WhatsApp in the Workplace

Published on: 19/12/2024

#Data Protection

In the UK, WhatsApp is used today by nearly 40 million users, including for business purposes. The app has become a household name, and with its various tools for communication, photo sharing, and planning, it’s easy to see why.

WhatsApp’s owner, Meta, has made great efforts to emphasise the security of the application, highlighting the end-to-end encryption offered by the app. Due to this added security, many users feel free to use the app with confidence, including in a business setting. However, there are unforeseen risks that employers and business owners should be specifically alive to when it is used in a workplace setting, particularly in respect of how it relates to UK GDPR (“GDPR”) laws and protections.

This article explores the potential risks of using WhatsApp for workplace communications and the implications under GDPR and UK legislation, and provides practical tips for employers to mitigate these risks.

Risks of Using WhatsApp in the Workplace

Blurring Personal and Professional

The clearest risk of using WhatsApp for work-related purposes is the blurring of lines between personal and professional. In the same way that using Teams chat or Slack can encourage informal messaging, using WhatsApp often results in much more informal conversations than would take place via email. In some situations, this can be a benefit, particularly for team building among remote workers. However, with this informality comes a heightened risk of employees sharing personal opinions and making jokes (often labelled as “workplace banter”) which may be discriminatory or derogatory. Under the Equality Act, both the employee and the employer may be liable for this, if the conduct is considered to be in the course of employment. If the chat is used often, or primarily, for work-related communications, there is a real risk of these messages being relied upon in an Employment Tribunal.

Lack of Control and Oversight

Employers may find it challenging to monitor and control the flow of information within WhatsApp groups. Unlike other communication channels, WhatsApp messages are not stored on company servers, making it difficult to track and manage data. This lack of oversight raises the risk of unauthorised sharing of sensitive information, creating compliance issues. In August 2023, NHS Lanarkshire Hospital was reprimanded by the ICO for unauthorised use of WhatsApp to share patients’ personal data, including medical/sensitive data.

Data Breach Risks

Where employees use WhatsApp, they often do so on personal devices, usually mobile phones. This significantly increases the risk of data breaches, because the employee’s phone may be lost, stolen, or hacked. Sensitive company information could therefore be exposed, without the additional protections that companies often place on their hardware.

Inadequate Data Retention Policies

Another, perhaps less obvious, risk relates to data retention. Under the UK GDPR, companies are strictly regulated regarding data retention, and must be clear in their policies about how and when personal data will be deleted. WhatsApp does not provide robust tools for data retention and deletion. Messages can be easily deleted, edited, and even sent privately, without leaving a trace, complicating efforts to maintain proper records and comply with data retention requirements under GDPR. The inability to effectively manage and retrieve communication logs poses a significant challenge for data governance. This is particularly complicated when employees are using WhatsApp on their personal devices, as the line is blurred between what is the personal property of the employee and what is company property that the employer can reasonably demand records of.

Practical Tips for Employers

Looking at the above, the risks may seem high, but for many employers and employees, WhatsApp is integral to a smooth-running and friendly workplace. So what can employers do to mitigate these risks, whilst still making use of a good instant messaging tool?

Consider a Different Official Communication Channel

Whilst WhatsApp certainly has clear benefits, there are similar services that are more specifically designed for business use, without resorting back to email. Employers may find that encouraging a swap to one of these tools also encourages more work-appropriate communications. We recommend employers encourage the use of official, secure communication platforms that offer better control, oversight, and data protection features.

Develop Clear Policies

It is really important not to ignore WhatsApp as a potential issue – particularly if you know that employees are using it unofficially. We do not recommend an outright ban of WhatsApp, as this will be impossible to enforce and may negatively impact employee relations. Rather, you should establish comprehensive policies regarding the use of personal devices and applications for work-related communication. Clearly outline the acceptable use of WhatsApp, including examples of what is and isn’t appropriate, and the responsibilities of employees in safeguarding personal data.

Training and Awareness

Educate employees about the risks associated with using WhatsApp for work and the importance of data protection. Regular training sessions across all levels of the workforce can help reinforce best practices and compliance with GDPR.

Data Protection Measures

If you choose to continue with WhatsApp, consider implementing technical measures such as device encryption, secure backups, and regular audits to ensure the security of data shared on WhatsApp. It is also worth considering limiting its use to work devices only, although this will come with the added burden of providing such devices to employees.

Obtain Consent and Document It

If you do not provide work devices for employees, ensure that employees provide explicit consent for using their personal numbers and devices for work purposes. You should maintain records of such consents for accountability and compliance purposes.

We understand that this may seem daunting for some employers. If you need tailored advice about how to navigate this, please reach out to our team, who would be happy to help.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.