Following the Bundestag’s decision, the Bundesrat’s approval is still needed, which is expected to take place this week. After the Bundesrat’s approval, the HinSchG will enter into force. Transitional periods for the establishment of a whistleblower system are not provided for. There is one, however, for the requirement to set up anonymous reporting channels, which has been changed in the draft law: the transitional period for setting up an anonymous reporting channel runs until 01.01.2025. Despite the transitional period, companies should already start thinking about implementation options, because after approval by the Bundesrat, only systems that can guarantee anonymous communication are future-proof.
Anonymity as a requirement
Anonymous communication is a much more demanding requirement for a system than the identity protection described in the preliminary draft of the law. One option for companies is to appoint ombudspersons to whom whistleblowers should turn. Depending on the conditions (e.g. if there are no ombudspersons in the company yet), a technical solution may be more effective and less expensive. Digital whistleblowing systems that guarantee anonymity lower the inhibition threshold for whistleblowers. The lower the threshold, the greater the likelihood that the company will benefit from valuable information. Another advantage of digital whistleblowing systems is that they can be implemented quickly and operated at manageable costs (monthly SaaS fee).
Technical solution from otris
When otris developed its whistleblowing system, the anonymous communication channel was a key requirement – even though it was not initially demanded in the legislative process. An anonymous reporting channel not only provides additional motivation for whistleblowers who wish to remain unidentified, it also simplifies the implementation of another legal requirement: identity protection. Whistleblowers who choose to report anonymously automatically enjoy identity protection, as their identity is not known. The identity of whistleblowers who report non-anonymously must of course also be protected. The high IT security standards of the otris whistleblowing system provide the technical prerequisites for identity protection: the system ensures that third parties cannot access information exchanged with whistleblowers. To this end, the system complies with the following IT security standards, among others:
- Hybrid encryption in accordance with BSI specifications (applies to all information-related data on the reporting platform)
- End-to-end encryption
- BSI-compliant transport encryption of all messages and attachments with TLS 1.3
- On request: two-factor authentication
- Data centres certified according to ISO 27001 and ISO 9001
- System pentests according to OWASP Application Security Verification Standard
- Security audits