RGPC Practical Roadmap
For local authorities, RGPC compliance should never be treated as a paperwork exercise. Portugal’s General Anti-Corruption Regime applies to local authorities and other public entities with 50 or more workers, but the law also makes it clear that public bodies falling outside that threshold should still adopt corruption-risk prevention tools proportionate to their size and nature. In practice, that means even a smaller municipality should not assume the subject is irrelevant. A proportionate, documented and operational approach is still the smarter governance choice.
For a public sector director, “full compliance” does not mean publishing a code of conduct and calling it a day. The RGPC requires a compliance programme including, at minimum, a corruption and related offences risk prevention plan, a code of conduct, a training programme and a whistleblowing channel, together with the designation of a compliance officer. For public entities, that framework also connects with administrative transparency duties, conflict-of-interest safeguards, internal control obligations and measures to promote competition in public procurement.
The most common mistake is to start with the most visible document and ignore the governance architecture underneath. The better route is the opposite: governance first, diagnosis second, controls third, evidence fourth. A municipality is only genuinely aligned when it can show who is accountable, how risk was assessed, what measures were implemented, how people were trained, what evidence exists and how the entire framework is reviewed over time. That logic reflects the structure of the RGPC itself, which links prevention, control, communication, evaluation and accountability.
1. Start with leadership and clear internal accountability
The first practical step is to elevate the matter to the level of the mayor, executive councillors, municipal leadership and department heads. The RGPC expressly places responsibility for adopting and implementing the compliance programme on the governing body or senior manager, and it also requires the designation of a compliance officer who performs the role independently, permanently and with decision-making autonomy, with access to the necessary information and resources. In a municipality, that means avoiding purely symbolic appointments. The compliance officer cannot be a nominal contact person with no visibility over processes, no authority to escalate issues and no real administrative backing.
In operational terms, it is worth creating a simple responsibility matrix from day one. Who approves the risk prevention plan? Who keeps the risk map current? Who receives conflict-of-interest disclosures? Who oversees the whistleblowing process? Who validates corrective actions? Who ensures alignment with data protection? Who prepares submissions to MENAC? If those questions do not have precise answers, the authority does not yet have a functioning system. It only has good intentions.
2. Perform a real risk diagnosis, not a generic one
The second step is to identify where the authority is actually exposed. The RGPC requires the risk prevention plan to cover the full organisation and its activities, including management, leadership, operational and support areas, and to include the identification, analysis and classification of corruption-related risks. The law also requires preventive and corrective measures, probability and impact scoring, and more robust prioritisation where risk is high or maximum.
In a local authority setting, that means looking at very concrete areas: procurement, urban planning, licensing, inspections, fleet management, HR, grants and subsidies, assets, records management, citizen service desks, payments, treasury, routine purchasing, concessions, events, partnerships and outsourced services. Diagnosis has to go down to process level and decision point level. It is not enough to write “risk of favouritism in procurement”. You need to specify where that risk emerges: defining need, selecting procedure, inviting suppliers, evaluating bids, receiving goods, validating expenditure, renewing contracts, splitting purchases, unmanaged conflicts of interest, informal pressure or over-dependence on one provider.
A useful exercise is to ask, in every sensitive process: where is discretion strongest, where is there supplier contact, where are decisions taken without dual validation, where is urgency repeated, where are audit trails weak, where are duties not segregated and where is evidence fragmented across teams. That is the level of detail that turns the plan into a management tool rather than a legal appendix.
3. Build the risk prevention plan as a management instrument
Many municipalities still treat the risk prevention plan as a mandatory annex. That is a strategic mistake. The plan should work as the master map for prevention. The RGPC requires its implementation to be monitored through an interim assessment report in October for high or maximum risks, and an annual assessment report in April of the following year, including the degree of implementation of preventive and corrective measures. The plan must be reviewed every three years, or whenever relevant organisational or structural changes occur, and it must be disclosed to workers and, where applicable, communicated to MENAC and the relevant supervisory bodies within 10 days of implementation, revision or preparation.
In management language, that means each risk needs an owner, a status, a deadline, evidence and a metric. Every risk should be connected to a process, a responsible person, existing controls, identified gaps, improvement actions, a deadline and a means of proof. Without that, October and April reporting quickly turns into vague narrative reporting instead of verifiable execution reporting.
A simple example would be: “Risk of favouritism in low-value purchasing procedures.” Existing controls: seek more than one quotation where feasible, line management approval, system record. Gap: no periodic review of supplier concentration. Action: quarterly supplier concentration report by cost centre. Owner: procurement unit. Deadline: 60 days. Evidence: system export. KPI: percentage of suppliers exceeding the defined concentration threshold.
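To show what "each risk needs an owner, a status, a deadline, evidence and a metric" looks like once it leaves the spreadsheet, here is an added example in Python that is not part of the original article or of any product it mentions. It models a row of the risk map, scores probability against impact, selects the rows that belong in the October interim report, and computes the supplier-concentration KPI from the low-value purchasing example above. The four scoring bands and their cut-offs, the 0.5 concentration threshold, and all purchase data are assumptions constructed for the illustration.

```python
"""Risk register helper for a municipal RGPC risk prevention plan.

Added illustration (not from the original article): scores probability x impact,
selects the risks that belong in the October interim report, and computes the
supplier-concentration KPI from the low-value purchasing example.
"""
from collections import defaultdict
from dataclasses import dataclass


def risk_level(probability: int, impact: int) -> str:
    """Map a 1-5 probability and 1-5 impact score to a level.

    The four bands and their cut-offs are an assumption for this example; the
    RGPC requires scoring and stronger prioritisation of high/maximum risks
    but the article gives no numeric thresholds.
    """
    score = probability * impact
    if score >= 16:
        return "maximum"
    if score >= 10:
        return "high"
    if score >= 5:
        return "moderate"
    return "low"


@dataclass
class Risk:
    """One row of the 'Risk map' tab: process, event, scoring, control, gap, action."""
    process: str
    risk_event: str
    cause: str
    probability: int          # 1 = rare ... 5 = almost certain
    impact: int               # 1 = negligible ... 5 = severe
    existing_control: str
    gap: str
    corrective_action: str
    owner: str
    deadline_days: int
    evidence: str
    kpi: str

    def level(self) -> str:
        return risk_level(self.probability, self.impact)


def interim_report_scope(register):
    """Risks that must be followed in the October interim assessment (high or maximum)."""
    return [r for r in register if r.level() in ("high", "maximum")]


def supplier_concentration(purchases, threshold):
    """Share of spend per supplier within each cost centre.

    purchases: iterable of (cost_centre, supplier, amount).
    Returns (shares, flagged, kpi): shares[cost_centre][supplier] is that supplier's
    share of the centre's spend, flagged lists pairs above the threshold, and kpi is
    the percentage of supplier/cost-centre pairs above it (the plan's KPI).
    """
    spend = defaultdict(lambda: defaultdict(float))
    for cost_centre, supplier, amount in purchases:
        spend[cost_centre][supplier] += amount
    shares, flagged = {}, []
    for cost_centre, per_supplier in spend.items():
        total = sum(per_supplier.values())
        shares[cost_centre] = {s: round(a / total, 4) for s, a in per_supplier.items()}
        for supplier, share in shares[cost_centre].items():
            if share > threshold:
                flagged.append((cost_centre, supplier, share))
    pairs = sum(len(v) for v in shares.values())
    kpi = round(100.0 * len(flagged) / pairs, 1) if pairs else 0.0
    return shares, flagged, kpi


# Constructed sample register: the article's low-value purchasing example plus one more row.
SAMPLE_REGISTER = [
    Risk("Low-value purchasing", "Favouritism in supplier selection",
         "Repeated direct awards to the same provider", 3, 4,
         "More than one quotation where feasible; line management approval; system record",
         "No periodic review of supplier concentration",
         "Quarterly supplier concentration report by cost centre",
         "Procurement unit", 60, "System export",
         "Percentage of suppliers above the concentration threshold"),
    Risk("Records management", "Loss of decision trail",
         "Paper files kept only by one clerk", 2, 2,
         "Central archive", "No scanning backlog target",
         "Scan closed files within 30 days", "Archive unit", 90,
         "Archive log", "Percentage of closed files scanned"),
]

# Constructed purchase ledger (cost_centre, supplier, amount in EUR).
SAMPLE_PURCHASES = [
    ("Roads", "Supplier A", 8000.0), ("Roads", "Supplier A", 7000.0),
    ("Roads", "Supplier B", 5000.0),
    ("Parks", "Supplier C", 3000.0), ("Parks", "Supplier D", 3000.0),
    ("Parks", "Supplier E", 4000.0),
]

if __name__ == "__main__":
    for risk in interim_report_scope(SAMPLE_REGISTER):
        print(f"[{risk.level()}] {risk.process}: {risk.risk_event} -> {risk.owner}, {risk.deadline_days} days")
    shares, flagged, kpi = supplier_concentration(SAMPLE_PURCHASES, threshold=0.5)
    for cost_centre, supplier, share in flagged:
        print(f"{cost_centre}: {supplier} holds {share:.0%} of spend")
    print(f"KPI: {kpi}% of supplier/cost-centre pairs above threshold")
```

Run on the constructed ledger, the Roads cost centre shows one supplier holding 75% of spend, which is exactly the kind of concentration the quarterly report is meant to surface; the KPI then tracks whether that share of flagged pairs falls after the corrective action.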
4. Review the code of conduct so it works in real life
The RGPC requires a code of conduct setting out principles, values and behavioural rules for managers and workers, taking into account criminal rules on corruption and related offences and the organisation’s exposure to those risks. It also requires the identification of disciplinary sanctions and criminal consequences, as well as an internal report for each breach, stating the rules violated, the sanction applied and the measures taken or to be taken. The code must be reviewed every three years or when relevant change occurs, and it must be disclosed and communicated within the statutory deadlines.
In practice, a useful municipal code of conduct is not a high-level text about “integrity”. It answers day-to-day questions. How should staff deal with gifts and hospitality? How should they manage relationships with local suppliers? What happens when there is family or personal proximity to an applicant or bidder? How should informal meetings be handled? What should happen when there is pressure to speed up a process? How are recusals, impediments, disclosures and conflicts recorded? How are people protected when they raise concerns? How are deviations escalated without fear?
When a code speaks to the real context of local government, people use it. When it remains generic and ceremonial, they ignore it.
5. Treat the whistleblowing channel as an operating mechanism, not just a legal requirement
The RGPC links internal reporting channels to Portugal’s whistleblower protection regime, and Law no. 93/2021 sets specific requirements. Mandatory entities must have internal channels; those channels must ensure completeness, integrity, preservation, confidentiality of identity or anonymity, and prevent access by unauthorised persons; they may be operated internally or externally, provided independence, impartiality, confidentiality, data protection, secrecy and absence of conflicts of interest are ensured. The law also requires acknowledgement of receipt within seven days and reasoned feedback on planned or adopted measures within a maximum of three months. Reports must generally be retained for at least five years.
There is an important nuance for local authorities. Law no. 93/2021 states that local authorities with 50 or more workers but fewer than 10,000 inhabitants do not have to maintain internal whistleblowing channels, and local authorities may also share channels regarding receipt and follow-up. Even where a formal exemption exists, however, deciding not to structure a clear reporting mechanism should be approached cautiously. The absence of a formal channel does not remove operational risk, governance risk or reputational risk.
The protection regime is also robust. The identity of the whistleblower is confidential and access is restricted; retaliation is prohibited; several harmful acts occurring within two years after a report are presumed to be motivated by that report; and a disciplinary sanction imposed on the whistleblower during that period is presumed abusive.
6. Build GDPR into the channel from the start
The processing of personal data under the whistleblower protection regime is expressly subject to the GDPR and the relevant Portuguese legislation. Separately, the CNPD states that a personal data breach must be notified within 72 hours where it is likely to pose a risk to rights and freedoms, and organisations should have internal policies enabling them to detect and manage security incidents affecting personal data.
That means a municipality should not launch a whistleblowing mechanism without resolving basic privacy issues first: who can access reports, under which profile, where records are stored, what retention logic applies, how communication with reporters is handled, how the identity of third parties mentioned in reports is protected, what privacy information is given and what technical and organisational safeguards exist against unauthorised access. This is where alignment with iPrivacy makes practical sense: not as an optional extra, but as an essential layer that makes the channel legally sound and operationally safe.
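The two preceding sections set out the operating rules for the channel: acknowledgement within seven days, reasoned feedback within three months, retention for at least five years, restricted access to the reporter's identity and a record of who accessed what. The following added example in Python (not code from the original article, nor from iBlow.eu, iPrivacy or any other product named here) shows how a case-tracking back end can enforce those rules rather than leaving them to memory. The statutory periods come from the article; the role model (only a `compliance_officer` sees identity), the rule that retention is counted from case closure, and the sample cases are assumptions constructed for the illustration.

```python
"""Whistleblowing case intake helper: statutory deadlines, access restriction and retention.

Added illustration (not from the original article or any of the products it names):
the 7-day acknowledgement, 3-month feedback and 5-year retention periods come from
the article; the role model and the rule that retention runs from case closure are
assumptions for this example.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ACKNOWLEDGEMENT_DAYS = 7
FEEDBACK_MONTHS = 3
RETENTION_YEARS = 5
# Assumed role model: only the designated case handler may see who reported.
ROLES_WITH_IDENTITY_ACCESS = {"compliance_officer"}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def acknowledgement_due(received: date) -> date:
    return received + timedelta(days=ACKNOWLEDGEMENT_DAYS)


def feedback_due(received: date) -> date:
    return add_months(received, FEEDBACK_MONTHS)


def retention_until(closed: date) -> date:
    return add_months(closed, 12 * RETENTION_YEARS)


@dataclass
class Case:
    case_id: str
    received: date
    summary: str
    reporter_identity: Optional[str]          # None = anonymous report
    acknowledged_on: Optional[date] = None
    feedback_on: Optional[date] = None
    closed_on: Optional[date] = None
    access_log: list = field(default_factory=list)  # (date, role) of every view


def view_case(case: Case, role: str, today: date) -> dict:
    """Return what a role may see; identity is included only for authorised roles
    and every access is logged so the access control can itself be audited."""
    case.access_log.append((today, role))
    view = {
        "case_id": case.case_id,
        "received": case.received,
        "summary": case.summary,
        "acknowledgement_due": acknowledgement_due(case.received),
        "feedback_due": feedback_due(case.received),
    }
    if role in ROLES_WITH_IDENTITY_ACCESS:
        view["reporter_identity"] = case.reporter_identity or "anonymous"
    return view


def overdue_actions(cases, today: date):
    """List (case_id, action) pairs whose statutory deadline has passed without action."""
    findings = []
    for case in cases:
        if case.acknowledged_on is None and today > acknowledgement_due(case.received):
            findings.append((case.case_id, "acknowledgement"))
        if case.feedback_on is None and today > feedback_due(case.received):
            findings.append((case.case_id, "feedback"))
    return findings


# Constructed sample cases.
SAMPLE_CASES = [
    Case("C-001", date(2024, 1, 10), "Possible conflict of interest in a maintenance award",
         reporter_identity="employee 4711"),
    Case("C-002", date(2024, 1, 2), "Pressure to split a purchase below the threshold",
         reporter_identity=None, acknowledged_on=date(2024, 1, 5)),
]

if __name__ == "__main__":
    today = date(2024, 1, 20)
    print(view_case(SAMPLE_CASES[0], "department_head", today))   # no identity field
    print(view_case(SAMPLE_CASES[0], "compliance_officer", today))
    print(overdue_actions(SAMPLE_CASES, today))
    print("retain C-002 until", retention_until(date(2024, 4, 1)))
```

Two design points matter for the privacy analysis in this section. The reporter's identity never leaves the record through a non-authorised role, so a department head reviewing the case sees the substance but not the source; and the access log is written on every view, which is the evidence an inspection or a CNPD query would ask for. Month-end clamping in `add_months` avoids the classic off-by-a-day error when a report arrives on the 30th or 31st.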
7. Strengthen transparency, conflicts of interest and internal controls
For public entities, the RGPC goes well beyond the minimum documentary package. It requires publication, on the intranet and official website, of important information including organisational structure, strategic and operational documents, budget and accounts, reports, public services, benefits and subsidies granted, donations received, major procurement notices and contact channels for citizens and businesses, while ensuring accessibility, quality, integrity and, where relevant, open formats.
The regime also requires conflict-of-interest safeguards and, in areas such as procurement, subsidies, urban, environmental, commercial and industrial licensing, and sanctioning procedures, it provides for declarations of absence of conflicts and communication of situations that may affect impartiality. At the same time, it requires an internal control system proportionate to the size, nature and complexity of the entity, designed to ensure legality, risk mitigation, prevention and detection of illegality, fraud and error, asset protection, information reliability, prevention of favouritism and overall operational transparency.
Translated into municipal operations, this means moving beyond the culture of “each department does it its own way”. Critical procedures require manuals, approvals, segregation of duties, decision trails, documented criteria, regular reporting and internal audits or sample-based reviews. That is where iComply can play a strong role as the technical layer for evidence capture, approvals, tasks, reminders, audit history and continuous compliance follow-up.
8. A realistic 180-day roadmap
A practical implementation roadmap can be broken into four phases.
Days 1 to 30: appoint the compliance officer, approve governance, identify critical processes, collect existing documents, map RGPC, whistleblowing and GDPR requirements, and decide whether the channel will be internal, external or shared.
Days 31 to 75: draft or revise the risk prevention plan, update the code of conduct, define conflict-of-interest rules, map internal control evidence, select the supporting technology and design intake, triage, investigation and response workflows.
Days 76 to 120: deliver role-based training, publish required documentation, activate the whistleblowing channel, test response times, approve record and reporting templates, and align leadership, intranet and website communication.
Days 121 to 180: run tests, measure adoption, collect non-conformities, review permissions, create dashboards, prepare the interim and annual reporting cycle and institutionalise the review routine.
The crucial point is not to confuse “published” with “implemented”. Documents do not reduce risk by themselves. Behaviour, control, evidence and review do.
Mini-scenario
Imagine a medium-sized municipality launching a procurement procedure for urban maintenance services. A staff member uses the internal whistleblowing channel to report that one of the decision-makers previously sat on the board of a local association linked to a potential supplier, and that there is informal pressure to accelerate the award.
In a municipality with weak RGPC maturity, the report becomes an inconvenient email, no formal case file is created, no one knows who should handle the matter and the process continues with minimal correction.
In a municipality that has implemented the roadmap properly, the opposite happens: the report enters a controlled channel; receipt is acknowledged within the legal deadline; an independent person performs triage; the conflict-of-interest issue is assessed; the relevant decision-maker is removed from the critical stage; traceability of the procedure is reinforced; and documentary evidence is created for the analysis, decision and corrective action. The outcome is not only legal. It is managerial, cultural and reputational.
Downloadable template: structure
Tab 1 – Initial diagnosis
- Number of workers
- Municipality population
- Critical areas
- Existing risk plan
- Existing code
- Existing channel
- Compliance officer appointed
- Training completed
- Internal control maturity
- GDPR alignment status
Tab 2 – Risk map
- Process
- Risk event
- Cause
- Probability
- Impact
- Risk level
- Existing control
- Gap
- Corrective action
- Owner
- Deadline
- Evidence
- KPI
Tab 3 – Whistleblowing channel
- Written reporting available
- Verbal reporting available
- Anonymous reporting available
- 7-day acknowledgement SLA
- 3-month feedback SLA
- Record retention
- Access control
- Privacy information
- Internal/external/shared operation
- Follow-up owner
Tab 4 – Training and communication
- Role
- Topic
- Frequency
- Date
- Evidence
- Refresher need
Tab 5 – Monitoring
- Indicator
- Current value
- Target
- Frequency
- Owner
- Improvement action
The cost of doing it badly is higher than the cost of structuring it properly
Under the RGPC, failure to adopt or implement the risk prevention plan, the code of conduct or the internal control system, as well as several failures relating to review, disclosure and communication, may amount to administrative offences, with fines that can reach €44,891.81 for legal entities in some cases. Under Law no. 93/2021, serious and very serious breaches relating to channels, confidentiality, retaliation and record keeping can reach €250,000 for legal entities.
For a local authority, though, the biggest risk is not just the fine. It is the loss of trust from citizens, weak evidence in inspections, erosion of internal culture, repeated procurement failures, reputational exposure and the inability to demonstrate sound public governance.
Conclusion
The best RGPC roadmap for local government is the one that converts legal obligations into management routines. It starts with leadership, continues with a real diagnosis, turns into an actionable risk plan, becomes operational through the code, the reporting channel, training and internal controls, and closes the loop with evidence, measurement and continuous improvement. The goal is not to “have documents”. It is to reduce risk, increase trust and protect public decision-making.
Suggested Readings:
- Comparative analysis of whistleblower protection in the EU.
- SME whistleblowing challenges.
- The role of technology in safeguarding anonymity.
Do you need support to implement this roadmap in your local authority?
Find out more about iBlow.eu for whistleblowing channels, iComply.pt for technological implementation, iPrivacy.eu for GDPR compliance, and iCompliance.eu for further implementation services and legal and regulatory compliance audits.
Constantino Ferreira
iBlow.eu