local level, which are leading to local interpretations and deviations (to read more on this topic please refer to the following article). We are witnessing signs that international organizations are willing to compromise on the solid internal SpeakUp safety net that took them years to build. History seems to be repeating itself.
The strange thing is that where it used to be about finding the right balance between privacy and transparency, the current struggle seems to be between two things, the EU Whistleblowing Directive and the Internal SpeakUp safety net. These two things have the same purpose in essence: creating early transparency by means of speaking up, so that ethical wrongdoing can be detected as early as possible. Furthermore, we should not forget that the ultimate whistleblower protection preventing that there is a whistleblower in the first place!
All technicalities aside, we would like to take this chance to emphasise what we feel should be companies’ number one priority: people. We believe that ensuring a safe environment in which anyone feels that he or she could speak up is the most important aspect of creating a healthy company culture. While it is also important to comply with laws and regulation, we urge you to not succumb to putting practicalities above people. It is all too easy to get lost in trying to comply with every exception of different local privacy and whistleblowing laws. This might mean that the people for whom these laws were brought about are forgotten. After all, the reason that the laws that were just discussed exist is to protect employees’ rights. Always make sure that these same employees are put first when designing policies to protect them. Transparency and openness within your organisation is key to putting a stop to wrongdoing and creating a healthy SpeakUp culture.
We urge you to take a stand, please refer to the following article to read more about this.
Thank you for reading and we invite you to share any thoughts that you might have!