Note: This article has been updated to reflect that WhatsApp now states it is GDPR-compliant; see the update further down in this article.
The General Data Protection Regulation (GDPR) is a far-reaching regulation that has been a concern for organizations both inside and outside the EU for over a year now. Yet, while most companies' preparation has been years in the making, many have not considered its impact on a common but often overlooked employee practice: using consumer-grade messaging apps, especially WhatsApp, for work.
The use of WhatsApp in enterprises has been on the rise, but after the large security breach that its owner, Facebook, suffered in 2018, EU regulators concluded that this popular messaging app warranted additional compliance oversight. The incident has also added momentum to a movement by some of the largest companies in the EU, including Deutsche Bank and Continental, to ban WhatsApp in the workplace.
Banning WhatsApp is certainly an option for organizations, but a ban is neither sufficient nor effective if employees do not actually comply with the policy. In this infographic, we discuss potential solutions to the key compliance issues with WhatsApp that also meet the data protection requirements of GDPR.
Problem 1: Transfer of User’s Contact List to WhatsApp
The primary reason WhatsApp is deemed non-compliant with GDPR is that it prompts the user to upload their entire contact list to WhatsApp when the user shares a contact through the app's Contact feature.
This means that a company that uses the app to communicate with an EU customer risks non-compliance if any of its employees uploads an address book containing that customer's contact information (including email addresses and phone numbers) to WhatsApp. Such an upload is a specific violation, because companies must fully inform their customers about how their personal data is handled (the right to be informed, often called the Right to Know).
How to Solve This WhatsApp GDPR Problem? Use an MDM or EMM Solution
The most viable solution is to deploy a mobile device management (MDM) or enterprise mobility management (EMM) solution on employees' devices. Such a solution allows a separate business address book to be created, in which employees add the contact details of customers and colleagues, and it prevents the app from accessing the user's personal address book. For that restriction to hold, WhatsApp itself must be installed as a managed app inside the work container; an unmanaged personal copy of the app can still read the personal address book.
This method is not a full guarantee that a customer's personal information will never be uploaded to WhatsApp, particularly when the customer initiates the contact first. It is therefore also important to publish a notice on all of your customer-facing platforms stating that customers who choose to reach you via WhatsApp consent to WhatsApp accessing their contact information. Keep in mind that consent under GDPR must be freely given, specific, informed and unambiguous, so the notice should explain what data WhatsApp receives and what it does with it rather than merely assert consent.
Problem 2: Transfer of Personal Data to U.S. Servers
WhatsApp forwards and processes users' data in the U.S., which conflicts with the GDPR provisions (Chapter V) that restrict organizations from transferring or storing personal data outside the EU unless specific conditions are met.
What Does This Mean?
This means that if both the company and its customer reside in the EU, WhatsApp processes the data in Ireland, and no international data transfer occurs. For cases where data is transferred to the U.S., WhatsApp states that it “may rely on the European Commission’s adequacy decisions about certain countries, as applicable, for data transfers from the European Economic Area to the United States and other countries.” Note that an adequacy decision can be invalidated (the Court of Justice of the EU struck down the EU-U.S. Privacy Shield decision in July 2020), so organizations should check which transfer mechanism WhatsApp relies on at the time.
Problem 3: Right to Access and Right to be Forgotten
WhatsApp only stores messages on its servers while the recipient is offline and deletes them from the server once they are delivered. This complicates an organization's ability to comply with the right of access and the right to be forgotten (right to erasure) under GDPR.
It also means that if the organization needs to hand over all of a customer's data to another service (the right to data portability), it cannot do so using WhatsApp alone.
Update: WhatsApp's Position on GDPR Compliance
According to WhatsApp.com, both WhatsApp and WhatsApp Business are now GDPR-compliant for their intended purposes. WhatsApp's article explains that the WhatsApp Business user is the controller of the contacts in their address book and, as the controller, must have a legal basis for processing those contacts' data.
The Article 6 legal bases WhatsApp cites include contractual necessity, legitimate interest, and consent. WhatsApp acts as the processor of the information and commits to providing the assistance a firm reasonably needs to meet its GDPR obligations, so that a company using WhatsApp Business can respond to requests from data subjects exercising their rights under GDPR.
This update reflects WhatsApp's published position as of October 2020.
How to Solve This? Use a WhatsApp GDPR Archiving Solution
To ensure that your organization can comply with the right of access and right to be forgotten rules, it is important to have a system in place that captures and records WhatsApp messages. This removes the reliance on WhatsApp's servers, which do not retain delivered chats, and gives your organization the capability it needs to meet the archiving requirements of GDPR. Companies that rely on WhatsApp without the ability to record communications themselves will struggle to monitor employee communications and to comply with those requirements.
With TeleMessage, organizations inside and outside the EU can comply with GDPR requirements for archiving text messages. TeleMessage's WhatsApp Archiver is a platform tailor-made to solve WhatsApp compliance and regulatory issues by allowing firms to capture and archive WhatsApp messages, including conversations in group messaging threads. The platform works exactly like the standard WhatsApp application, so employees can still send work-related communications easily and quickly.
The benefits of using WhatsApp Archiver in your business include:
- Archive all WhatsApp communications that fall under GDPR
- Use WhatsApp to communicate with customers, employees, and stakeholders
- Search, track and retrieve WhatsApp messages in the corporate archive
- Deposit WhatsApp messages with any email archiving vendor
- Full administration and reporting
The TeleMessage WhatsApp Archiver is the latest addition to our mobile archiving products that securely capture content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving methods, you can always find the right tools or blend for your requirements: