GDPR and WhatsApp: What you need to know
As a business owner, you might have heard about or used WhatsApp on a company phone. It is one of the most popular messaging apps around the globe and has a huge number of users.
Companies have now gone through some changes that affect their privacy policy. In European Union countries for example, the GDPR (General Data Protection Regulation) regulates how personal data can be processed by companies since 2018.
WhatsApp transfers data to Meta/Facebook
In January 2021, WhatsApp updated its terms of service and privacy policy to introduce a new feature that shares user data with Facebook, even if users do not have a Facebook account. This change was initially planned for February 8th but was postponed for three months due to user feedback about the policy update.
WhatsApp privacy policy after 2021
The biggest concern about WhatsApp’s new privacy policy is that it shares personal data such as phone numbers and account activity with Facebook. According to the GDPR rules that apply to WhatsApp:
- The personal data you provide must be gathered for specific purposes, and it must not be used in a way that is incompatible with those purposes.
- Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the initial purposes.
- However, the processing of personal data from business contacts (and the data transfer to Facebook servers is a process in this sense) needs written consent from all contacts listed in the address book of the business cell phone.
WhatsApp on a company phone: MDM software vs. container apps
Thankfully, there is a solution: company and private data can be kept separate on company phones. This can be achieved with a container app or with MDM software.
There is a big difference between container apps and MDM software, and it’s important that you understand the difference to choose the best option for your business.
MDM software
Mobile Device Management software serves as the simplest way to set up a Bring-Your-Own-Device (BYOD) policy in companies. Mobile Device Management (MDM) software, such as AirWatch, Microsoft Intune, or MobileIron, allows employees to install their applications on a mobile device without any restrictions. It’s a good idea to ensure that BYOD legal aspects are covered.
It allows employees to use the same phone for business and personal purposes. It does this by creating two separate workspaces on the device, one for business and the other for private use. This may be similar to what container apps do, but MDM software also gives other benefits such as allowing remote access to install security apps and updates, or even wipe the device if it’s lost or stolen.
Container apps
Using WhatsApp on a company phone? Let’s chat about container apps. A container app is a technology that holds an application along with its configuration files, preferences, and information within a defined space on a device.
As containerization is a standard feature of MDM software, it is usually advisable to opt for an MDM solution. MDMs offer numerous additional functions in comparison with a mere container app.
Because of these data protection problems, WhatsApp is forbidden on a company cell phone. Let’s take a look at why that is.
WhatsApp and mobile malware
The first and most obvious reason you shouldn’t use WhatsApp on a company phone is that it’s meant for personal use. It was never built with companies and their data privacy needs in mind. It was created to allow friends, family, and loved ones to share personal messages, photos, videos, audio clips, and other information.
Why is this a problem? WhatsApp isn’t particularly secure, and just using it on your company phone could open the door to all kinds of malicious activity and problems unless you have other security measures and virus protection on the phones.
Have you ever received one of those chain messages that your kids may have warned you about? They usually come with a fake link to a fake app store. As an enterprise messaging solution, WhatsApp is thus susceptible to many of the same vulnerabilities that plague regular text messaging.
WhatsApp discourages business use of its app
The WhatsApp company, which Facebook (now known as Meta) bought in 2014, has strict rules about how its users should use the app. The company is clear that your employer may not approve the use of its app on company-issued devices and advises that you should not install the app if this is the case.
It would violate your company’s security policy and put it at risk for a data breach. In addition to these specific warnings about using WhatsApp on a company phone, there are several other reasons why employers might discourage their employees from doing so.
WhatsApp is not GDPR-compliant
You might already know the General Data Protection Regulation (GDPR) rules. But here’s a quick refresher. The GDPR is an EU regulation that protects the personal data of all citizens, whether it’s collected inside or outside of Europe.
The regulation applies to any organization that deals with such data, regardless of its location or business type. As per Article 4(1) and Recital 26 of the GDPR, “personal data” means any information relating to an identified or identifiable natural person.
This information can include the name, email address, phone number, identification numbers, cookies, etc. It can even be physical characteristics like your height and weight.
If you possess ANY data related to a European citizen (or anyone else), you must comply with the GDPR. As per Article 5(1)(b), personal data must be processed in a way that ensures appropriate security. In practice, this means that you must keep all personal data secure and not share it with unauthorized parties.
Final thoughts
WhatsApp on a company phone is not a good choice for business communications. If you are a business and you use WhatsApp, it behooves you to be aware of the risks above and take steps to mitigate them.
It isn’t easy, but it is possible, even if you don’t have access to cloud backups or the ability to control your devices remotely. The first step is to educate your employees about these issues so that they make smart decisions with their work devices and data.