ISO 37301, ISO 37001, IATF 16949, TISAX, SMETA

Standards and certifications that require the introduction of a whistleblowing system

There are a variety of standards and certifications which your organization can apply to ensure that your workplace and processes are ethical, transparent and responsible. Many require or suggest the implementation of a whistleblowing system, such as the following:

ISO 37301

ISO 37301 was introduced by the International Organization for Standardization in April 2021 and sets out guidance on implementing a compliance management system (CMS). It is based on widely accepted principles of good governance, proportionality, transparency and sustainability. One of the key aims of ISO 37301 is to outline best practice when implementing a whistleblowing policy. This includes:

- Timely and thorough investigation of allegations or suspicions of misconduct.
- A visible and accessible whistleblowing system.
- Confidential, anonymous reporting channels.
- Impartial investigations of any reports of unethical conduct.
- Comprehensive documentation of reports made.
- Recording of any lessons learnt and changes to the CMS.

ISO 37001

Published in 2016, ISO 37001 provides guidance and details requirements for the setup and maintenance of an anti-bribery system. ISO 37001 is designed to help combat instances of bribery in the public, private and nonprofit sectors, perpetrated by individuals within the organization, as well as those acting on its behalf, plus a host of other scenarios. ISO 37001 is only intended for use as part of an anti-bribery system, but its recommendations are deliberately generic so as to be applicable to any kind of organization.

The introduction of a whistleblowing system in your organization is crucial for complying with ISO 37001. Requirement no. 18 specifically calls for the implementation of a whistleblowing system: ‘Implement reporting (whistle-blowing) procedures which encourage and enable persons to report suspected bribery, or any violation of or weakness in the ABMS, to the compliance function or to appropriate personnel’.

IATF 16949

IATF 16949 is a standard published by the International Automotive Task Force (IATF) and the Technical Committee of ISO, to be used in the creation of a quality management system to allow for ongoing improvement in the automotive industry supply and assembly process. The standard was updated in 2016 to include a stipulation for a whistleblowing policy. The updated version states: ‘[Organizations] shall define and implement corporate responsibility policies, including at a minimum an anti-bribery policy, an employee code of conduct, and an ethics escalation (whistle-blowing) policy.’

TISAX

TISAX (Trusted Information Security Assessment Exchange) stipulates the standards for information security management systems within the automotive industry and is now commonplace across Europe. Its requirements are very similar to ISO 27001, differing mainly in the fact that TISAX is designed specifically for the automotive industry, whereas ISO 27001 is a more generalized standard. While ISO 27001 focuses on data security within an organization, TISAX secures data throughout the supply chain.

SMETA

SMETA (Sedex Members Ethical Trade Audit) is not a standard as such, but an audit that your organization can request to help you understand labor, health and safety, environmental and ethical standards within your workplace. After the audit, organizations receive an action plan designed to help them take corrective steps. The audit comprises two mandatory pillars, Labor Standards and Health & Safety. The two non-compulsory pillars are Business Ethics and Environment.

Sedex recommends providing whistleblowing hotlines across your supply chain, particularly to combat modern slavery.

Other standards and certifications

Read about other standards and certifications and how they relate to whistleblowing in our previous blog posts:

- Whistleblowing guidelines: what you need to know about ISO 37002
- Whistleblowing requirements and the SA8000
- How whistleblowing can help improve your company's ESG score

Get in touch and see how the FaceUp whistleblowing system can meet your whistleblowing needs.
3/17/2023, 3 min read

Whistleblowing requirements and the SA8000

Social Accountability International (SAI) is a global non-government organization that protects and advances human rights at work. The Library of Congress in the United States includes the SAI as one of the recommended organizations providing policies and guidelines for socially responsible companies. And GOV.UK, the official website of the UK government, mentions the SAI’s workplace certification, the SA8000, as one of two audits that can be used to combat modern slavery in government supply chains.

