How to implement a whistleblowing system?
The EU Whistleblower Directive landed years ago, every Member State has a transposition law on the books, and the question on a compliance officer's desk is no longer whether to put a reporting channel in place but whether the one already running actually meets the obligations. Bringing the rules into the daily life of an organisation still breaks down into three movements: drafting the procedure, standing the system up, and keeping it running. Each one has stopped being abstract.
Map the entity before drafting the procedure
Before a single line of policy gets written, the entity has to be mapped. Headcount decides whether the obligation kicks in: any private employer at or above 50 employees has to operate an internal reporting channel, with the deadline for the 50-249 tier having passed on 17 December 2023. Group structure decides where the channel sits. A holding company with several legal entities cannot just pool everything into one shared inbox; the European Commission's July 2024 conformity report flagged this exact pattern as one of the most common transposition gaps.
Existing procedures decide what changes. An HR grievance route, a compliance hotline, or a code-of-conduct portal already in place can be folded in, but only if their confidentiality and recordkeeping match the Directive's bar. The output of this mapping stage is a list of named channels, named recipients, and a scope statement saying which categories of breach the channel covers.
What the internal channel must actually do
Article 9 of the Directive sets two operational gates that most internal investigations later trip over: an acknowledgement of receipt within 7 days, and substantive feedback to the reporter within 3 months covering the action taken or envisaged. Missing either gate is the easiest way to lose protection from later litigation.
Beyond timings, the channel has to accept reports both in writing and orally, whether by phone, voicemail, or in person on request. It must keep a register of reports under retention limits and access controls. It must designate an impartial unit or person with no conflict of interest, and that designation has to be published internally so reporters know who they are speaking to.
Confidentiality of the reporter's identity is non-negotiable. Passing the name to anyone outside the impartial team without consent is itself a breach, and several national transpositions attach standalone fines (often up to €50,000 per violation) for that single failure.
Standing it up: people, training, and ISO 37002
Implementation is the moment a paper procedure turns into something employees can use. The committee or person responsible for examining reports has to be selected, trained, and equipped; an HR generalist with a side-of-desk hotline rarely survives a real case. Training has to extend beyond the committee to every line manager who might be the first to hear something, because the Directive's protection attaches the moment someone speaks up, not the moment they file a form.
ISO 37002:2021 is the most useful scaffolding here. It is a guidance standard rather than a certifiable management standard, but it lays out what a working programme looks like (risk assessment, role assignments, intake, investigation, follow-up, monitoring) and it is built to plug into an ISO-aligned compliance stack an organisation may already run.
Living with the system: monitoring, retaliation, GDPR
The system is a living object once it is in place. Monitoring goes beyond measuring volume: it means checking whether the operational gates are being met every quarter, whether feedback letters are going out on time, whether the register reconciles with the case files, and whether the channel is being used at all. A hotline that receives nothing across eighteen months is a signal, usually a bad one.
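To make the quarterly check described above concrete, here is an added example (not code from the original article or from WeMoral) that scores a constructed register against the two Article 9 clocks and reconciles register ids against case-file ids; the case ids, dates and the `ReportEntry` layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_DAYS, FEEDBACK_MONTHS = 7, 3  # Article 9: acknowledge within 7 days, feedback within 3 months

def add_months(d: date, months: int) -> date:
    """Move a date forward by calendar months, clamping to the month's last day."""
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    for day in range(d.day, 0, -1):          # e.g. 30 Nov + 3 months -> 28/29 Feb
        try:
            return date(year, month, day)
        except ValueError:
            continue

@dataclass
class ReportEntry:                           # assumed register row layout
    case_id: str
    received: date
    acknowledged: Optional[date] = None      # None = not yet done
    feedback_sent: Optional[date] = None

def _gate(done: Optional[date], due: date, today: date) -> str:
    if done is not None:
        return "met" if done <= due else "late"
    return "overdue" if today > due else "open"

def review_register(entries, today: date):
    """Status of both Article 9 clocks for every case as of `today`."""
    return [{"case_id": e.case_id,
             "ack": _gate(e.acknowledged, e.received + timedelta(days=ACK_DAYS), today),
             "feedback": _gate(e.feedback_sent, add_months(e.received, FEEDBACK_MONTHS), today)}
            for e in entries]

def reconcile(register_ids, case_file_ids):
    """Register rows with no case file, and case files that were never registered."""
    reg, files = set(register_ids), set(case_file_ids)
    return {"missing_case_file": sorted(reg - files),
            "unregistered_case_file": sorted(files - reg)}

# Constructed sample register and case-file index; ids and dates are made up.
TODAY = date(2025, 6, 1)
REGISTER = [
    ReportEntry("WB-2025-001", date(2025, 1, 10), date(2025, 1, 14), date(2025, 4, 2)),
    ReportEntry("WB-2025-002", date(2025, 2, 3), date(2025, 2, 14)),   # ack late, no feedback
    ReportEntry("WB-2025-003", date(2025, 5, 20)),                      # nothing done yet
]
CASE_FILES = ["WB-2025-001", "WB-2025-002", "WB-2025-004"]
```

Running `review_register(REGISTER, TODAY)` flags the late acknowledgement on WB-2025-002, its overdue feedback, and the missed 7-day clock on WB-2025-003, while `reconcile` surfaces a register row with no case file and a case file that never reached the register.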
The retaliation regime rewrites HR procedure. Once a person has reported, any adverse action against them (dismissal, demotion, transfer, withheld promotion, disciplinary measure) is presumed retaliatory, and the burden of proof flips to the employer to show the action would have happened regardless. That presumption has to shape every personnel decision touching anyone with a known prior report.
Data protection sits over everything. Whistleblower data is personal data under the GDPR, so encryption in transit and at rest, role-based access, retention limits, and a documented purpose are not optional. They are the same article-by-article obligations that apply to any HR system.
The cost of getting it wrong
The penalty surface is wider than most boards realise. Member State transpositions impose fines on retaliation, on breaches of confidentiality, and on hindering reports, frequently in the €30,000 to €50,000 per violation band, and stacked across counts for systematic failures. On the supervisory side, the Commission pursued infringement proceedings against most Member States that missed the transposition deadline, with combined fines of around €40 million imposed in early 2025 on the slowest five.
The country-by-country picture remains uneven. Slovakia stepped back from disbanding its whistleblowing authority under EU pressure, Germany is testing the limits of external-disclosure protection in court, and Poland, the last Member State to transpose, brought its law into force on 25 September 2024.
None of this is impossible to run in-house, but it is rarely cheap, and the operational layer (meeting the 7-day clock, keeping the register clean, defending the impartiality of the committee) is where most programmes fall over. WeMoral covers that operational layer end to end, from drafting the procedure through running the channel to producing the audit trail an inspector will ask for.
Junior compliance specialist who supervises the implementation of the compliance policy and the internal flow of information, co-organises training sessions, and is responsible for monitoring and supporting the implementation of existing regulations.