Create a secure and simple reporting system for Whistleblower

- SCAB - > Blog > Cybersecurity > Create a secure and simple reporting system for Whistleblower


According to a new EU directive, all public activities and companies with more than 50 employees, all municipalities with more than 10,000 inhabitants, as well as organizations that are sensitive to money laundering or terrorist financing will be required to create safe, effective and efficient reporting channels that guarantee protection against retaliation by whistleblower. By 17 December 2021, Member States shall have adopted the laws, regulations and administrative procedures necessary to comply with this Directive.

“Whistleblower, whistleblower or whistler, by the English whistleblower, is a person who sounds the alarm about irregularities, often in his own workplace, mainly to the mass media or control bodies in the event of detection of irregularities by, for example, authorities and companies.” Wikipedia.


Despite the fact that many countries have legislation to protect whistleblowers, many are reluctant to report it. In a survey by Transparency International, for example, 35% of EU citizens surveyed answered that the risk of retaliation is the biggest obstacle to reporting irregularities.

Those who use the reporting channels must therefore dare to trust that confidentiality and anonymity are maintained throughout the process, also in smaller organizations where “everyone knows everyone” and in smaller towns with strong social control. Although the statutory protection is extensive, it is very difficult in practice to prove retaliation.

It should be easy to report. Many people give up simply because the process requires you to create an account, have to fill in extensive forms and then are expected to participate in a (often) complicated dialogue where you even risk being questioned.


Today’s existing reporting systems and processes are built for large or special activities that often have or have had special legislation to take into account, but which are unnecessarily complicated (and expensive) for especially the smaller activities that are now affected.

This is necessary for most people to meet the requirements of the directive:

  1. The reporting must primarily be done internally in the own organization
  2. Support and protection measures against retaliation must be guaranteed for whistleblowers
  3. Obligation to react and follow up whistleblower’s reports within three months
  4. Clear instructions on internal and external reporting channels shall be given to all concerned

In practice, this means that the organization must a) establish at least one technical reporting channel with sufficient security and anonymity, b) appoint at least one suitable person to handle the reporting, c) create a sufficient process that guarantees that the whistleblower is not retaliated against and that the report is handled within a reasonable time, and d) inform employees, suppliers, business partners and all others concerned about the reporting system and process.

What is a “secure reporting system”?

Basically, security is about creating a system and a process that guarantees that the whistleblower does not suffer retaliation in any form and that the whistleblower feels that he can trust.

In its simplest form, and often applied, the channel can be a telephone number to, for example, an external law firm that has an agreement with the employer, and a mandate, to investigate reports of irregularities in the business. Experience shows, however, that this solution works very poorly in practice because the whistleblower usually feels little or no confidence in the solution.

At the other end of the scale are large technical systems where the whistleblower must create an account, fill in often extensive forms, and then be expected to have a dialogue during the process. This type of solution also does not work very well because it is too complicated and also risks exposing the whistleblower through negligence or technical problems.

Many of these solutions also have outdated substandard security both in terms of access to sensitive data and the possibility of tracking.

A modern technical system must be easy to use (work with a mobile), have high security also against tracking, not store unnecessary data, give the whistleblower the opportunity to report completely anonymously, and have support for at least 2 alternative recipients to choose from.

Our new service ANON::form is such a modern system developed for the needs of small businesses, read more about the whistleblower forms here.

Reporting irregularities is based on the whistleblower feeling safe, which creates a delicate balance between the need to get as much information as possible, the opportunity to follow up and supplement and perhaps even get a testimony, and the whistleblower’s anonymity.

Anonymity is often a crucial requirement because the whistleblower knows that the statutory protection, even if it is improved by the EU directive, is unfortunately insufficient in practice and that whistleblowers are always at risk of being hung out, not least in social media.

Anyone who reports an irregularity should therefore always have the opportunity to remain anonymous unless the law has a clear requirement that the notifier’s identity must be known. Either by not having to provide names or contact information, or with clear info on how to easily create and use, for example, an anonymous and secure e-mail address with which you can communicate in the handling of the case. Please see ANON::forms demo as an example.

Is your whistleblower form the forgotten weak link in your cybersecurity? Protect your business and your employees!

Create a safe process

The size and focus of the business must state the framework for how a sufficient process is created. Large organizations and activities with extra legislation have a corresponding need for complexity, while smaller organizations manage in comparison small measures. It is therefore very important to analyze the real need before creating your solution.

Small and medium-sized organizations with normal operations can create a solution as follows:

  1. Needs analysis; what are the risks of irregularities in the business, who can be the whistleblower and who should be informed about the reporting system?
  2. Process; how should reports on different types of irregularities be handled and at what levels? The process should preferably be integrated into or the same as the process you normally use when dealing with irregularities in the organization.
  3. Protection; how should the whistleblower be protected in the process?
  4. Administrator; appoint appropriate dedicated staff, external resource, or a combination, to receive and handle incoming cases. Here it is important to appoint impartial people with sufficient resources, knowledge and mandate, preferably at least 2 people.
  5. Report channel; procure and implement at least one technical reporting system that can be easily integrated into the existing IT environment. The system must be secure, comply with the GDPR, be easy to use and have only the functionality that is really needed. Investigative material and other sensitive information should preferably be handled and stored outside the reporting system if this is open to the Internet, which should be for sufficient accessibility and anonymity. NOTE! An e-mail address for the administrator is not a secure reporting channel! A telephone number can be a good complement but is not in itself a sufficient reporting channel.
  6. Information; all concerned must be informed in a clear manner about how and where irregularities are reported and how cases are handled.
  7. Follow-up; report channel and processes should be evaluated annually and adjusted as necessary. Received cases should be regularly anonymized, compiled and evaluated in the management team.

Feel free to contact us if you need support and advice when setting up your whistleblower system, the technical solution is only part of it all.