HR & Compliance · 6 min read

Introducing a whistleblowing system in 3 weeks: process, pitfalls, real numbers

Since July 2023, companies with 50+ employees must operate a reporting channel. How a trading company in Rosenheim introduced the system in three weeks.

Christoph Helminger
9 February 2026

When companies ask us whether we can set up a whistleblowing system, the first follow-up question usually sounds like this: "How long will you need?" Our answer is three to four weeks — technically and organisationally. The reaction is almost always the same: "That fast?"

Yes. But only if you set the right course.

What the German Whistleblower Protection Act actually requires

The Whistleblower Protection Act (HinSchG) has been in force since 2 July 2023. It obliges companies with 50 or more employees to set up internal reporting channels. For companies with 50 to 249 employees, an extended transition deadline applied until 17 December 2023.

The core obligations at a glance:

  • Set up an internal reporting channel through which reports of legal violations can be received
  • Acknowledge receipt within seven days
  • Provide follow-up actions and feedback to the reporting person within three months
  • Ensure confidentiality and protection against retaliation
  • Accept anonymous reports (this can — but does not have to — be supported technically)

What many companies don't know: the system does not have to be operated externally. An internal solution is permissible — it must only meet the legal requirements, particularly confidentiality and the independence of the responsible person.

How our introduction project at a trading company in Rosenheim went

A mid-sized trading company in the Rosenheim area, with 85 employees and its own trade and import business, came to us last spring. They had heard of the legal obligation but had postponed the topic for months. Concretely: no reporting channel, no responsible person designated, no information given to the workforce.

The risk was not just theoretical. Violations of the HinSchG can incur fines of up to 20,000 euros — not for the person reporting, but for the company that fails to operate a functioning reporting channel.

Week 1: analysis and selection

We always start with the question: who should operate the internal reporting channel? That is not an IT question, it is an organisational one. In the Rosenheim case the answer was: the authorised signatory, who already handles data protection responsibilities and enjoys the trust of the workforce.

In parallel we clarify whether a technical solution with anonymous reports is desired. The HinSchG does not mandate anonymity, but recommends it for acceptance. We deployed the whistleblowing module from HELITS HRIS: web-based, encrypted communication, no real name required, automated acknowledgement of receipt, deadlines with an integrated reminder system.

Week 2: technical setup and internal policy

The technical setup took one and a half days in this case. The system runs on our hosted infrastructure, GDPR-compliant under German law. The actual work of this week was creating the internal reporting policy: which violations can be reported? How does the procedure run? Who decides on follow-up actions? What happens with unfounded reports?

This step is the one that is most often underestimated. A functioning whistleblowing system is not a tool — it is a process. The tool makes the process more efficient and legally robust, but does not replace it.

Week 3: training and communication

At the end of week two there was a short workshop with the responsible authorised signatory: how does she receive a report? How does she document the case? What does she do if a report has criminal-law relevance? The latter is rare — but the process must still be in place.

In week three, the workforce was informed. Not a mandatory event with a presentation, but a short written notice via internal newsletter, complemented by a one-page leaflet with the essential points: what is the system, what is it for, who is responsible, how does anonymity work.

That was deliberately kept brief. Companies that promote the whistleblowing system too prominently sometimes produce the opposite of the desired effect — namely distrust about what happens with reports. Trust grows over time and through lived practice, not through elaborate communication campaigns.

What it looked like three months later

Three months after go-live we spoke with the authorised signatory. Two reports had come in — one of them anonymous. Both concerned internal procedural questions, no criminal matters. Both were processed and documented within the legal deadlines.

That sounds unspectacular — and that is good. A well-introduced whistleblowing system runs in the background without demanding attention. The legal protection is there. The process works. And the company has sent a clear signal to the workforce: tips are welcome, not feared.

For follow-up questions on introducing a legally compliant whistleblowing system, contact us directly. Information on the technical foundations can also be found on the HELITS HRIS page and on our digitalisation solutions for SMEs.

