WhatsApp - is it GDPR & business compliant?

[Update Sept 2021 - WhatsApp issued second-largest GDPR fine of €225m]

Below are articles, guides and resources on the subject of WhatsApp and the challenges it faces around compliance with all sorts of regulation when it comes to business and professional use (which, in any case, is against WhatsApp's own legal terms of use).

1. WhatsApp and GDPR compliance

The main reasons that WhatsApp is not compliant with GDPR privacy regulation are:

• Lack of explicit consent 1 - you can be added to a WhatsApp group without your explicit consent. Only very recently WhatsApp added the ability for you to prevent specific users from doing this but this option is not enabled by default.
• Lack of explicit consent 2 - your contacts can upload your data to WhatsApp/Facebook if they give access to their contacts/address book and you are in it, even though you have not given consent.
• Lack of ability to delete information - after a certain time you cannot delete content you have posted to WhatsApp.
• Lack of ability to get your own data back (SAR - Subject Acccess Request) - WhatsApp cannot provide you with messages you have posted only your profile info.
• Your data transferred outside the EU zone - it is not very clear where exactly WhatsApp/Facebook move your data.

Articles/resources covering this:

• The Irish Times:  Sports clubs and political parties advised not to use WhatsApp
• BCI (Business Continuity Institute):  Are WhatsApp and GDPR on a Collision Course?
• Lexology:  Do Sports Clubs' WhatsApp Groups Breach the GDPR?
• Guild:  Is WhatsApp in breach of the GDPR? A lawyer's view

2. WhatsApp and proper record keeping of business conversations

Depending on the jurisdiction, and industry sector, businesses have varying degrees of legal obligation to keep a record of conversations that their employees, suppliers or other stakeholder have with them in case there are legal challenges or other problems whereby they need to provide a record of these conversations.

Clearly with WhatsApp there is no such record of conversations so businesses risk failing in their legal obligations.

Articles/resources covering this:

• Financial Times:  JPMorgan Chase suspends credit trader for WhatsApp messages
• Bloomberg (video):  JPMorgan puts senior credit trader on leave over use of WhatsApp
• Business Matters:  Almost half of WhatsApp usage is illegal

3. WhatsApp and corporate governance

Businesses also have legal obligations around protecting their employees and ensuring adequate levels of oversight, governance and control e.g. to protect against bullying in the workplace, harassment or inappropriate behaviours. Businesses also need to protect and adequately control access to sensitive commercial information.

With WhatsApp businesses do not even know what groups exist, let alone who is in them, or whether former employees or contractors still have access to corporate information that they should not.

Furthermore businesses cannot delete messages which might be inappropriate or damaging. And even if a business admin removes a member from a WhatsApp group they cannot revoke access to the content, which might be commercially sensitive, unless the user deletes that content manually him/herself.

Articles/resources covering this:

• The Wall Street Journal:  Do Messaging Apps Fit Into the Workplace? Not Always Comfortably
• Silicon Republic:  Workplace WhatsApp usage still common despite privacy concerns
• Digital Doughnut:  4 Risks of Using Whatsapp for Work
• The Telegraph: Why your WhatsApp group chats may not be as private as you think

4. WhatsApp and safeguarding

WhatsApp's terms of use say that it should not be used by those under 16 years of age though it is hard to see this enforced in practice in any meaningful way. Safeguarding requirements also extend beyond children to young people and vulnerable adults.

The problem with WhatsApp is that admins, or hosts, of messaging groups cannot moderate or delete the contributions of others even if those messages created safeguarding issues.

Articles/resources covering this:

• BBC:  GAA tells clubs not to use WhatsApp amid concerns over 'unsuitable material'
• Safeguarding in Schools: Why schools shouldn't use Whatsapp

Join Guild 🤝

See for yourself how the Guild experience is different to WhatsApp, Slack, LinkedIn or Facebook Groups.

Guild is a safe space to connect, communicate and collaborate with others.

Join us on a platform that is purpose-built for creating groups, communities and networks on mobile.

• Just want to join some groups? Simply join Guild and then look through the discoverable groups and communities to find relevant ones to join
• Thinking of running your own community? With an elegant and simple to use, mobile-first UX you’ve got everything you need to start a community  - custom branding, analytics, group and user management and support.  Get started with your own community here with our free and paid options

Contact us if you want to know more or have any questions.