WhatsApp – is it GDPR & business compliant?

1. WhatsApp and GDPR compliance

The main reasons that WhatsApp is not compliant with GDPR privacy regulation are:

  • Lack of explicit consent 1 – you can be added to a WhatsApp group without your explicit consent. Only very recently did WhatsApp add the ability to prevent specific users from doing this, and the option is not enabled by default.
  • Lack of explicit consent 2 – your contacts can upload your data to WhatsApp/Facebook if they grant access to their contacts/address book and you are in it, even though you have not given consent.
  • Lack of ability to delete information – after a certain time you cannot delete content you have posted to WhatsApp.
  • Lack of ability to get your own data back (SAR – Subject Access Request) – WhatsApp cannot provide you with the messages you have posted, only your profile information.
  • Your data is transferred outside the EU zone – it is not very clear where exactly WhatsApp/Facebook move your data.

Articles/resources covering this:

2. WhatsApp and proper record keeping of business conversations

Depending on the jurisdiction and industry sector, businesses have varying degrees of legal obligation to keep a record of the conversations that their employees, suppliers or other stakeholders have with them, in case there are legal challenges or other problems for which they need to produce a record of those conversations.

Clearly, with WhatsApp there is no such record of conversations, so businesses risk failing in their legal obligations.

Articles/resources covering this:

3. WhatsApp and corporate governance

Businesses also have legal obligations around protecting their employees and ensuring adequate levels of oversight, governance and control, e.g. to protect against bullying in the workplace, harassment or inappropriate behaviours. Businesses also need to protect and adequately control access to sensitive commercial information.

With WhatsApp businesses do not even know what groups exist, let alone who is in them, or whether former employees or contractors still have access to corporate information that they should not.

Furthermore, businesses cannot delete messages which might be inappropriate or damaging. And even if a business admin removes a member from a WhatsApp group, they cannot revoke access to the content, which might be commercially sensitive, unless the user deletes that content manually him/herself.

Source: Guild

More than a technological solution, we are a strategic decision for organisations.

Our mission is to redefine the relationship between companies and cybersecurity, and the user experience in the process of authentication and access to technological assets.