How messaging apps are creating a GDPR privacy nightmare

Written by Ross McCaw, founder and CEO of OurPeople

In the workplace, instant messaging apps such as WhatsApp and Facebook Messenger are a popular way to keep up-to-date with colleagues and employers on a daily basis.

However, while quick communication platforms provide ample convenience, they have serious drawbacks.

Companies often assume they’re suitable for business communication due to encryption, but that’s not actually the case. There are major implications around security and privacy that both employers and employees need to be aware of. What are they, and how can they be overcome?

GDPR compliance

One of the biggest issues with using popular messaging apps for business communication is whether they are compliant with the General Data Protection Regulation (GDPR). Having come into effect in May 2018, this law not only aims to protect the data and privacy of people living in the UK, EU and European Economic Area but also data that is transferred to countries outside these areas.

A lot of people aren’t aware of the risks of using social media applications for communication within a business. Whether it’s just engaging in conversations with colleagues or sharing work documents via these apps, the way employers and staff communicate here can actually violate GDPR rules because they don’t have control of where their data goes.

Using WhatsApp as an example, it offers users encryption. However, all conversations and documents are still stored in one of Facebook’s datacentres. What if one of these datacentres were to be breached? Under GDPR, liability falls onto the business whose data has been leaked. And while WhatsApp provides end-to-end encryption, this doesn’t cover backups or chat exports by default.

There are other important questions that businesses and employees should ask themselves if they’re using one of these apps. For instance, what if an employee leaves a company but still has access to a Whatsapp chat or group? Or what happens when a business shares employee phone numbers without their permission?

Having worked with a number of organisations across a range of industries, we’ve learnt that this is a major issue for employers. One company, which manages staff across 50 UK-wide leisure facilities, ran into a number of problems when groups were being created for different departments. In many instances, people who had left the company could still access these groups. They could do whatever they wanted with messages, files and personal phone numbers.

Sharing personal details such as the phone numbers of workers without permission, because they’re just added into groups by employers, can be another big problem. People don’t have the right to be forgotten as they can’t control or edit where this data sits. It’s stored in a third-party, and there’s no way you can revoke access. WhatsApp warns:
“Please remember that when you delete your account, it does not affect the information other users have relating to you, such as their copy of the messages you sent them.”

WhatsApp also accesses all the phone numbers in a user’s address book, which presents a serious privacy issue. The firm states in its user terms: “You provide us, all in accordance with applicable laws, the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts.”

How to regain control

I’d say 80% of the people we’ve spoken to don’t understand that using these apps poses a huge risk to their business. Unless employers wake up to the threats here, they risk the repercussions of hefty GDPR fines and lost confidence from staff. If you run a business, you’re probably wondering how you can regain control and ultimately ensure compliance with GDPR. Here are some tips.

1.To start the journey towards GDPR compliance, understanding how this legislation works and affects your business is important. Whether it’s human resources, customer services, marketing or IT, most areas of your business handle data on a daily basis and therefore must be GDPR compliant. There are both legal and technical aspects to consider, which are detailed on the ISO website.

2. In particular, you should learn and understand the seven data protection principles as set out by GDPR:

  • Lawfulness, fairness and transparency – you should use data lawfully and be transparent with people.
  • Purpose limitation – you must be clear about why and how your business collects personal data.
  • Data minimisation – your business should only collect data if it actually intends on using it for a specific purpose. Less is better.
  • Accuracy – you need to ensure that the data your business processes is accurate and stored in an appropriate manner.
  • Storage limitation – you shouldn’t keep data forever and set a period when it’ll be deleted.
  • Integrity and confidentiality – you must store data securely to prevent “accidental loss, destruction or damage”.
  • Accountability – you need to establish, record and communicate data protection policies. This is paramount to proving compliance.

3. You need to understand that using non-compliant messaging apps can be dangerous.  Ask yourself: Are you using a manner to disperse company information you don’t have control of?

Systems audits will help you identify any applications that could potentially violate GDPR. You need to find which communication channels (Whatsapp, Facebook Messenger, text message groups and more) are being used both internally and externally. If you discover something that could be non-GDPR compliant, you must find a safer alternative.

4. Whether it’s writing blogs or holding company-wide workshops, making your workforce aware of issues around GDPR and the implications if their data got into the wrong hands is important too . People understandably want to have information delivered to them easily and conveniently, but they also want this to be done in a manner that protects their data and privacy.

5. Over time, things change. So once you’ve implemented and established data protection policies, you’ll need to conduct regular audits. Policies could become outdated and your business will put itself at risk of data breaches without these.

Regardless of the industry you operate in, as a business, getting things right when it comes to security and privacy is crucial. GDPR came into force to protect people, and any employer has a duty to protect their staff.

Hungry for more?

Understand how OurPeople works for your people.

Request a demo