The provisions of the EU Whistleblower Protection Directive partially came into effect on December 17, 2021. We are also still awaiting its transposition into national law, which may happen soon, as the draft law was published late last year.

Organizations that have already decided to implement whistleblower protection systems can seek help from the recently published ISO 37002:2021 – Whistleblowing management systems – Guidelines by the ISO/TC309 committee.

What organizations can use them?

The ISO 37002 guidelines were created to be applicable to virtually any organization. The International Organization for Standardization itself states that they are general in nature and apply to all organizations, regardless of type, size, nature of activity, or sector—public, private, or non-profit*.

There is a common misconception that building compliance systems (e.g., AML, GDPR, anti-mobbing and anti-discrimination procedures, and whistleblower procedures) on the basis of ISO standards and guidelines is only feasible for companies with extensive structures and significant financial and other resources. As noted above, this is not the case: applying ISO standards is a good practice that helps any organization build an effective system.

What do the guidelines contain?

This document provides guidance on establishing, implementing, maintaining, and improving a whistleblowing management system. It is recommended that the implementation process be based on the popular Deming Cycle (Plan-Do-Check-Act).

The guidelines are based on three main principles – protection, trust and impartiality – and cover four main stages:

  1. receiving reports of irregularities;
  2. assessing the reports received;
  3. responding to reports;
  4. closing whistleblowing cases.

Certification

The Whistleblowing Management System Guidelines are not designed for certification, so it will not be possible to obtain confirmation from an independent accredited body that ISO 37002 has been effectively implemented.

Summary

Using ISO standards and guidelines when designing and implementing compliance systems is highly valuable. Not only do they help build an effective system, but they are also highly valued by supervisory authorities (as is the case with the Personal Data Protection Office and the ISO 27001 and 27701 standards) and build a positive image of a trustworthy organization among customers and contractors.

The practical value of the guidelines for whistleblowing management systems will be seen in the implementations that many organizations will be required to carry out under the EU directive. The ISO guidelines complement the directive's requirements in many respects, and in some cases impose higher requirements or spell out specific assumptions. Furthermore, they emphasize the need to tailor the guidelines to the specific nature and context (including the legal context) of the organization.

A whistleblower management system can be implemented standalone or used as part of an organization's overall compliance management system. The ISO 37002 guidelines are an excellent complement to ISO 37001 (anti-corruption systems) and ISO 37301 (compliance systems). Unfortunately, the ISO 37002 guidelines on whistleblowers have not yet been included in the Polish Committee for Standardization (PKN) translation program, so for now, the English version must be used.

This alert is for informational purposes only and does not constitute legal advice.

* https://www.iso.org/standard/65035.html
