Put together a team for this project. We think about a member of staff dealing with compliance, legal, HR, IT, communication.
If you have a DPO, be sure to involve him/her in the preparation as well.
Work out the procedure in a policy and make sure it is in the correct language (Dutch and/or French depending on the operating center of the company) as far as the procedure concerns employees.
We prefer a policy because it allows for more flexibility (than e.g. work rules or a collective bargaining agreement) and can also be made applicable to non-employees (e.g. consultants).
If necessary, update the data register and the data protection notice
Think about the choice of and the roll-out of the internal reporting channel. This can be online (link on intranet or through an external web portal), by telephone (through a hotline or voice message system without recording), etc.
You can manage it in-house or outsource. If you opt for an external service provider, check whether the necessary agreements have been concluded (e.g. data processing agreement in case the service provider acts as data processor). Provide the necessary legal basis and safeguards for transfers of personal data to third countries.
Communication and information
Provide sufficient time for information and consultation of the consultation bodies (works council or, in case of absence, trade union delegation) before the implementation of the whistleblowers.
Consider whether a DPIA is necessary or desirable.
Ensure that all stakeholders are sufficiently informed and sensitized about the modalities, safeguards and consequences of the whistleblowing procedure.