What on earth is Whistleblowing Directive?

Whistleblowing solution

Granite Whistleblow is a service, which enables organizations to provide a channel that protects the whistleblower’s identity, i.e. a whistleblowing channel for exposing and handling abuses. Thanks to the product development for the Whistleblow reporting channel, the dialogue between the anonymous whistleblower and the abuse report handler is also successful even after the report has been made.

Background of the Whistleblowing Directive

Whistleblower means a person who exposes the illegal or unethical activities of a private or public organization – either by bringing the matter to the attention of a superior or another entity internally, or by reporting the matter to a supervisory authority or even directly to the media.

Thomas Drake

For example, a whistleblowing case can be brought against Thomas Drake, an employee of the US National Security Agency NSA, who in the mid-2000s found out that the agency was violating the privacy of millions of Americans without any legal justification. Drake brought the misconduct to the attention of higher decision-making bodies through appropriate internal reporting channels, but it ultimately did not lead to any follow-up measures. Drake’s identity was also revealed in the same hiccup within the agency, after which he faced significant discrimination at his workplace. He started to be moved out of projects, his responsibilities were taken away from him and he was generally rejected. In the end, Drake then released the documents to the press that were not classified. Well, he was charged with treason anyway. Although the court case was ultimately unsuccessful, Drake’s civil service career was completely over, along with other unpleasant mild phenomena.

Edward Snowden

Another even more famous whistleblower case coincidentally also originates from the NSA. Edward Snowden leaked secret documents to the press in 2013, which revealed the NSA’s truly extensive international spying program, which also targeted officials and politicians of other countries. After his leak, Snowden took and fled from the United States, and after various stages, he later received asylum in Russia, where he is currently staying. In the United States, he would face espionage and treason charges and possibly life imprisonment. There are quite a lot of these historical, well-known cases, especially in the United States. Additional examples include the Pentagon Papers, Watergate and the more recent Chelsea Manning case. On the private side, for example, consider Enron’s accounting crimes, which were also traced after an employee handed over company information to the authorities.

Whistleblowing cases in Europe

Despite the focus on America, there are known whistleblowing cases in Europe as well. For example, when an employee of Swedish Bofors revealed the company’s illegal arms deals in 1984. In addition, there have been several whistleblowing cases in the institutions of the European Union over the years. Common to all these cases, however, is that in those cases where a Whistleblower has been identified, the consequences for the person in question have not been pleasant in any way. Even in the mildest cases, the whistleblower’s career and position in their community have come to an end. However, since exposing these abuses is in the public and general interest, it has become a matter of will to improve the protection of whistleblowers and their identity. Until now, legislation protecting whistleblowers in Finland and elsewhere in Europe has been rather incomplete and fragmented, but with the new EU whistleblower directive approved in October 2019, this will clearly change.

Who does the new directive apply to?

The new whistleblower directive will enter into force after the transition period in 2021, and requires all companies employing more than 50 people or municipalities with 10,000 inhabitants to organize a notification and investigation line that meets the requirements of the directive for reports of abuse. The directive also applies to companies with a turnover of more than 10,000,000 million. The directive sets requirements for the protection of the anonymity of the person reporting abuse, and sets deadlines for processing abuse reports. The directive protects the whistleblower from countermeasures even in the event that his identity is revealed in some way.

Why is Granite Whistleblow necessary?

Granite is a domestic risk management software company that produces tools that secure business continuity based on the Saas principle. Our solutions mainly focus on the development of risk management, occupational safety and cyber security, under which whistleblowing and abuse reports can also be read. Granite has developed the reporting channel required by the EU directive to protect whistleblowers. Granite’s abuse reporting service Granite Whistleblow includes a safe reporting channel for abuse reports and an investigation base. In addition, the Granite Whistleblow service enables a conversation between the person responsible for the investigation of misconduct and the whistleblower without endangering the whistleblower’s anonymity. That is, the whole whistleblowing process naturally begins when someone in the organization recognizes misconduct – illegal, illegal, unethical or otherwise unacceptable activity. After this, the person goes to Granite’s Whistleblow abuse notification service via a link on the intranet or, for example, a QR code on the premises. After opening the link, an electronic whistleblowing notification form opens for the notifier, where he can record the information about the abuse he has observed. Of course, the informant’s information is not asked, but when the report is sent, the informant is given an identifier, with which he can later complete the information of the abuse report, read the response given by the handler, and have a chat conversation with the handler of the report to further clarify the matter.