Benefits of getting an SA8000 certificate

The SA8000 certification measures organizational practices according to nine criteria:

- Child Labour
- Forced or Compulsory Labour
- Health and Safety
- Freedom of Association & Right to Collective Bargaining
- Discrimination
- Disciplinary Practices
- Working Hours
- Remuneration
- Management System

Organizations that apply for an SA8000 certificate signal to stakeholders and the public that they are committed to creating work environments that protect and promote human rights. Having an SA8000 certification also shows potential investors that your organization is a safe investment.

As ESG (environmental, social, and corporate governance) investing becomes more prevalent, organizations are under increased pressure to ensure that they are above board and operating ethically. The SA8000 is one of the most well-known certifications for ensuring that commitment.

SA8000 whistleblowing requirements

The SA8000 requires that a company has a written complaint system. This grievance process must be easily accessible, so that employees and other interested parties can make complaints, comments, recommendations, or reports about the workplace or violations of SA8000 standards. The SA8000 also specifies that the complaint system must be unbiased, confidential, and non-retaliatory.

Once a report is received, the organization needs to have a clearly outlined process for investigating and following up on complaints concerning the workplace or non-conformance to the SA8000 guidelines.

The results of the investigation and response must be freely available to all personnel and interested parties upon request. Finally, the SA8000 makes it clear that the organization can’t in any way punish, dismiss, or discriminate against a member of staff if they choose to make a complaint.

Do you need an internal complaints system for the SA8000?

FaceUp is an intuitive, effective whistleblowing system that matches all of these requirements. FaceUp makes it easy to track reports and respond to issues quickly within your organization. Available in 113 languages, the platform takes minutes to integrate into your organization and makes collecting reports and responding to workplace issues much easier. Get in touch and see how the FaceUp whistleblowing system can meet your whistleblowing needs.
3/9/2023, 2 min read
La protezione del whistleblower

La protezione del whistleblower: The EU Whistleblowing Directive is Coming to Italy

On December 9th, 2022, the Italian Government approved a draft implementing the EU Whistleblowing Directive into national law.

The draft expands the retaliation protection for whistleblowers in Italy. Previously, only employees were protected from retaliation. Now the list of those protected after making a report includes: self-employed workers, external workers, shareholders, facilitators of the whistleblowing process, paid and unpaid trainees and even third-party members such as the whistleblower’s colleagues and relatives.

The new law is expected to affect all private sector organizations with 50 or more employees. These organizations must install internal and external whistleblowing channels which ensure the whistleblower’s confidentiality should they come forward.

Is your organization ready for the new Italian law?

The EU Whistleblowing Directive will take effect in Italy soon. Get a secure and anonymous whistleblowing channel to meet the legislative requirements of Italy and help whistleblowers speak up. Do you need advice on how to effectively introduce a whistleblowing platform in Italy?

Sources:

- https://www.whistleblowingmonitor.eu/country/italy
- https://www.lexology.com/library/detail.aspx?g=d003706d-7bcc-4a33-897d-381e77fda723
- https://www.lexology.com/library/detail.aspx?g=304bcca7-5449-486d-b1cb-cb5800201593
1/26/2023, 1 min read
Whistleblower laki Finland

Whistleblower-laki: The EU Whistleblowing Directive in Finland

Finland’s Whistleblower Act went into effect on January 1st, 2023. Private sector employers with at least 250 employees and public sector employers with 50 or more employees will be required to set up a whistleblowing channel by April 1st, 2023.

Private sector organizations with 50-249 employees will have until December 17th, 2023 to put a whistleblowing channel in place.

The Finnish government will allow certain organizations to have joint whistleblowing channels that receive notifications, verify their validity and/or carry out investigations to ascertain their validity. However, this does not excuse individual organizations from their legal obligations.

Finally, the Office of the Chancellor of Justice in Finland established an external reporting channel for whistleblowers on the 1st of January 2023.

