25 September 2020

Five Reasons you should not use WhatsApp in your business

As a business, it is very convenient to use WhatsApp to communicate with your staff and to allow staff teams to communicate with each other. But could this easy and flexible communication tool land you in hot water?

In short, the answer is yes. Let’s look at some of the reasons why.

Lawful basis for processing

You need to consider the implications of data protection laws like the GDPR and the Data Protection Act 2018. As a data controller, it is your responsibility to limit the use of data to the purposes for which it has been provided. If you didn’t mention using WhatsApp to your staff, or indeed your customers, when you collected their contact details, then you need to check with them before you take the decision to add them to your WhatsApp group. They may well object to this, as WhatsApp is not very secure and information can be forwarded without the data controller being in control.

Unwarranted disclosure of personal data

If you set up a WhatsApp group for communication, this discloses the mobile numbers and profile pictures of every member to all the other members of the group. Your staff may well not want any other staff members to see their mobile numbers. This could lead to cases of harassment or bullying. The disclosure of customers’ numbers to other customers is pretty unthinkable and will cause complaints to the ICO about you, and you will probably lose business.

Compliance with subject access requests

Data subjects have a right to receive a copy of their data along with other statutory information. The data controller, in this case your organisation, only has one month to respond to any request for access to personal data. A lack of central auditability in WhatsApp makes it difficult for you to easily collate the information required. If your senior staff have been setting up WhatsApp groups for the convenience of running their teams, your business may have many WhatsApp groups that you don’t even know about!

Data breach potential

It is very simple for any member of a WhatsApp group to forward on any message they see in the group. This can be to any number in their contact list. This leaves no record in the group itself, and it is a way of losing control of your company data very quickly. If it is personal information that is forwarded on to people who have no business seeing it, then it becomes a data breach. Depending on the nature of the personal information, this could land your company in a lot of trouble.

Transparency & accountability

You are required, as a data controller, to be responsible in the way you are implementing and using technology that processes personal information. If you allow the use of WhatsApp by staff, have you gone through all the steps needed to comply with data protection laws?

You will need to consider and document the following:

  • Undertake a Data Protection Impact Assessment (DPIA)
  • Can you ensure the security of the information?
  • Have you considered the principle of privacy by design when you implemented WhatsApp?
  • Do you have access control to group personal data to ensure there is privacy by default?
  • How will you delete personal information from any and all group chats if an individual requests deletion?
  • Can you manage and control the retention of group chat data?
  • You will need to determine a lawful basis for using personal information in a WhatsApp implementation.
  • You will need to create a privacy notice for all users of WhatsApp by your staff or customers.
  • You will need to create a policy or incorporate WhatsApp use into an existing policy.

This is not an exhaustive list of considerations, but it is certainly a minimum.

Does your firm need our specialist support? Call us to start the conversation on 029 2000 2339 or email contact@iolis-legal.com

© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems