WhatsApp and the GDPR: Steps required

26 May, 2018

The new EU General Data Protection Regulation, the GDPR, has now finally come into force. Despite month-long preparations, there are still many unanswered questions. Such as: does WhatsApp, the popular messaging service, comply with the GDPR in a business environment?

WhatsApp is the absolute market leader among the messaging apps. The software application has around 1.5 billion users worldwide. In Germany, one in two people uses WhatsApp every day – and not just for personal use. Owing to its omnipresence in day-to-day communications, the messaging service is also used for business communications and data transmission, not just between colleagues but also with external business partners. However, experts believe that this infringes the GDPR, as does the purely personal use of WhatsApp on a company smartphone.

WhatsApp transmits personal data

The problem here is that WhatsApp needs access to the list of contacts on the smartphone and transmits every phone number stored there to the US company’s server. And not only that: despite WhatsApp’s end-to-end encryption, it is also where customer data ends up when colleagues share it via the service.
But the GDPR requires that these data subjects must give their explicit consent every time their personal data is used. And they must be informed about what happens with their data. This, however, is impossible for a company if it does not know how WhatsApp uses this data. And WhatsApp is planning to share user data such as the user’s own phone number with its parent company Facebook and third parties. Only contact details, at least, will not be passed on.

According to the US company, the only way for users to prevent data disclosure is to delete their account and the app.

The alternatives: Enterprise Mobility Management and other apps

But is this really the only solution? Owing to WhatsApp’s popularity, deletion would be a significant curtailment for employees using their devices privately. Enterprise Mobility Management (EMM) constitutes an alternative. It either uses container solutions, which keep private and business data strictly separate from each other, or under iOS, the “Managed Contacts” feature is used to ensure that privately installed apps do not have access to business contacts. And it is advisable for businesses to install an EMM anyway if they wish to align mobile working with the GDPR – read more about this here.

Teamwire – Enterprise messaging tool

In addition, there are some solutions on the market that represent an alternative to WhatsApp. They do not pass on any data and focus on corporate use, for example Teamwire. Teamwire complies with all European and German data protection regulations and is therefore acceptable for communications and sharing data.

Whether using an EMM or an alternative app, companies are well advised to rethink their use of services like WhatsApp following the introduction of the GDPR.

If you have any questions on this subject, please feel free to contact us.