Is your organization ready for the new Finnish law?

Finland's new whistleblowing law went into effect on January 1st, 2023, meaning that all companies with 250 employees or more must have whistleblowing channels in place by April 1st.

Get a secure and anonymous whistleblowing channel to meet the legislative requirements of Finland and help whistleblowers speak up. Do you need advice on how to effectively introduce a whistleblowing platform in Finland?

Sources:

- https://www.finlex.fi/fi/laki/alkup/2022/20221171
- https://raja.fi/en/whistleblower-protection#:~:text=The%20Whistleblower%20Act%20entered%20into,breach%20via%20a%20reporting%20channel.
- https://iuslaboris.com/insights/whistleblowing-in-finland-legislation-finally-published/?utm_source=mondaq&utm_medium=syndication&utm_term=Employment-and-HR&utm_content=articleoriginal&utm_campaign=article
- https://www.mondaq.com/whistleblowing/1265708/whistleblowing-in-finland-legislation-finally-published
1/26/2023, 1 min read
Belgium whistleblowing

Belgium’s New Whistleblowing Law: What You Need to Know

On December 15th, 2022, Belgium passed a bill transposing the EU Whistleblowing Directive into national law.

Here is what you need to know:

The law will establish 3 whistleblowing channels, each with its own rules: an in-company channel, an external channel to the authorities and a channel to the press.

With few exceptions, all legal entities with 50 to 249 employees will have until December 17th, 2023 to establish internal whistleblowing channels. Organizations with 250 employees or more must have these channels in place when the law enters into force on February 15th, 2023.

The Belgian law provides strong protection for whistleblowers against retaliation. Awards equal to 18-26 weeks' salary will be given to employees who are punished for stepping forward.

Finally, the law expands on the EU Whistleblowing Directive. In Belgium, reports on tax fraud and social fraud will also be protected.

Is your organization prepared?

Belgium’s new whistleblowing law will go into effect on February 15, 2023, meaning that all companies with 250 employees or more must have whistleblowing channels in place by that date.

Get a secure and anonymous whistleblowing channel to meet the legislative requirements of Belgium and help whistleblowers speak up.

Do you need advice on how to effectively introduce a whistleblowing platform in Belgium?

Sources:

- https://www.brusselstimes.com/327497/whistleblowers-to-receive-improved-protection-in-belgium
- https://www.jdsupra.com/legalnews/new-whistleblowing-rules-for-belgium-5258202/
- https://www.lexology.com/library/detail.aspx?g=e9417577-4f54-490a-8537-3a78bc428cb2
- https://www.lexology.com/commentary/employment-immigration/belgium/altius/belgian-whistle-blowing-act-published-in-belgian-state-gazette
1/26/2023, 1 min read
The EU Whistleblowing Directive in Ireland

The Protected Disclosures (Amendment) Act 2022. Whistleblowing EU Directive in Ireland

Ireland is preparing to implement the Protected Disclosures (Amendment) Act 2022, which dramatically expands who is covered by whistleblowing laws. Additionally, the act places the burden of proof on employers in cases involving suspected retaliation against the whistleblower.

Under the law, every organization with 50 employees or more must establish formal channels and procedures for “protected disclosures” (AKA whistleblowing). The act also expands the list of those protected to include job applicants, volunteers, shareholders, and board members.

Employers must monitor the whistleblowing channels, follow up on reports, and give feedback on all communication received via these channels.

Finally, if someone believes they were punished for whistleblowing, it is incumbent on the company to prove that its actions (such as firing or docking of hours) were not retaliatory.

Get ready for January 1st, 2023

Ireland and the Whistleblower legislation

Ireland is the 11th country to adopt a new law by implementing the EU Whistleblowing Directive. The new whistleblowing legislation will go into effect on January 1st, 2023. Get a secure and anonymous whistleblowing channel for whistleblowers to help them speak up and meet the requirements of Irish national law.

