Continental’s banning of WhatsApp is the most visible sign yet that enterprises are taking GDPR and data privacy seriously.
Let’s be clear. While the sweeping changes introduced by GDPR have created massive uncertainty and confusion for many, they are fundamentally a very good thing. Not least because it’s put data protection at the top of the corporate agenda.
The news that automotive giant Continental has prohibited the use of WhatsApp, and other social tools, is probably the most high profile example of this to date.
For too many years, businesses have worked to an assumption of ”acceptable risk”. CIOs and CIROs were, I’m sure, never fully comfortable with seeing free, consumer-grade messaging tools like Whatsapp being used in their business for sharing confidential information or client data; but because they met a very real business case for a more immediate chat experience, little was done.
Continental’s chief executive, Elmar Degenhart, should be commended for calling a stop to the use of WhatsApp on approximately 36,000 devices used by a workforce of almost 240,000 employees. The company’s fear was that because such apps could access users’ ”personal and potentially confidential data, such as contacts, and thus the information of third parties”, it violated GDPR’s terms for the processing and storing of personal data.
Not such a problem for individual consumers chatting to their family, but in an enterprise environment, chances are your contact list also includes other employees, partners, and of course, clients.
This is a very real risk, and we should be grateful that GDPR has finally brought the issue to the surface, and forced businesses to look long and hard at the tools being used by their employees.
Companies must be better at regulating their business communications, and actively look to reduce the risk of sharing personal data with third parties. In the case of WhatsApp, there’s no lawful basis for sharing this data, and it shouldn’t be on the enterprise to seek consent from clients to do so.
“We think it is unacceptable to transfer to users the responsibility of complying with data protection laws,” Elmar Degenhart said. “This is why we are turning to secure alternatives.”
Degenhart’s memo recommended switching to a secure messenger like Wire (article in German) as an alternative to its staff.
Four examples how WhatsApp is unsuitable for post-GDPR business communication
Here are just some of the reasons why businesses need to be conducting an immediate review of WhatsApp and its use by employees.
- Consent: WhatsApp has come under fire for automatically uploading users’ entire address books (even with the details of non-WhatsApp users). It’s also unclear exactly what data is extracted from address books, how it’s processed, and what is shared with the parent company Facebook.
- Loss of control: Being a consumer-grade tool, WhatsApp is tied to the users’ phone number. Typically this is a personal number that’s also used for business. If an employee leaves, they’ll still have access to potentially confidential chats, full chat histories, files, and of course contacts.
- Request for information. Under GDPR, companies are obliged to report on (and delete if requested) all personal identifiable information about an individual. Because WhatsApp is most likely connected to a user’s individual account, companies lose the ability to centrally audit the app, and enterprises lose the ability to inform customers how this data is being handled.
- Data portability: If you are in the EU, it’s worth noting that WhatsApp sends your account and communication related meta data, and contacts to its U.S based servers. Under GDPR you need a legitimate reason for doing this, and consent to share that information would be required. It’s also unclear what metadata WhatsApp holds on users.
Could your business survive the reputational damage caused by a breach of client data?
That’s the questions businesses now need to ask themselves. Potential fines a business faces if it fails to comply (4% of global turnover) is just one side of the coin.
Even worse is the damage to the brand reputation caused by a potential leak of client confidential data.
Continental has taken a proactive approach to lead the way in implementing appropriate policies and technical measures; not only to protect employee and client privacy, but also to earn goodwill for its brand and protect it from potential damage. I hope to see other big players to follow.
Wire was built with privacy-by-design principles in mind and can help any organization meet the GDPR-related requirements. In particular, Wire does not require sharing of the address book, and it offers businesses full control over the app usage, including one-click removal of ex-employees from accessing chat history, shared files, and contacts.
Morten Brogger, CEO, Wire