As a business, it is very convenient to use WhatsApp to communicate with your staff and to allow staff teams to communicate with each other. But could this easy and flexible communication tool land you in hot water?
In short, the answer is yes. Let’s look at some of the reasons why.
Lawful basis for processing
You need to consider the implications of data protection laws like the GDPR and the Data Protection Act 2018. As a data controller, it is your responsibility to limit the use of data for the purposes for which it has been provided. If you didn’t mention using WhatsApp to your staff, or indeed your customers, when you collected their contact details then you need to check with them before you take the decision to add them to your WhatsApp group. They may well object to this as WhatsApp is not very secure and information can be forwarded without the data controller being in control.
Unwarranted disclosure of personal data
If you set up a WhatsApp group for communication, this discloses the mobile numbers and profile pictures of every member to all the other members of the group. Your staff may well not want any other staff members to see their mobile numbers. This could lead to cases of harassment or bullying. The disclosure of customers’ numbers to other customers is pretty unthinkable and will cause complaints to the ICO about you, and you will probably lose business.
Compliance with subject access requests
Data subjects have a right to receive a copy of their data along with other statutory information. The data controller, in this case your organisation, only has one month to respond to any request for access to personal data. A lack of central auditability in WhatsApp makes it difficult for you to easily collate the information required. If your senior staff have been setting up WhatsApp groups for the convenience of running their teams, your business may have many WhatsApp groups that you don’t even know about!
Data breach potential
It is very simple for any member of a WhatsApp group to forward on any message they see in the group. This can be to any number in their contact list. This leaves no record in the group itself and this is a way of losing control of your company data very quickly. If it is personal information that is forwarded on to people who have no business seeing it, then it becomes a data breach. Depending on the nature of the personal information, this could land your company in a lot of trouble.
Transparency & accountability
You are required, as a data controller, to be responsible in the way you are implementing and using technology that processes personal information. If you allow the use of WhatsApp by staff, have you gone through all the steps needed to comply with data protection laws?
You will need to consider and document the following:
- Undertake a Data Protection Impact Assessment (DPIA)
- Can you ensure the security of the information?
- Have you considered the principle of privacy by design when you implemented WhatsApp?
- Do you have access control to group personal data to ensure there is privacy by default?
- How will you delete personal information from any and all group chats if an individual requests deletion?
- Can you manage and control the retention of group chat data?
- You will need to determine a lawful basis for using personal information in a WhatsApp implementation.
- You will need to create a privacy notice covering the use of WhatsApp by your staff or customers.
- You will need to create a policy or incorporate WhatsApp use into an existing policy.
This is not an exhaustive list of considerations, but it is certainly a minimum.
Does your firm need our specialist support? Call us to start the conversation on 029 2000 2339 or email firstname.lastname@example.org