The law transposes the EU directive into Estonian law and entails an obligation for organizations to create internal and external reporting channels for reporting internal misconduct. The infringements that whistleblowers can report are very different – breaches of procurement procedures, internal fraud, breaches of environmental requirements, and so on.
For private sector organizations with 50–249 employees, the proposed new law is not expected to apply until 17 December 2023, as allowed by the Directive. For larger organizations, the same obligation will apply earlier.
In addition to the notification channels, the follow-up to notifications must be developed, including notification procedures, measures to ensure the confidentiality and, where appropriate, anonymity of whistleblowers, and the deadline for processing notifications. It is also mandatory to inform the whistleblower of the final outcome of the procedure and to ensure that the notifications are stored and that personal data are collected and processed properly. The IT solution used for this purpose must also be able to ensure the confidentiality of whistleblowers and meet the requirements for the protection and processing of personal data. Incoming notifications should only be handled by a designated person or group with the appropriate competence.
The whistleblower must be able to report the breach through an external reporting channel, especially in cases where it can be expected that internal reporting may put pressure on the whistleblower. Thus, the whistleblower can notify the breach immediately through an external channel and does not need to first notify through an internal channel. A competent authority that is independent and separate must be designated to receive and process external notifications.
However, there are reasons other than formal requirements for introducing a well-functioning infringement notification system. According to the ACFE[i], the existence of such a system reduces the financial damage caused by irregularities by an average of 50%, and infringements are detected on average six months earlier than without such a function. In other words, a well-functioning whistleblowing channel has an important role to play in preventing irregularities in the organization and in mitigating the resulting risks.
Grant Thornton Baltic can help in all aspects of building such a system: from implementation, improvement of internal procedures and staff training to the creation of an external communication channel, case management and investigations.
Grant Thornton Baltic offers a software for managing the full process of reporting internal misconduct.
Grant Thornton Baltic's specialists have in-depth knowledge in areas such as prevention and treatment of conflicts of interest, money laundering, bribery and corruption, fraud, prevention and detection of accounting irregularities, as well as taxation, employment and the environment, forensic data analysis, etc.
[i] Association of Certified Fraud Examiners
If you have similar challenges and questions, please contact our specialists.
