Let our experience be your guide 


Let our experience be your guide 


Let our experience be your guide 


Let our experience be your guide 


Let our experience be your guide 


Let our experience be your guide 


Let our experience be your guide 

To content

Case study: Whistleblower protection system – implementation in 3 steps

By December 2021, there was a lot of talk in the media about the imminent, passing and finally missed deadline for the Polish whistleblower protection law. In this post I will not analyse the next version of the Act, we did that together with Aleksandra Philips in the post “The final version of the whistleblower protection law getting closer?“. Instead of analising it, I will be happy to share my experience and thoughts from the implementation of the whistleblower protection system we carried out.

Once upon a time…

It happened on 23 October in 2019. Although I don’t remember what the weather was like, on that day the Directive of the European Parliament and of the Council on the protection of whistleblowers in the Union (Directive 2019/1937) was enacted. The Whistleblower Protection Directive, as it is colloquially called, is in force and is one of those pieces of EU legislation generating a lot of interest, not only among lawyers.

Whether and to whom the directive is binding?

The directive became particularly notorious last winter. At the end of 2021 Poland’s deadline for enacting a law on the protection of whistleblowers passed. Well, that’s when the questions arose: is the directive binding on us?

I will, however, be precise. What does ‘us’ mean? Our clients, our employers, asked. After all, nothing motivates action like a dead line, and here the dead line was even crossed! You could see the interest in the topic, or rather the desire to avoid penalties. We reassured at the time that the directive made no demands on employers… at that point. The deadline was slept through at most by the Polish legislator, but not by employers, as I mentioned on LinkedIn.

The prudent ones have acted before

The news about no binding deadline caused a distinct sense of relief. This is understandable, although it was a relief in the short term. After all, we know one thing: employers with more than 50 or more employees will have to implement so-called whistleblower protection – sooner or later. The largest ones, with at least 250 employees, will be the first, then the smaller ones, but what is delayed is not lost. And by this I mean the prospect of a few months for the big ones, and several months for the smaller ones.

As early as winter 2021/2022, however, there were already some prudent employers who decided to implement whistleblower protection in their companies. In my opinion, this is the right approach; procrastination and short deadlines obviously motivate, but are ultimately often a source of unnecessary stress.

Implementing a whistleblower protection system – “first-hand” experiences and reflections

In one of the textile companies we support the owners took the subject very seriously. Regardless of the lack of an effective date for whistleblower protection legislation, they decided to act and asked us for help.

I like implementation projects because there is a process behind them, an algorithm, you have to start it somehow, plan it out, set a goal and work towards it. This is exactly the case with whistleblower protection implementations.

Start of implementation project

We started the implementation with a conversation. To begin, we met with HR and managers to explore and learn about their needs. We asked:

  • What do they expect from this system?
  • How do they understand it?
  • What risks do they see?

Then, together, we outlined in which areas possible reports of legal violations could occur in their organisation.

This was the moment when the project started to take shape and fill with content. Employers know their problems and want to deal with them. The whistleblower protection system is intended to help them do this.

The essence of the whistleblower protection system

And here is the clou of the matter: it doesn’t just have to be the fulfilment of an unpleasant duty, because someone demands that an employee can confidentially make a “denunciation”. Such an approach does not end up with implementation materials ending up in a drawer, no one understanding what they are about, and everyone being afraid that someone might get the courage to write about an irregularity.

The approach I always try to present to clients is based on pointing out that with the help of a:

  • confidential;
  • safe;
  • easy-to-use;
  • and, against all appearances, cheap tool,

can have a better insight into what is going on in the company. And, as those who prefer other terminology might add, they will have more control over what goes on in their organisation.

The importance of properly diagnosing customer needs

In fact, this initial stage is the most important. It is necessary to identify needs:

  • some have certain risks associated with their activities in the employee area;
  • others – environmental risks;
  • and others in the area of accounting.

Although every company is different, the schematic of working is similar.

Step one

First we check the needs, then we show how the channel for requests should work.

In this respect, we have partnered with leading software provider Whistleblower Software (, which offers a ready-made solution that employers can, for example, upload to their website, or point to their employees in the form of a QR code, or communicate to them in other ways. The sky is the limit when it comes to creativity (I already have another blog post planned on this subject).

Step two

The next step is to develop rules of procedure for submissions. I see this as creating a blueprint for dealing with a notification, as a kind of algorithm that will allow the whistleblower review team to work step by step.

The starting point is the question: “A notification comes in, what do I do next? “

  • I check its veracity;
  • I determine how and which tools to use;
  • I decide with whom to cooperate to get to the root of the problem as quickly as possible.

This is what the rules and regulations we prepare for our clients are for. It is a process in which we talk to the people who have to handle the notifications, train them and give practical guidance.

Step three

At the end is ‘go live’ – you press the green button (in your imagination) and the system goes live.

We establish cooperation with our clients in different ways. As a rule, clients themselves form teams to review notifications. We also advise and assist in their examination.
However, whether the system will work properly is largely up to the users themselves. If it is really used and does not end up as just another procedure in a drawer, it will certainly be really useful.

Instead of a conclusion

For some, the system introduces a certain amount of anxiety – there is the question ‘What happens if someone (really) reports something? ‘ My answer is always, well that’s great that they will report, that’s what it’s all about. The problem doesn’t go outside, the whistleblower wants to solve it inside the organisation. As in the regulations – you have to deal with the report and figure out the next steps, follow the algorithm.

Just to reassure you – the vast majority of cases that come into the system are trivial, sometimes even matters that do not involve breaches of the law, but issues of a completely different nature. Sometimes the system is treated as a “complaints and requests” box’. It is then necessary to skilfully and patiently explain to the whistleblower the purpose of the whistleblower protection system and show them where/to whom they can report other issues.

Implementing whistleblower protection in a company does not have to be an unpleasant duty. These kinds of projects are some of my favourite things to do. I learn a lot about the operation and specifics of different industries and pass my knowledge to clients. I encourage you to contact me and talk to me – I am happy to share my practical experience in the field of whistleblower protection.

Jan Muszyński PhD, attorney at law (PL)

+49 30 88 03 59 0
To top