Just having WhatsApp installed could be a GDPR breach

8 October 2018  |  Laurent Guyot

WhatsApp has revolutionised the way we communicate with friends and family. Although not designed for business usage, WhatsApp’s popularity has also meant it has become a principal communication channel for staff and clients, particularly in the absence of a suitable alternative.

Much to the horror of IT and compliance departments, WhatsApp is now a firmly entrenched “shadow IT” system operating beyond the expected corporate controls, leaving most firms no choice but to ban usage of the app for work. However, are these measures too little too late if your staff have already installed the app and accepted the terms? The answer depends heavily on the contacts your staff have on their device and the consent those contacts have provided.

1. Did you get consent from all contacts to share details / transfer to WhatsApp?

Problems begin when the app is installed and the user grants it permission to access all of the contacts on the device. This is a key feature of WhatsApp: it relies on synchronising your contacts to populate the app’s contact list so you know who is a WhatsApp user, thereby making it easy to start a chat.

The exponential growth of WhatsApp (over 65 billion messages are sent each day) is in large part thanks to this core feature. However, by accepting this transfer of private data to US-based servers, users also expose all of their contacts’ details (both personal and professional) without obtaining each contact’s explicit permission for their data to be used or processed.

Consent is the first rule under GDPR. Nor can companies comply with GDPR requests for information or the right to be forgotten, as they ultimately do not have control over the data once it is held by WhatsApp.

2. Does GDPR distinguish between a personal phone and one that is supplied by the company?

Not really; what matters is how the device is used.

The good news is that if you are the owner of the device and it is only used privately, GDPR Article 2 paragraph 2(c) provides an exemption: the “Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”.

The risks of data breaches and the responsibility of businesses (of any size) increase significantly when WhatsApp is installed on either a personal phone used for professional purposes (BYOD) or one which is supplied by the company. If, for example, an employee stores a business (or client) contact on either a private or a company phone, then the business may be committing a data breach, as the data is transferred to WhatsApp without the consent the GDPR requires.

In June 2018, Continental Tyres banned its employees from using WhatsApp and Snapchat on their work phones due to concerns over the recently introduced European General Data Protection Regulation, and said in a statement: "In the company's opinion, these services have deficiencies when it comes to data protection, as they access a user's personal and potentially confidential data such as contacts, and thus the information of third parties who are not involved. In the case of WhatsApp, access to the contact list cannot be restricted. The responsibility for complying with data-protection laws is therefore shifted onto the users of this app. The risks this poses in terms of data protection are not ones the company is willing to take."

For businesses large and small to remain safe and compliant, WhatsApp installation and use should be prevented to the extent possible, and certainly on phones supplied by the company.

3. Our company allows BYOD. Can I separate contacts between personal and professional?

Yes. Apple (iOS 11.3 onwards) and Android Enterprise now provide the possibility to separate personal and business contacts to cater for employees’ own devices being used for work (BYOD), as is increasingly the case. Apple now differentiates between apps that are managed by the Mobile Device Management (MDM) system and those that are not, and can therefore prevent business contacts from being uploaded to WhatsApp.

4. Is the company safe with a containment of contacts and an MDM service?

100% compliance cannot be ensured. A staff member’s private contact book may already contain business or customer contacts (which would need to be deleted or transferred to the separate business contact book), they could still add contacts to the private address book on their device, and customers or business partners could also contact staff via WhatsApp.

That said, the separation of contacts is already an important step for businesses which rely on staff using their personal devices. At this stage, offering a true alternative to connect staff, clients and partners (internally and externally) which is secure and compliant is key. This is the premise of Qwil.

5. But WhatsApp states it is now GDPR compliant?

WhatsApp’s own business may well be, and so may the private user under the Article 2 exemption (see question 2), but not your company when it uses the app. Ahead of the 25th May 2018 deadline, Facebook (the parent company of WhatsApp) created an Irish entity, WhatsApp Inc, for EU-based users to ensure compliance of its services.

The privacy policy has been updated to outline users’ rights and access to data under GDPR, but it also reflects the sharing of information with internal and external partners; data transferred, stored and processed outside Europe (i.e. in the US); and, as this is a legal agreement, the exclusion of under-16s from the service.

WhatsApp now complies with GDPR in its use of its own private users’ data. This is very different from being a compliant tool for another company to use with its own clients. A company needs to be able to obtain consent from all users on its own terms of use.

6. What about Enterprise collaboration tools? Slack for example?

Collaboration tools have greatly increased the efficiency of the internal workforce, replacing email for internal communications (although still leaving a gap when having to communicate externally). However, cloud solutions such as Slack have their servers located in the US, raising concerns with regard to data protection and GDPR compliance when confidential information on clients is discussed and their data is transferred and stored outside Europe without their explicit consent. The importance of local cloud hosting has been discussed in one of our past blogs.

7. What steps should I be taking for my company?

1. Install a secure chat alternative to be used as the main communication channel both internally and externally (with clients). This channel has to be equivalent in both look and feel and functionality (refer to our blog Why is WhatsApp being used for business purposes?).

2. Agree the terms of usage of each communication channel.

3. If your company supplies mobile phones, prohibit the installation of WhatsApp and ensure all professional communications are made on the company device in line with policy.

4. If your company has a BYOD (Bring Your Own Device) policy, install an MDM tool and segregate private and business contact books. Ensure the contact books are correct as per company policy.

8. How is Qwil different? How can it help businesses be compliant and be the business alternative to WhatsApp?

Qwil solves the challenge of making chat safe and compliant when it matters most: between staff, clients and partners. Qwil looks and feels like your favourite social chat app but below the surface, Qwil involves deep technical complexity to meet the demands of enterprise.

A branded, multi-tenant app – one common platform for Businesses to Clients (B2C)
Unlike any other chat platform, Qwil allows users (staff, clients and partners) to engage with multiple organisations via a single app. Users can effortlessly switch between the various brands without compromising confidentiality and on a common platform.

Pre-defined contact lists – no access to users’ phone contacts
A user’s contact list on Qwil is managed by the company. Each user’s list can be tailored to create dedicated contact points between clients, partners and representatives that align with the organisation’s coverage and servicing models. Qwil never accesses your users’ phone books.

Invitation only access – everyone is who they say they are
To gain access, a user must be invited by each company. This approach is an important security aspect of the platform as every user account is created by the company with whom they can engage using verified identity information. There is no self-provisioning.

Regulatory compliance – you own your data and host it wherever required
Achieve regulatory compliance via our multi-jurisdictional hosting options: hold your clients’ private data wherever you need it, in as many locations as required (e.g. UK, France, Germany, Singapore, Australia), with recording, auditing and full data controls. Every user consents to both Qwil’s and your terms of use (i.e. no transfer, storage or processing outside of your control – even notifications to devices carry only non-sensitive information).

Enterprise-grade security – BYOD out of the box
Every aspect of our platform has been designed to meet the most stringent security requirements of the world's largest regulated firms. Our measures include:

• Two-factor authentication (2FA) for every user, on every device.
• End-to-end data encryption both in-flight and at rest.
• Users only have access to the features and functions they are entitled to, and we fully audit every system action, including read receipts for each message sent.
• Data containerisation on staff mobile devices (BYOD friendly out of the box) and network access restrictions to only allow staff access from authorised workstations.

Find out more at qwilmessenger.com.

© Copyright 2024 Network Platform Technologies Limited ("Qwil") 5 St John's Lane, EC1M 4BH, London, United Kingdom - All rights reserved.