Whistleblowing system in Ireland

All private sector organizations with more than 50 employees are obliged to provide an internal whistleblowing system. FaceUp offers the #1 rated whistleblowing system:

👉 Irish whistleblowing law and GDPR compliant, ISO certified.
👉 Whistleblowers are able to report anonymously - in writing and orally.
👉 5-minute implementation without the need for an IT department.
👉 Administration and completely customizable form, both available in 113 languages.
👉 Secured with 2FA, E2E encryption, and penetration testing.
👉 Cooperation with partners - psychologists, lawyers, etc.

And we offer much more! How can the FaceUp whistleblowing system help you comply with the EU Whistleblowing Directive in Ireland?
Have a look.
11/24/2022, 1 min read
Competent authority for whistleblowing

External vs. internal competent authority managing whistleblower reports

A trustee, ombudsman or delegated person. All of these terms you may encounter refer to one and the same thing, namely the so-called "competent authority", which is a key function in the internal whistleblowing system.

Companies implementing a whistleblowing system are therefore faced with the important question of who to assign to this function. In the following, we look at what responsibilities are associated with the function, how to select the right person and whether it is more appropriate to choose an internal employee or an external delegate for this role.

Who is the competent authority and what are his/her duties?

One of the main duties associated with the forthcoming Whistleblower Protection Act is the appointment of a 'competent authority' who:

- receives and assesses the reasonableness of a notification made through the internal whistleblowing system,
- proposes corrective measures following a notification,
- maintains confidentiality; and
- acts impartially.

The person who receives and deals with the notification must be of good repute, of the utmost trustworthiness, independent, free from conflicts of interest and properly trained. It is extremely important to keep the whistleblowing system as credible and efficient as possible through a sufficiently knowledgeable competent authority, thus avoiding the risk of the whistleblower disclosing information. A whistleblower may disclose information when they do not have sufficient confidence in the whistleblowing system or when they feel that the firm is not adequately handling the disclosure (they may get this feeling from a mere lack of communication).

What are the steps to be taken by the competent authority once a notification has been made?

- The competent authority is obliged to receive the oral or written notification via the internal notification system.
- If the whistleblower requests it, the competent authority is also obliged to receive the notification in person.
- The competent authority must notify the notifier in writing of the receipt of the notification within seven days of the date of receipt.
- The competent authority shall assess the validity of the notification and inform the notifier in writing of the results of the assessment within thirty days of receipt of the notification. (In complex cases, this period may be extended by up to thirty days, but not more than twice.)
- If the notification is assessed as substantiated, the competent authority shall propose measures to prevent or remedy the unlawful situation and shall inform the notifier in writing.
- If the notification is not found to be justified, the competent authority shall inform the notifier in writing.

Is an internal employee the appropriate person to receive and evaluate the notification?

The head of the legal department, the compliance officer or someone from the human resources department are usually suggested as the appropriate person. However, this is a rather demanding and very responsible position which involves a large number of responsibilities. In addition, the person chosen must be sufficiently independent to avoid a conflict of interest in the investigation of the notification. Last but not least, they must reliably maintain confidentiality, prevent anyone from having access to the content of the notification and must not provide anyone with any information that could defeat the purpose of the notification. A violation of these duties of the competent authority is punishable by a fine. If the company does not have a suitable candidate to perform this function, it is possible to appoint an external person who guarantees independence and professionalism in dealing with the notification and proposing effective measures.

