The European whistleblowing landscape has seen massive progress with the passage of the EU Whistleblowing Directive — and the ripple effects are being felt far beyond the EU’s borders. Take, for example, ISO 37002. Published within two years of the EU Whistleblowing Directive, this standard applies to a wide range of companies across the globe and provides best practices for a whistleblower management system.
ISO 37002 is a framework for setting up and maintaining a whistleblowing hotline that adheres to the highest standards as outlined by the International Organization for Standardization (ISO). In their own language, it provides “guidelines for establishing, implementing and maintaining an effective whistleblowing management system” based on the principles of trust, impartiality and protection in the following four steps:
The ISO is an independent, non-governmental international organization, bringing together global experts to “share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.” Its standards, including ISO 37002: Whistleblowing Management Systems, represent guidelines or best practices that organizations can adopt voluntarily. This sets ISO standards apart from regulations like the EU Whistleblower Directive, Sarbanes-Oxley in the United States, or Sapin II in France, which companies are legally obligated to comply with.
The ISO recommends the adoption of ISO 37002 stating, “It can assist an organization to improve its existing whistleblowing policy and procedures, or to comply with applicable whistleblowing legislation.” This means ISO 37002 is a holistic and adaptable approach to establishing a whistleblowing management system that meets or exceeds regulatory requirements.
According to the ISO, adopting ISO 37002 will encourage whistleblowers to come forward and make case handling much more effective – improving your organization’s culture and governance, while reducing the risk of wrongdoing.
The EU Whistleblower Protection Directive outlines a minimum set of protections for whistleblowers in Member States of the European Union, which must be implemented by organizations with 250+ workers (and by organizations with 50+ workers by December 17, 2023). The EU Directive focuses on whistleblower protections and empowerment; ISO 37002 focuses on the processes and systems a company uses to enable whistleblowers. Plus, the EU Whistleblower Directive is (as the name implies) a directive which must be transposed into law in all 27 EU Member States, while ISO 37002 is a set of guidelines that companies may voluntarily adopt.
From a tactical perspective, ISO 37002 recommends standards for the processes, systems, and technology an organization must have in place in order to follow through on whistleblower protections. ISO 37002 details voluntary guidelines for organizations that wish to establish their own compliant whistleblower management system anywhere in the world.
The two sets of guidelines complement one another, ensuring that any whistleblower protection standards put into place between now and the adoption of the EU Whistleblower Protection Directive will work together. Following both sets of guidelines could spare companies a costly whistleblower hotline implementation that ends up being non-compliant.
Both the EU Whistleblower Directive and ISO 37002 aim to protect whistleblowers and the confidentiality of the reports they make. Private, public, and not-for-profit organizations, regardless of employee count or geographic location, can adopt ISO 37002’s guidance.
Want to learn more about the EU Whistleblower Directive? Check out our ultimate guide.
Whether your organization is a global enterprise with thousands of EU-based employees or a growing start-up that wants to set their hotline up according to the highest standards, OneTrust can help.