Our helpdesk often asks us if WhatsApp Business is a suitable way to stay in touch with colleagues and customers and what one should consider before using such a communication channel. How do we, as Audittrail, look at this matter?
To start with, organizations use WhatsApp differently. This is because it depends on what WhatsApp is used for and whether it is a work phone that can be used privately or a work phone that is only meant for business use. In addition, WhatsApp itself may be used, or there may be an API between WhatsApp and other software. In general, we would not recommend using WhatsApp Business for several reasons. And those reasons have everything to do with the privacy and information security risks involved. Here are a few questions and risks to consider:
Is there a processor agreement in place?
WhatsApp Business requires you to accept its terms of service (data processing agreement). This could be interpreted as a kind of processor agreement, but it's one you cannot change. So you will still have to accept many terms from WhatsApp. For example, they maintain the right to use and sell the data for their own purposes. Therefore, there is a significant privacy risk.
What about security?
As an organization, you may, in principle, 'hire' WhatsApp as a processor. You can probably formulate a purpose and processing basis for using WhatsApp for your business or communication. But you must also be able to take sufficient appropriate technological and organizational measures and ensure that the processor does not use the data for other purposes. Unfortunately, WhatsApp does not guarantee these things at the moment, whereas they would usually be done in a processor agreement. Because, as an organization, you are the processor, this also forms a privacy risk.
Where is the data stored, and is it secure?
Another question you should ask is where your data is stored and whether you are prepared to take additional measures if the data is stored outside the European Economic Area (EEA). This is because the European Union currently has no agreements regarding data processing with, for example, the United States. Meta, the parent company of WhatsApp, states in their terms of service that when using the service, the organization agrees that the data WhatsApp will collect, store and use will go to the United States and other countries worldwide "regardless of which country you use our Business Services in". In addition, the organization must accept that "the laws, regulations and standards in the country where your information is stored or processed may differ from those in your own country."
Can you still comply with data subjects' rights?
The GDPR lists several data subjects' rights, such as the right to inspect or the right to erase data. So data subjects have the right to see a copy of their data. The data controller has only one month to respond to a request to view the personal data. Due to a lack of central control in WhatsApp, it is difficult to collect the required information efficiently. For example, all employees can create group apps. Think, for example, of team leaders creating WhatsApp groups for running their team. As a privacy officer or security officer, monitoring all these groups is a big task. Giving complete insight is, therefore, an almost impossible task.
Are you willing to accept the risk of potential data leaks?
In practice, customer data and/or company information are often sent via WhatsApp. It is easy for any member of a WhatsApp group to forward a message. This can be done to any number in their contact list. This leaves no data in the group itself; therefore, WhatsApp ensures that you quickly lose control of your business data. If personal information is forwarded to people who have no connection to the data, this is a data breach. Depending on the nature of the personal information, this could put the organization in serious difficulties.
Using WhatsApp for business?
Although we have listed some of the risks above, you may decide to use WhatsApp as an organization. Or you may already be using it and no longer want to or can do without it. In this case, we recommend that you consider at least the following topics:
- Carry out a Data Protection Impact Assessment (DPIA).
- Assess whether there is a legitimate basis for using the personal information on WhatsApp.
- Establish frameworks for how you will use WhatsApp. What type of communication is done over WhatsApp, and do I accept this risk? In any event, do not send sensitive or unique data through this communication channel, but consider whether you would be willing to take the risk for messages without personal data.
- Properly record the considerations and operating agreements you make as an organization.
- Consider whether you can guarantee the security of the information.
- Take into account the principle of privacy by design when implementing WhatsApp.
- Establish rules for access control to group data to ensure privacy by default.
- Agree on how you can remove personal information from all group chats if a data subject exercises their data erasure rights.
- Investigate whether you can manage and control the retention of group chat data.
- Put the use of WhatsApp in a privacy statement.
- Create a policy on using WhatsApp or incorporate it into an existing policy.
In addition, it is recommended that you take the following measures:
1. Enable two-step verification;
2. Disable the blue checkmark;
3. Set the incognito mode on WhatsApp (this will prevent people from seeing your profile picture, your WhatsApp status and your "Last seen")
4. Turn off all unnecessary permissions (through your phone's settings)
5. Turn off the backup of WhatsApp conversations to the cloud.
What else should I do? Are there alternatives?
Of course, WhatsApp is not the only communication channel available. Some alternatives are more privacy-conscious.
Finally, my advice is to look for more privacy-friendly alternatives. Please refer to the following website:
https://www.securemessagingapps.com/