See a comparison of the benefits of an external and internal competent authority

External competent authority:

- less administrative burden for the company
- the investigation is guaranteed to be objective
- no risk of conflict of interest
- notifications are better evaluated by a professional with experience in receiving and dealing with notifications
- lower risk of disclosure of the identity of the whistleblower

Internal competent authority:

- better knowledge of the company and internal processes
- lower financial costs
- easier accessibility for verbal notifications

Who receives and evaluates the notification can be quite crucial to the fate of the entire incident. Failure to properly carry out the duties of the person in charge jeopardises the credibility and functionality of the entire notification system. The company is then at risk that the employee will either not file a report at all and the problems will accumulate, or will disclose their information, causing the company to lose control of the situation, but more importantly, the company may suffer devastating reputational or financial damage.
3/21/2022, 4 min read
ISO 37002

Whistleblowing guidelines: What you need to know about ISO 37002

At the end of July 2021, the International Organisation for Standardisation published ISO 37002:2021 (ISO 37002 Whistleblowing management systems - Guidelines). This standard is a guide for the effective implementation of an internal whistleblowing system and the management system related to it. Together with previously published standards (in particular ISO 37302), it forms the first global standard to fully address whistleblowing.

The new ISO 37002 provides guidance for establishing and maintaining an effective whistleblowing system based on the principles of trust, impartiality and protection. The standard can therefore prove to be a very useful guide for employers in establishing and using internal whistleblowing systems in accordance with legislative requirements (the EU Whistleblowing Directive and the forthcoming Czech Whistleblower Protection Act). However, unlike the legislation, it does not focus so much on whistleblowers, but targets organisations directly. It seeks to minimise the negative impact of any possible wrongdoing.

According to ISO 37002, the important elements are:

- information security
- ensuring an anonymous dialogue with the whistleblower
- protection of whistleblowers

The FaceUp platform is fully compliant with all current legislative requirements and the recommendations of the new ISO 37002 standard.

What can ISO 37002 help you with?

While the legislative requirements generally tell you what you need to do, ISO 37002 provides very specific and detailed instructions on how to do it. The standard can be implemented in any private, public or not-for-profit organisation, regardless of size or business sector. It is a broadly applicable standard - it emphasises consideration of the context, needs and expectations of the organisation and adapts the whistleblowing management system to these circumstances.

According to ISO 37002, you should devote plenty of time and attention to the preparation and planning of an internal whistleblowing system, from securing all resources, allocating responsibilities, determining how to communicate through an ethical line or other whistleblowing channel, to documentation, etc. The standard sets out the content of the obligations for employers, defining individual roles, responsibilities and authorities. A substantial part of the standard is devoted to the actual process of managing the whistleblowing notifications received, which is naturally the most important part of the whole whistleblowing management system. On the other hand, the standard also emphasises the importance of other follow-up activities (e.g. planning or subsequent evaluation of the effectiveness of the system).

The whole whistleblowing management process is divided into several key steps:

- Receipt of the notification of the violation,
- Assessment of the notification,
- Management of the whistleblowing - this also includes providing protection and support to whistleblowers,
- Closing the case.

According to ISO 37002, it is also necessary to focus on assessing the effectiveness of the internal whistleblowing system and to address its monitoring, analysis and subsequent evaluation. The recommendation is to conduct regular internal audits, the findings of which should help improve the whistleblowing management system. At the same time, it foresees that the system can be adapted at any time during its use to better suit the needs of your organisation and to be truly effective.

Certification options and other standards for compliance management systems

As stated directly in the title of the new ISO standard (Whistleblowing management systems - Guidelines), it is one of the so-called guidelines, i.e. standards of a more general nature, and therefore cannot be certified.

However, you can certify your internal whistleblowing channel as part of a complete compliance management system according to ISO 37301 Compliance management systems - Requirements with guidance for use. In the context of whistleblowing, the (also certifiable) ISO 37001 Anti-bribery management systems standard, which deals with the protection against corrupt behaviour and establishes anti-corruption management systems, is also frequently referred to. Implementing these standards will ensure that your organisation's internal whistleblowing channel is truly effective and in line with all international standards.

Interested in implementing ISO 37002 or any of the other ISO standards? We would be happy to explain the specific requirements and help you with the certification process. Let's talk.
3/21/2022, 3 min read