In order to illustrate the process, an imaginary situation is discussed at the same time, where the treasurer of Ankkalinna’s sewing club uses the association’s funds to participate in karaoke tournaments. Martta, a member of the association, accidentally hears the treasurer telling her friend that she sometimes \”borrows\” money from the association for the participation fee of karaoke tournaments, if there is no money in her current account at that time. The treasurer says right after that he will pay the money back whenever he remembers.

Blowing the whistle

Martta is bothered by this vague use of the association’s funds, and later she reads the QR code in the association’s break room on her phone, which takes her directly to the whistleblowing abuse notification form implemented on Granite. Martta writes in the form that she suspects the treasurer is using the association’s funds for her own personal expenses and sends it on. In connection with the transmission, Martta receives an identifier with which she can later view the abuse report she sent. Martta saves the tag on her phone. In Granite, this report is automatically directed to the right party, where the right people will investigate and process the report of abuse. During the entire investigation process, the person making the report can use the identifier to exchange messages with the person handling the report and help with the investigation.

Providing additional information

With the help of the messaging feature, the handler can request additional information from the author of the report, as well as confirm to the author the receipt of the abuse report and the start of processing. In practice, this message exchange works on the same operating principle as various internet messenger services – although in this case the other party does not appear under his own name or even a nickname.

Notification to the employee

In Ankkalinna, Jamppa, a board member of the sewing club, is responsible for reacting to possible reports of abuse. Now Jamppa gets a notification in his e-mail about a new abuse report that Martta made to the system. By clicking on the link included in the e-mail, after logging in, he will be able to read the report of misconduct regarding the club’s treasurer. At first, Jamppa doesn’t want to believe what happened, because he has known the treasurer for a long time, and considers him a reliable Ankkalinna resident. Jamppa opens a chat window, confirms receipt of the report and asks the person making the report how the suspected misconduct of the fund manager came to light.

Providing additional information

Later, Martta logs into the abuse notification form using the identifier and notices Jampa’s question appearing in the chat window. Martta estimates that she can tell without risking her anonymity that she overheard when the treasurer told another person about the use of the association’s funds for karaoke tournament participation fees.

Recording of procedures

Ankkalinna Jamppa registers two actions in the abuse report, for which other board members are appointed as responsible persons. He asks one to go through the club’s account statements for the past 12 months, and the other to talk to the treasurer about the situation. Both persons responsible for the procedures receive information about the procedure they are responsible for in their e-mails, and through the link they can read the description of the procedure after logging in, and mark it as complete when they have completed the procedure. When the processing of the report is completed, the handler records the results of the investigation in Granite and sets the answer for the person making the report to read. With the completion of the measures specified by Jampa, it becomes clear that the treasurer has indeed sometimes borrowed the association’s money for his own expenses. In most cases, he has later paid them back, but as it turned out when going through the bank statements, he also “forgot” to pay back a couple of times. As a result of the discussion, the treasurer will be moved aside from his duties, and the matter will be discussed further at an extraordinary board meeting. Jamppa also writes a reply to the author of the notification in the notification template, which tells about the completion of the processing and its results. Martta, whose identity is not known by Jamppa or anyone else involved in the processing, reads the answer later and is happy that the matter has been resolved.


Through RaportointiGranite, people in positions of responsibility can monitor and report whether all reports of abuse have been responded to appropriately and according to the deadlines. At the end of the year, Jampa’s task is to report on the handling of abuse reports at the board meeting. With the help of Granite’s reporting features, this really doesn’t take long, but with just a couple of clicks, the system produces a report with illustrative graphs on abuse reports, their final results and processing times. The Granite Whistleblow abuse reporting service is an easy-to-implement, but comprehensive solution to meet the requirements of the EU whistleblowing directive’s reporting channel. Its whistleblower protection features encourage your staff to address abuse they detect, while providing handlers with powerful tools to properly process reports within the directive’s deadlines.