The GDPR implications of using WhatsApp for business

More and more businesses are using WhatsApp as a means of communicating internally or externally with their clients for instantaneous encrypted communication.

Whilst the intention to communicate from a seemingly secure platform is to be commended, it is worthy of note that when used for business purposes this could constitute a breach of GDPR.

Upon downloading WhatsApp you will be asked to give the app permission to access ALL the contacts in your phone’s directory, in order to allow WhatsApp to list your contacts that are also using the App. Upon agreeing to this you also give WhatsApp permission to upload ALL of your phone’s contacts to their servers.

The implications of GDPR become a factor from the moment you allow this, because WhatsApp will be processing the personal contact information you have provided, regardless of whether your contacts have the app or not.

You as a business could be allowing WhatsApp to hold and process the personal information of hundreds of subjects on every mobile device currently being used within your business right now.

With your contacts list holding information such as a data subjects full name, phone number, business name, email address, and domestic address; these are all clear examples of identifying characteristics for a data subject.

Now the really crucial area that businesses need to consider when deciding whether they continue to use WhatsApp in their business is this statement from WhatsApp’s own terms and conditions:

“Legal And Acceptable Use. You will not use (or assist others in using) our Services in ways that: (f) involve any non-personal use of our Services unless otherwise authorized by us.”

This disclaimer clearly seeks to disassociate WhatsApp from any legal ramifications that could come from the way they process and hold sensitive data. What a business needs to consider is if they should continue to use the app for business use when there are heavy question marks over compliance with GDPR, and the very fact WhatsApp forbids any use of the app for non-personal reasons.

Every business has been made aware of the potential fines associated for GDPR breaches. With this most recent risk of breach in mind, then a simple exercise of maths can be employed to assess the potential risks to your own business. Multiply the number of contacts in your own phone’s directory, then minus the number of people that currently use WhatsApp. Then multiply that number by the amount of people within your business using WhatsApp to communicate internally or with your clients or suppliers.

To give an example of a recent client who we helped secure their internal communications network; Their sales director had 614 contacts in their phone’s directory, with 323 of those contacts having WhatsApp. Leaving 291 contacts who did not have the application who now have their personal information being stored on the WhatsApp servers. Our client had 17 people within the business using WhatsApp for external and internal communication. To give a worst case scenario we multiplied 291 by 17 to illustrate that they have now 4,997 potential cases of GDPR breach by using WhatsApp as a business communication tool.

This figure of 4,997 is the worst case scenario for the potential risk to them as a GDPR breach. But if we couch this in actual terms, just 1 breach of GDPR proved by the ICO could mean a fine of £176,000 for this client who turned over £4.4M last year.

We are currently offering free consultations to any business looking to strengthen the security of their communications and decrease their risk of a GDPR breach.

We have 10 years experience of helping companies to protect their information security and IP.

Let us help you to protect your business in the same way today.

Kind regards,
The Serbus Team