Enterprise messaging in the GDPR era


by Jorge Cabaleiro | WhatsApp is one of the most widely used messaging and personal communication apps in the world and, sometimes, people are so used to communicating through this application that it ends up being used for enterprise communications as well.

At the beginning of this month Continental banned the use of WhatsApp and Snapchat on its company phones, a move that Deutsche Bank had already put into practice in early 2017. Both Continental and Deutsche Bank were worried about data protection and compliance with the GDPR. But how does this European law affect WhatsApp (and other similar communication apps)?


Key facts

The GDPR (General Data Protection Regulation) has been a hot topic for companies over the last few months, and rightfully so: it is a simple regulation in concept but very complicated to comply with in every detail.

What you should know about this regulation is that it applies to every company based in the EU and to any enterprise, wherever it is located, that collects and processes the data of EU residents. That means the regulation applies not only to businesses located in Europe but to businesses anywhere in the world that offer goods or services to EU users. Note as well that the GDPR affects not only collectors of data (controllers) but also processors of user data, with fines of up to 4% of annual worldwide turnover or 20 million €, whichever is higher.

This new European regulation comes with a number of changes and requirements for data handling and processing:


  • Consent: clear, specific and explicit consent is required from each person for the processing and storage of their personal data. Companies must be able to prove that consent was given, and the person can withdraw it at any time (opt-in, opt-out). Companies must also explain what they will use the data they gather for.
  • Right of access: the right of users to know what personal data about them is being stored and how it is being processed. On request, the user can obtain a digital copy of the data being stored and processed.
  • Right to be forgotten: the right of the end user to have the data controller erase their personal data, and to have the third parties the enterprise collaborates with stop processing that data.
  • Transfer of data: transfers of personal data to third countries outside the EU are restricted. These restrictions are meant to ensure that GDPR rights continue to be met once the data leaves the EU.


What happens with WhatsApp?

From a GDPR point of view, WhatsApp raises several critical issues. The main worry is that WhatsApp uploads the user's whole address book, including the names, phone numbers and email addresses of the contacts. It is not clear for what purpose this data is stored or how WhatsApp itself processes it. Because of this, a few problems arise:

  • Consent: the end user allowed your enterprise to process and handle their personal data, but they do not know how WhatsApp handles it. That means there is no consent to transfer their personal information to this third party.
  • Right of access: this is a critical issue, as the end user cannot know what data WhatsApp stores about them, cannot access it and cannot obtain a copy of it.
  • Right to be forgotten: under the GDPR the end user must have the option of having their data erased. Once the contacts have been exported to WhatsApp's servers, it is not possible to enforce this right. Contacts can also be exported to the desktop client, which means even less control over the storage and erasure of personal data.
  • Transfer of data: issues can arise from transferring personal information to a country outside the EU. Data, files and messages can be shared without limitation and without leaving a trace, which means it is impossible to know where that information might end up.

As a result, it is clear that using WhatsApp for enterprise communications raises several GDPR compliance problems. Businesses should therefore deploy a secure, professional enterprise communication tool in order to comply with the new EU regulation and avoid fines.

The Quobis portfolio includes Sippo collaborator, a complete UC solution fully compliant with GDPR. In upcoming posts we will explain how Sippo collaborator achieves GDPR compliance.