Should you allow your employees to use WhatsApp for work related correspondence? The GDPR WhatsApp saga demonstrates that the popular messaging apps are not always compliant when it comes to data protection. And it’s worth considering how using them can put your business at risk too.

Why was WhatsApp not GDPR compliant?

In 2021, WhatsApp, the international messaging app owned by Meta (Formerly Facebook), was fined £193 million by Ireland’s data watchdog for breaching privacy regulations. At the time it was the largest fine ever to be imposed by the Irish Data Protection Commision and the second-highest under the new EU GDPR rules.

The investigation into WhatsApp’s compliance problems began back in 2018. The question was about whether WhatsApp has been transparent enough about the way they handle the information of their users. This investigation was of particular interest to messaging companies that are used for both personal and professional use.

The main issue that regulators had with WhatsApp was the lack of information they provided to users about how their data was stored and processed. Regulators found that WhatsApp’s privacy policies were not clear enough.

Similar complaints have been leveled at other major companies in recent years too. For example, in July 2021, regulator’s Luxembourg fined Amazon €746m for non-compliance with data-processing laws. Indeed, today it is clear that regulators are clamping down on the misuse and improper storage of data.

Commenting at the time, a WhatsApp company spokesperson said, “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

Using WhatsApp for work

So, should you allow your employees to use WhatsApp for work related correspondence?

While many of your employees will use the standard WhatsApp Messenger App, they should probably switch to using the WhatsApp Business version for any communication related to company operations.

WhatsApp Business is a version of WhatsApp that is marketed towards small to medium-sized businesses. It is a much safer option than the standard app, especially if you are concerned with GDPR compliance. Unlike the standard WhatsApp, the WhatsApp Business version does not ask for access to the users’ contact list. This simple difference makes the app more compliant with data protection standards.

There is still concern from legal experts about how suitable WhatsApp Business is for proper business communication. Especially when the communication involves sensitive personal data. Today many businesses avoid WhatsApp altogether and opt for more tailored team-chat apps like Slack, Google Chat, Troop Messenger or Microsoft Teams.

Data protection and messaging apps in the workplace

This whole GDPR WhatsApp saga gives employers plenty to think about when it comes to data protection and messaging apps in the workplace. While WhatsApp and Facebook Messenger might be popular ways for colleagues to communicate they also present security and privacy challenges for organizations.

The GDPR aims to protect the data and privacy of people in the UK, EU and European Economic Area, as well as any data that is transferred to countries outside of these areas.

Employees using WhatsApp to conduct business related correspondence can unwittingly fall foul of the GDPR. For example, if conversations and documents are shared via WhatsApp this information will be stored in one of Facebook’s data centers. Although WhatsApp provides end-to-end encryption, this does not automatically cover backups or chat exports. According to the GDPR if a datacenter was breached, liability would fall on the business whose data was leaked.

The GDPR has seven clear data protection principles that all companies would do well to observe. These principles are:

• Lawfulness, fairness and transparency – use data lawfully and be transparent with people and the businesses you work alongside.
• Purpose limitation – be clear about how and why your business collects personal data.
• Data minimization – only collect data if you intend to use it for a specific purpose.
• Accuracy –  ensure the data your business processes is accurate and stored appropriately.
• Storage limitation – don’t keep data forever. Set a period when it’ll be deleted.
• Integrity and confidentiality – store data securely to prevent “accidental loss, destruction or damage”.
• Accountability –  establish, record and communicate data protection policies.

If you consider all of these principles when deciding on your policy regarding messaging apps in the workplace you will give yourself the best chance to be both effective and compliant.

Making the most of your company phone

If you’re thinking about the best messaging service to use within your organization you may also be thinking about how to supply your employees with the best smartphones.

Read up on smartphone protection

• Is private use allowed on a work phone?
• Mobile Device Management: Why choose Apple hardware?
• Huawei data privacy concerns

At Everphone we provide “device as a service,” – a sustainable, user-friendly concept for providing employees with the latest smartphones, tablets, and laptops. Whether Apple or Android – we procure, configure, and ship them directly to your employees. It is the ideal solution for convenient and affordable workplace communication.