The year 2025 has been a period of intensive work for our team on exceptionally diverse legal compliance projects. We have had the pleasure of supporting organizations from various industries — from industrial manufacturing, through the financial services sector, to technology companies and e-commerce. Each of these projects brought unique challenges and valuable experiences, while confirming that regardless of industry specifics, the fundamental principles of building an effective compliance system remain universal.

Over the past year, we have completed projects including comprehensive compliance management system implementations, due diligence audits for M&A transactions, organizational adaptation to new regulatory requirements, anti-corruption program development, and compliance culture transformations in rapidly growing companies. Each of these projects has provided us with knowledge that we wish to share with a broader audience.

This case study presents one of our projects completed in the manufacturing sector — a comprehensive compliance transformation in a medium-sized enterprise that faced the necessity of fundamentally restructuring its approach to legal compliance. We selected this case due to its representativeness of the challenges faced by many manufacturing companies, as well as the spectacular results achieved. We hope that this analysis will provide practical knowledge and inspiration for organizations facing similar challenges.

Industry Context

The manufacturing sector is characterized by a particularly extensive regulatory environment, resulting from the specificity of operations encompassing technological processes, employment of significant numbers of workers, environmental impact, and participation in complex supply chains. Manufacturing enterprises must simultaneously meet requirements in the areas of labor law and worker safety, environmental protection and waste management, personal data protection, tax and customs regulations, quality standards and industry certifications, as well as product safety regulations.

Additionally, companies cooperating with international corporations or exporting their products must meet increasingly stringent compliance requirements imposed by business partners through supplier audits. Failure to meet these requirements can result in the loss of key contracts, regardless of the quality of products offered or price competitiveness.

Starting Point — Situation Diagnosis

Circumstances of Problem Discovery

The impetus for taking action in the compliance area was a series of events that quickly made management aware of the scale of neglect in legal compliance. The first warning signal was an inspection by the National Labor Inspectorate, which revealed numerous irregularities in employee documentation, working time records, and fulfillment of occupational health and safety obligations. The administrative penalties imposed as a result, although financially painful, proved to be just the tip of the iceberg.

Almost simultaneously, the company underwent a supplier audit conducted by a key automotive sector client. The audit results were devastating — the organization did not meet basic compliance requirements expected from suppliers, resulting in suspension of cooperation and loss of a long-standing contract. This final signal ultimately convinced management that fragmentary corrective actions would not suffice and a fundamental change in approach to legal compliance was necessary.

Identified Areas of Non-Compliance

A preliminary legal review commissioned by management revealed systemic deficiencies in almost all key areas of operation. Below is a detailed characterization of identified problems in individual regulatory domains.

Personal Data Protection

In the area of personal data protection, the absence of a designated Data Protection Officer was noted, despite the scale and nature of data processing clearly indicating such an obligation. Records of processing activities were incomplete or entirely outdated, and information clauses used for employees, job candidates, and contractors did not meet GDPR requirements. Particularly concerning was the lack of any procedures for exercising the rights of data subjects and mechanisms for reporting data protection breaches.

Occupational Health and Safety

Health and safety documentation required thorough updating. Occupational risk assessments did not account for changes introduced in production processes in recent years, including the implementation of new machines and technologies. The health and safety training system operated chaotically — some employees had expired periodic training, and workstation training documentation was incomplete. A site inspection of production halls also revealed irregularities in hazardous zone marking and deficiencies in personal protective equipment at workstations.

Environmental Regulations

Environmental compliance analysis revealed exceedances of permissible air pollutant emission standards, resulting from the operation of outdated filtration equipment. Water permits required updating in connection with changes in technological processes. Industrial waste management was conducted unsystematically — there was no complete waste registry, and contracts with collectors did not always cover all categories of generated waste.

Labor Law and Employee Relations

In the area of labor law, irregularities were found in working time records, particularly concerning overtime and night work accounting. Work regulations and remuneration regulations had not been updated for many years and did not reflect the current legal status or actual practices applied in the organization. Some employees did not have current medical examinations, and the system for referring employees to periodic examinations operated reactively, without advance planning.

Anti-Corruption Compliance and Business Ethics

The organization lacked formalized procedures for vetting contractors for corruption and reputational risks. Procurement processes, although in practice conducted properly, were not documented in a manner ensuring full transparency and auditability. There was also no code of ethics or channels enabling employees to report irregularities confidentially and safely.

Compliance System Implementation Strategy

Transformation Program Assumptions

Management, aware of the scale of the challenge, decided to implement a comprehensive compliance transformation program that went beyond ad hoc corrective actions. The assumption was adopted that the goal was not merely to eliminate identified irregularities, but to build a lasting legal compliance management system capable of proactively identifying and addressing regulatory risks in the future.

The program was based on several key principles. First, a holistic approach was adopted, assuming simultaneous addressing of all identified areas of non-compliance, rather than fragmentary patching of individual gaps. Second, it was recognized that lasting change requires not only the implementation of procedures and tools, but above all transformation of organizational culture and building compliance awareness at all levels of the organization. Third, it was decided to cooperate with external experts who would bring specialized knowledge and experience from similar projects.

Project Organizational Structure

To ensure appropriate priority and resources, the project received direct patronage from the CEO. A Steering Committee was established, comprising board members and directors of key operational departments. The Committee met monthly, monitoring progress and making strategic decisions.

Operational project management was entrusted to a newly created Compliance Officer position, filled by a person combining legal experience with knowledge of manufacturing industry specifics. The Compliance Officer received broad authority and direct access to management, emphasizing the importance of the compliance function in the organization. Coordinators in individual departments were designated to support the Compliance Officer, creating a network of compliance ambassadors permeating the entire organizational structure.

Schedule and Project Phases

The transformation program was spread over eighteen months, divided into four main phases, each with defined objectives, deliverables, and milestones.

Phase One: Comprehensive Audit and Diagnosis (Months 1-3)

The first phase focused on gaining an in-depth understanding of the organization’s current state. A detailed legal audit was conducted covering all areas of operation, analysis of internal documentation, and review of contracts with key contractors. Simultaneously, business process mapping was conducted to identify points of contact with legal regulations and potential sources of risk. An important element of this phase was also interviews and surveys with employees at various levels, allowing understanding of actual organizational practices, often diverging from formal procedures.

Phase Two: Compliance System Design (Months 4-7)

Based on audit results, work began on designing the target compliance management system. A comprehensive Compliance Policy was developed defining the objectives, principles, and structure of the system, as well as a Code of Ethics formulating the values and standards of conduct expected of all employees. For each identified risk area, detailed operational procedures were created, specifying responsibilities, processes, and control mechanisms. A whistleblowing system was also designed, enabling employees to report potential violations confidentially and with protection against retaliation.

Phase Three: Implementation and Training (Months 8-14)

The implementation phase encompassed formal deployment of all developed documents and procedures, combined with an intensive training program. Training was differentiated according to target groups — from general awareness training for all employees, through specialized workshops for management, to in-depth sessions for those performing key roles in the compliance system. Simultaneously, contracts with contractors were updated, introducing compliance clauses and standards expected from business partners.

Phase Four: Monitoring and Certification (Months 15-18)

The final phase focused on consolidating implemented changes and confirming system effectiveness. Mechanisms for continuous monitoring of key compliance indicators were implemented, and a series of internal audits were conducted to verify compliance with procedures in practice. The culmination of the program was the certification process for the compliance management system in accordance with the international ISO 37301 standard, providing external confirmation of the maturity of the implemented system.

Program Implementation in Key Areas

Personal Data Protection System Transformation

Organizing the personal data protection area began with the appointment of a Data Protection Officer, selecting a person possessing both legal competencies and understanding of manufacturing processes. The DPO received organizational independence and direct access to senior management, in accordance with GDPR requirements.

A comprehensive inventory of all personal data processing activities in the organization was conducted, covering data of employees, contractors, customers, and visitors to the facility. On this basis, a complete Record of Processing Activities was developed, documenting purposes, legal bases, categories of data, and recipients for each process. All information clauses were updated, adapting their content and form to the specifics of individual groups of data subjects.

Procedures were implemented enabling effective exercise of data subject rights, including the right of access, rectification, erasure, and data portability. A mechanism for identifying and reporting data protection breaches was also created, including an escalation path, notification document templates, and a procedure for communicating with affected individuals. All changes were consolidated in the form of a comprehensive Personal Data Protection Policy, constituting the overarching document in this area.

Occupational Health and Safety System Modernization

The transformation of the health and safety area required combining documentation activities with actual changes in work organization and facility equipment. The starting point was a comprehensive update of occupational risk assessments for all workstations, conducted with the participation of employee representatives and with support from external safety experts. New risk assessments took into account both current technological processes and the specifics of individual machines and equipment operated at the facility.

The health and safety training system was thoroughly rebuilt, implementing an electronic training management platform that automatically monitors training validity dates and generates reminders with appropriate advance notice. New training programs were developed, adapted to the specifics of individual positions and taking into account actual hazards occurring in the work environment. Particular attention was paid to workstation training, which had previously been conducted superficially and poorly documented.

On production floors, a comprehensive review and modernization of safety signage was conducted, adapting it to current European standards. Missing personal protective equipment was purchased and a distribution and usage monitoring system was implemented. Monthly health and safety audits were also introduced, conducted by interdisciplinary teams including health and safety service representatives, management, and employees, with results regularly reported to the board.

