Usage of e-mails as a whistleblowing channel: not compliant according to the EU directive

A deep dive into whistleblowing channels: why e-mail is not compliant with the EU Directive 2019/1937

Among the changes introduced by the European Union Whistleblowing Directive, which has now been transposed in the vast majority of Member States, the most important is undoubtedly the obligation for entities and companies to establish “channels for receiving the reports which are designed, established, and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorized staff members” (Article 9 of Directive (EU) 2019/1937).

Therefore, it is crucial to ensure that your system for handling reports has the necessary requirements for confidentiality, both organizationally and technically.

Whistleblowing systems and email use: Penalties for companies that break the rules

Many companies already handle whistleblowing internally through email boxes or online forms, if not in person or through paper forms, believing that such a system meets all the requirements.

However, these solutions need to be reconsidered in light of the new regulations. Used alone, without the co-presence of compliant software, they do not meet the strict requirements for the protection of sensitive whistleblower data set out in the EU Directive. In this article, we will focus on the critical compliance issues raised by the use of email as a whistleblower channel: let’s look at the key points together.

Inadequate encryption and lack of access restrictions on email accounts

Compared to software such as Legality Whistleblowing, which uses cryptographic systems for both the content of the report and any attachments, generic e-mails such as “whistleblowing@” do not provide adequate encryption tools to protect the confidentiality of the whistleblower’s identity, which may be accessible even to people outside the whistleblowing management, such as the company’s IT staff.

Operational management and timeliness issues

The EU Directive set precise deadlines for the handling of whistleblowing, of which the whistleblower must be informed. Daily operational tasks for SBs and Compliance Officers, such as keeping track of deadlines and communicating with whistleblowers, are difficult to perform efficiently via e-mail, as well as assigning different reports to managers with the right skills to handle them and involve employees.

Another critical issue is the retention of the documentation inherent to the reports: regardless of the channel through which they are received, reports should be kept only for the time necessary to process the report, and in any case no longer than 5 years from the final outcome of the procedure. In addition, data retention and the processing of personal data must always comply with the GDPR (EU Regulation 2016/679): any data breach exposes the company to severe penalties, calculated on the basis of turnover.

Lack of a structured reporting form

In an email, it is up to the whistleblower to decide what information to disclose and how to disclose it, with the possibility that the template usually provided by the company policy will not be followed and the report may lack details that are essential for case management. A wizard that classifies the type of whistleblowing at the outset and includes the mandatory fields to be completed speeds up the follow-up and simplifies the work of managers.

Perception of insecurity by whistleblowers

A perceived unsafe channel actually discourages whistleblowing: retaliation such as harassment or dismissal is real threat to whistleblowers, who need firm guarantees of identity protection to find the courage to report what is wrong in their work environment. In this sense, a reliable system supports the company’s risk management processes by helping the organization address potential problems before they become more serious.

Lack of inclusiveness

People with dyslexia or writing difficulties may face obstacles in using e-mail, while IT platforms such as Legality Whistleblowing offer the possibility of recording voice messages with voice distortion effects to make them unrecognizable.

Statistics on the percentage of employees who are afraid of retaliation - whistleblowing

The original text of the EU Directive suggested that member states provide a system of criminal, civil, or administrative sanctions to ensure the effectiveness of whistleblower protection rules, and indeed many national transposition laws have done so. However, penalties for GDPR violations have been in place for years, capped at 4 percent of total turnover or 20 million euros.

Legality Whistleblowing vs. E-mail: What is the best solution for whistleblowing in the company?

We have seen that using an e-mail box as a whistleblowing channel unfortunately might not offer the necessary guarantees of confidentiality and trust that such a tool should provide to those who decide to “blow the whistle”.

The Legality Whistleblowing Software is the most secure system for handling whistleblowing in both the public and private sectors:

E-mails

  • Don’t ensure the confidentiality of the whistleblower’s identity and personal information

  • Difficult to manage from an organizational perspective

  • Discourage whistleblowing, undermining the effectiveness of the channel

  • Expose the company to the risk of fines

Legality Whistleblowing

  • Asymmetric encryption and regulatory compliant access

  • Secure servers with ISO/IEC 27001/2017 certified infrastructure

  • Intuitive and user-friendly platform for both managers and whistleblowers

  • Compliant and valid for obtaining ISO 37001, 37002, and 37301 certifications

Legality Whistleblowing software and mobile app: book a free demo

Implementing a compliant system is easier than you think

With Legality Whistleblowing, you can quickly equip yourself with a fully compliant solution