With over 1.5 billion users worldwide, WhatsApp is the most popular and widely used messaging service. Its pervasiveness is not only evident within social networks, but in workplaces as well. Of late, businesses have also been embracing WhatsApp as their primary communication tool, thanks to its useful features such as group messaging, live location sharing, and verified accounts for businesses.
Companies, however, that have Bring Your Own Device (BYOD), Choose Your Own Device (CYOD), or Company Owner/Personally Enabled (COPE) policies must also be prepared for the fact that WhatsApp might be installed on these mobile devices. Such a scenario can be a compliance nightmare for organizations in the age of General Data Protection Regulation (GDPR), as this regulation implements a plethora of data privacy rules that impact the use of messaging tools such as WhatsApp at work.
To realize the use of WhatsApp for business, especially for customer service purposes, companies can implement several steps, all while staying compliant with data privacy regulations of GDPR.
- Reaching Customers Through WhatsApp
If prospective customers reach you through SMS, email, voice call, contact form on your website – every channel except WhatsApp, then you are not allowed to reach them through WhatsApp unless they provided an explicit opt-in.
This is in accordance with Article 6.1 and 7.2 of GDPR which states that organizations should have a lawful basis for processing any personal data and that data subjects have the right to demonstrate their consent for the processing of their personal data.
If the customer reaches your business directly through WhatsApp, it’s a clear sign of “affirmative action” as per Article 4.11, and that you have obtained their consent to process their personal data.
- Engaging Customers Whose Contact Details Are from Other Parties
If you got a prospective customer’s contact details from another party, do not reach out to them on WhatsApp – unless they have given consent to the other party about this.
If they have given their mobile number without an explicit consent that they can be reached through WhatsApp, you can send them one chat saying that you can also reach them through WhatsApp and that you will delete their contact details after the message.
A positive response from them will start a new conversation and is a “clear affirmative action” that you can communicate with them through WhatsApp.
- Adding Customers to Group Chat
If you want the customers to join a certain group chat, you cannot just add them to the group. The rationale behind this is that members in the group chat can see each other’s details, such as their phone numbers.
Rather, it’s best to send them a group invitation link so they can decide to join the group by themselves, thus providing their explicit consent at the same time.
- Right to Know About Data Storage
While the matter of where the data is stored is an issue for WhatsApp, your employees are still storing the encrypted WhatsApp data, at least, on their phones. But regardless if that data is in the device or you are using a WhatsApp archiving solution, you are obliged to inform your customer about the following points regarding data storage:
- The personnel liable for data protection at your organization
- The purpose of the storing of the information.
- The legal basis for storing data
- The data retention period
- Their rights to have their personal data deleted.
- Right to Access and Deletion of Archived Communications
The Right of Access and Right to Erasure are two of the fundamental data subject’s rights under GDPR. Satisfying these two rights, however, can be extremely challenging with WhatsApp, as it deletes the messages once the recipient goes online. Retaining WhatsApp communications can also be tricky since it uses end-to-end encryption to protect the messages from being intercepted.
There are, however, next-generation enterprise mobile archiving solutions designed specifically to capture and archive WhatsApp data.
To achieve compliance with GDPR’s data subject’s rights to access and rights to erasure when using WhatsApp, your organization must have a system in place that can capture and record WhatsApp communications. This will eliminate the reliance with the WhatsApp server’s capability to retain chats and instead will give your organization the capability it needs to meet the data protection and archiving requirements of GDPR.
With TeleMessage, organizations in and outside of the EU can make WhatsApp GDPR compliant through real-time and secure communications archiving. The TeleMessage’s WhatsApp Business Archiver is a unique platform tailor-made to solve WhatsApp compliance and regulation issues by allowing firms to capture and archive WhatsApp chats and calls.This platform works exactly like the standard WhatsApp application, ensuring that your employees will still be able to send work-related communications easily and quickly.
The benefits of using WhatsApp Business Archiver in your business include:
- Archive all WhatsApp communications
- Use WhatsApp to communicate with customers, employees, and stakeholders
- Search, track and retrieve WhatsApp messages in the corporate archive
- Deposit WhatsApp messages with any email archiving vendor
- Full administration and reporting
The TeleMessage WhatsApp Business Archiver is the latest addition to our mobile archiving products that securely capture content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving methods, you can always find the right tools or blend for your requirements:
Visit our website at www.telemessage.com to learn more about how our mobile archiving products can help your organization maintain compliance with government text archiving regulations.