Adaptation to Environmental Requirements

Achieving environmental compliance required significant investments in both technical infrastructure and management systems. Exhaust gas treatment installations were modernized, replacing outdated filters with modern solutions meeting current emission standards. A continuous emission monitoring system was installed, automatically recording parameters and generating reports required by environmental authorities.

New environmental permits were obtained, taking into account the current scope and nature of operations conducted. This process required detailed inventory of all emission sources and environmental impacts, as well as preparation of comprehensive technical documentation. Water permits were also updated, adapting them to actual water demand and volumes of industrial wastewater generated.

Waste management was thoroughly reorganized, introducing a source segregation system that allows for precise recording and optimal management of individual waste fractions. Cooperation was established with certified waste collectors, obtaining full documentation confirming lawful processing or disposal of all categories of generated waste. An electronic waste registry system was implemented, integrated with the BDO database.

Organizing Employee Relations

In the area of labor law, the fundamental change was the implementation of an electronic working time recording system, integrated with the facility access control system. The new system eliminates the risk of errors and manipulation in records, automatically recording actual working time and generating alerts in cases of exceeding working time standards or improper overtime accounting. Management received tools for ongoing monitoring of employee workload, enabling proactive working time management.

A comprehensive update of work regulations and remuneration regulations was conducted, adapting them to the current legal status and actual practices applied in the organization. This process included consultations with employee representatives and took their demands into account where possible and appropriate. Updated regulations were communicated to employees in an accessible manner, using information meetings and educational materials.

A proactive medical examination management system was implemented, which identifies in advance employees approaching the end of examination validity and automatically initiates the process of referring them for periodic examinations. All backlogs in examinations were addressed, and for newly hired employees, a rigorous procedure was introduced for verifying current examinations before admission to work.

Prevention of Workplace Bullying and Discrimination

An essential element of transformation in the area of employee relations was the implementation of comprehensive procedures for preventing workplace bullying and discrimination. Previously, the organization had no formalized mechanisms in this regard, which exposed it both to legal risks arising from employer liability and to negative consequences for work atmosphere and employee engagement.

An Anti-Bullying and Discrimination Policy was developed and implemented, clearly defining prohibited behaviors, indicating examples of situations that may constitute bullying or discrimination, and unequivocally communicating the employer’s position — zero tolerance for any form of improper treatment of employees. The policy covers all legally protected grounds, including gender, age, disability, race, nationality, political beliefs, union membership, ethnic origin, religion, sexual orientation, and form of employment.

An Anti-Bullying Committee was established, comprising representatives from various departments and an external labor law expert, ensuring impartiality and professionalism in reviewing reports. A detailed procedure for reporting and reviewing complaints was developed, guaranteeing confidentiality, protection of reporters against retaliation, and thorough investigation of each case within defined timeframes.

The training program covered all employees, with particular emphasis on management, who received in-depth workshops on recognizing warning signs, properly responding to reports, and building a work environment free from inappropriate behavior. Training was practical in nature, utilizing case studies and situational scenarios relevant to manufacturing facility realities.

Preventive mechanisms were also introduced, including regular organizational climate surveys, anonymous questionnaires regarding team relations, and periodic meetings between HR departments and employees from individual areas. The purpose of these activities is early identification of potential problems and intervention before conflict situations escalate.

Building Compliance Culture and Business Ethics

Lasting change in approach to legal compliance requires not only the implementation of procedures, but above all building awareness and attitudes among employees. A Code of Ethics was developed and implemented, formulating the fundamental values of the organization and standards of conduct expected of all employees, regardless of position held. The Code was developed with the participation of representatives from various departments and levels of the organization, increasing its authenticity and acceptance.

A whistleblowing system was implemented, enabling employees to report potential violations confidentially and safely. The system includes both an electronic channel and the possibility of telephone and written reports, with all reports handled by the Compliance Officer with the highest standards of confidentiality. A zero-tolerance policy was introduced for retaliation against persons reporting irregularities in good faith.

Contractor vetting procedures were formalized, introducing mandatory compliance risk assessment before establishing cooperation with new business partners. The procedure includes verification of the entity’s legal status, checking in sanctions registers, and analysis of potential corruption and reputational risks. For high-risk contractors, enhanced due diligence and periodic reviews during the course of cooperation were introduced.

Transformation Results

Operational and Financial Dimension

The implementation of the compliance system brought measurable operational and financial benefits, significantly exceeding the expenditures incurred. The most direct effect was the complete elimination of administrative penalties, which before the program implementation constituted a significant budget burden. A systematic approach to legal compliance now allows for proactive addressing of potential risks before they transform into violations resulting in sanctions.

In the area of workplace safety, a dramatic decrease in the number of accidents was recorded, which translated into a reduction in costs associated with sick leave, compensation, and increased insurance premiums. The improvement in health and safety indicators was also noticed by insurers, who reduced premiums in recognition of the preventive measures implemented and the systematic approach to risk management.

A particularly significant result was the recovery of a lost contract with a key automotive sector client. After successfully passing a repeat supplier audit, cooperation was resumed, and the company gained preferred supplier status, opening the door to expanding the scope of cooperation. The ISO 37301 certificate additionally became an asset in tender processes, enabling participation in proceedings where confirmed compliance standards are a necessary condition.

Organizational Culture Transformation

Equally important as the measurable financial benefits were the changes in organizational culture. Surveys conducted among employees showed a radical increase in awareness of the importance of compliance and business ethics. While before the program implementation only a small portion of employees were able to correctly define the concept of compliance and indicate its significance for the organization, after the transformation was completed, the vast majority of staff declares understanding and acceptance of legal compliance requirements.

A particularly positive signal is the active use of the whistleblowing system by employees. Incoming reports mostly concern minor issues and potential improvements, which indicates that the system is treated as an organizational improvement tool rather than a punitive mechanism. Middle management, initially skeptical of additional obligations arising from the compliance system, over time came to appreciate the benefits in the form of clear rules and reduced risk of personal liability.

Market Position and Reputation

The implementation of an advanced compliance system positively influenced the company’s perception by key stakeholders. Corporate clients, especially those subject to their own rigorous compliance requirements, appreciate the opportunity to cooperate with a supplier meeting the highest standards of legal compliance and business ethics. This translates into greater stability of business relationships and preferential treatment in situations requiring choice between suppliers.

The company also gained recognition as a socially responsible organization, which supports recruitment processes and employer branding. In an industry where competition for skilled workers is intense, the reputation of a company that cares about workplace safety and respect for employee rights is a significant argument in the eyes of potential candidates. The organization was also recognized in industry rankings of responsible business, which further strengthened its market position.

Conclusions and Recommendations

Key Success Factors

Analysis of the transformation carried out allows identification of factors that contributed most to the program’s success. Senior management engagement was of fundamental importance, expressed not only in resource allocation but above all in the CEO’s personal participation at key project moments. Visible board engagement effectively communicated to the entire organization that compliance is a strategic priority, not just another initiative that will be abandoned after a few months.

Equally important was the adoption of a holistic approach, assuming simultaneous addressing of all areas of non-compliance. Fragmentary corrective actions focusing on individual problems would not only be less effective but could even deepen employee frustration with constant changes and new requirements. A comprehensive program, although more demanding at the planning and implementation stage, allowed for achieving synergy effects and lasting change in the organization’s way of functioning.

A key element of success was also transparent communication with employees at all stages of the project. Employees were informed about program objectives, work progress, and expected results. Their concerns and doubts were heard and addressed, and suggestions were taken into account where possible. This approach built a sense of ownership toward the implemented changes and reduced natural resistance to new procedures and requirements.

Lessons for the Future

The experiences from the transformation program provide valuable lessons for other organizations facing similar challenges. Above all, it is not worth waiting to build a compliance system until problems become acute. The costs of preventive actions are many times lower than the costs of remedying violations, and reputational damage resulting from publicized irregularities can be difficult to reverse.

It is also important to understand that compliance is not a one-time project but an ongoing process requiring constant attention and resources. The regulatory environment is constantly evolving, new requirements and standards emerge, and the organization itself changes over time. The compliance system must be capable of adapting to these changes, which requires regular reviews, procedure updates, and continuous improvement of the competencies of the team responsible for compliance.

Finally, it should be remembered that even the best-designed procedures will not work without appropriate organizational culture. Investment in building employee awareness and attitudes is equally important as investment in systems and documentation. An organization in which compliance is perceived as a shared responsibility of all employees, rather than exclusively the legal or compliance department, is significantly more resistant to regulatory risks.

Recommendations for Manufacturing Enterprises

Based on this case study, the following recommendations can be formulated for manufacturing enterprises intending to strengthen their compliance systems:

• Conducting a preventive compliance audit, even in the absence of signals of significant problems, allows identification of gaps before they transform into violations resulting in sanctions.
• Designating a dedicated person responsible for compliance, even in smaller organizations, ensures consistency of actions and continuity of compliance monitoring.
• Investing in training and building employee awareness is the foundation of a lasting compliance culture, without which even the best procedures remain dead letter.
• Using technology to automate compliance processes reduces the risk of human error and frees resources for higher value-added activities.
• Regular reviews and updates of the compliance system in response to changing regulations and business practices ensure its currency and effectiveness.

* * *

This case study illustrates that investment in legal compliance, although requiring significant time and resource expenditure, brings measurable benefits exceeding the costs incurred. In a business environment characterized by growing regulatory complexity and increasing stakeholder expectations, a systematic approach to legal compliance ceases to be an option and becomes a necessary condition for the lasting success of a manufacturing enterprise.