[Update Sept 2021 - WhatsApp issued second-largest GDPR fine of €225m]

Below are articles, guides and resources on the subject of WhatsApp and the challenges it faces around compliance with all sorts of regulation when it comes to business and professional use (which, in any case, is against WhatsApp's own legal terms of use).

1. WhatsApp and GDPR compliance

The main reasons that WhatsApp is not compliant with GDPR privacy regulation are:

  • Lack of explicit consent 1 - you can be added to a WhatsApp group without your explicit consent. Only very recently WhatsApp added the ability for you to prevent specific users from doing this but this option is not enabled by default.
  • Lack of explicit consent 2 - your contacts can upload your data to WhatsApp/Facebook if they give access to their contacts/address book and you are in it, even though you have not given consent.
  • Lack of ability to delete information - after a certain time you cannot delete content you have posted to WhatsApp.
  • Lack of ability to get your own data back (SAR - Subject Acccess Request) - WhatsApp cannot provide you with messages you have posted only your profile info.
  • Your data transferred outside the EU zone - it is not very clear where exactly WhatsApp/Facebook move your data.

Articles/resources covering this:

2. WhatsApp and proper record keeping of business conversations

Depending on the jurisdiction, and industry sector, businesses have varying degrees of legal obligation to keep a record of conversations that their employees, suppliers or other stakeholder have with them in case there are legal challenges or other problems whereby they need to provide a record of these conversations.

Clearly with WhatsApp there is no such record of conversations so businesses risk failing in their legal obligations.

Articles/resources covering this:

3. WhatsApp and corporate governance

Businesses also have legal obligations around protecting their employees and ensuring adequate levels of oversight, governance and control e.g. to protect against bullying in the workplace, harassment or inappropriate behaviours. Businesses also need to protect and adequately control access to sensitive commercial information.

With WhatsApp businesses do not even know what groups exist, let alone who is in them, or whether former employees or contractors still have access to corporate information that they should not.

Furthermore businesses cannot delete messages which might be inappropriate or damaging. And even if a business admin removes a member from a WhatsApp group they cannot revoke access to the content, which might be commercially sensitive, unless the user deletes that content manually him/herself.

Articles/resources covering this:

4. WhatsApp and safeguarding

WhatsApp's terms of use say that it should not be used by those under 16 years of age though it is hard to see this enforced in practice in any meaningful way. Safeguarding requirements also extend beyond children to young people and vulnerable adults.

The problem with WhatsApp is that admins, or hosts, of messaging groups cannot moderate or delete the contributions of others even if those messages created safeguarding issues.

Articles/resources covering this:

Join Guild 🤝

See for yourself how the Guild experience is different to WhatsApp, Slack, LinkedIn or Facebook Groups.

Guild is a safe space to connect, communicate and collaborate with others.

Join us on a platform that is purpose-built for creating groups, communities and networks on mobile.

Contact us if you want to know more or have any questions.