Instant Messaging (“Chat”) has become the most popular form of communication not only
replacing email in our private lives but highlighting the need for the same efficient and convenient
technology at work and to service clients. Due to its rapid adoption, tools such as WhatsApp have
been passively “accepted” (or worse, promoted) without appreciating the legal and regulatory risks
which the business has now taken.
Since we started our journey to make all business communications safe and client (with Qwil Messenger), there has been hundreds of articles covering the security risks and personal data usage (don’t forget WhatsApp is part of Facebook) but very few answering the simple question – what risks do I really have as an employer if my employees use WhatsApp? Note the same rules apply whether your business is a local bakery with 10 staff to large financial institutions with the need to control and monitor conversations on work approved channels. Our answers to 4 of the most common responses:
We usually respond by asking if the use of personal email would be acceptable internally
with colleagues and/or clients? It is up to the company to provide a safe and convenient alternative
and impose its policy on staff.
Fact is that there are higher risks for the business when communication channels are exposed to the outside world. In this case, the employer does not control the network from one end to the other, the same flaw of email or phone lines (anyone can email or call someone if they have the number). This opens up the possibility of fraud, hacking and phishing attempts which may impact clients, staff and the overall security of the company.
From a legal perspective, the company is at risks of data leakage, that documents and information are sent outside of the firm (willingly or not) without even knowing about it. This could also be a breach of privacy (and GDPR) with significant fines for the business.
That is correct. Employer’s cannot force staff members to hand over personal
devices even if they suspect inappropriate conduct.
Employers also cannot take any action against the staff member or fulfil their legal requirement to submit the evidence to employment tribunals.
Even with a clear mobile and messaging policy, a business cannot either ensure subject access requests and prompt access to chats and historical conversations are met (as there is no auditing or monitoring function). Failure to comply is the higher tier of GDPR fines for the company.
Yes and no. The good news is that if you are the owner of the device and it is only
used for private use,
GDPR Article 2 paragraph 2c
provides an exemption “Regulation does not apply to the processing of personal data by a natural
person in the course of a purely personal or household activity”.
Unfortunately the exemption does not apply to the employer. The regulatory risks (due to data breaches) and the responsibility of business increases significantly when WhatsApp is installed on either a personal phone when used for professional purposes (BYOD) or one which is supplied by the company. If, for example, an employee stores a business (or client) contact on either a private or company phone then the business may be committing a data breach as data is transferred to WhatsApp to the US without obtaining consent from each contact as outlined in the GDPR.
Larger businesses may install MDM (Mobile Device Management) software to separate professional and personal contacts, a step in the right direction but often a step too far for small businesses with no or limited IT support.
WhatsApp may say it meets GDPR and that it complies with its data usage of its own personal users. This is very different to being a compliant tool for another company to use with their own clients.
To ensure security you need (1) to know the identity of the participants and (2) that the
information is accurate and has not been modified.
Unfortunately, both Whatsapp or Telegram allow users to self-register to use the platforms – with the name of their choice and in most cases a mobile number and/or email linking them to their account. Each user can also invite any other users to chat and share content and this has opened up the door for hacking and impersonation (like phishing attempts on telephone lines). So effectively, none of the information is verified or can be trusted. This may be acceptable for social interaction, but not for businesses. Having these conversations encrypted (coded) from the sender to the receiver’s phone only prevents communications from being read…other than by those holding the keys.
There is no need for businesses to run unnecessary legal and regulatory risks as above when safe and compliant alternatives can be deployed internally and to clients within minutes without the need for IT experts. Qwil Messenger B2C secure chat platform was built to be safe enough for the financial sector, but easy and intuitive to use as any social chat platform.