The hidden data risks of using WhatsApp for business

Messaging apps like WhatsApp can create major headaches for businesses if employees are mixing personal and professional communications with clients, raising data protection issues and potential regulatory fines


WhatsApp may be a convenient way for businesses to keep in touch with clients, but it has proven costly for some of the world’s biggest financial institutions. Around a dozen banking giants, including JPMorgan and Goldman Sachs, were hit with fines totalling more than $2bn (£1.6bn) last year for failing to keep records of messages that employees sent to clients via unauthorised apps such as WhatsApp.

The episode underscored the risks businesses face from the explosion in new digital communication channels and the challenges of keeping tabs on what employees are sharing on them.

How did WhatsApp become the go-to business tool?

While the use of unauthorised communication channels long pre-dated Covid, the pandemic accelerated the practice as the lines between home and work life blurred, and it has persisted as hybrid working policies have become established.

“The office is a controlled environment where compliance has oversight,” says Damon Batten, a partner at regulatory consultancy Bovill. “But when you’re at home, it’s easy to just pick up and use your personal device and there isn’t any oversight.”

That means work and personal communications are also blending. “When you have a relationship with a client, they may also be a friend – or at least a contact in your network – and your communications with them may veer between professional and personal, especially on these messaging apps,” explains Batten.

Competitive pressure and the need to protect margins also make firms willing to communicate with clients on whatever channel the client prefers, even if that means using an unauthorised one, notes Alex Viall, chief strategy officer at Global Relay.

“People often think that to satisfy the customer and keep their business they need to respond on-demand via whatever channel the customer wants to use,” says Viall. “Given the proliferation of new channels, it’s a complex problem.”

WhatsApp use requires strong data governance

While the banking fines were handed out for failing to keep proper records, rather than for any market abuse, there is an elevated risk that if employees communicate with clients via an informal channel they may let slip information that they shouldn’t, says Batten. Organisations and individuals may also risk reputational damage if communications sent on such channels are later subject to legal disclosures.


“People must realise that whatever they send digitally could come back to bite them,” says Viall. “Then they should ask themselves that if a message appeared in a court of law in five years, would they be happy to hear a prosecutor read it aloud?”

In addition, organisations need to think about data governance issues that could arise if employees use unauthorised apps for business communications. “If people use an authorised application to communicate there is some level of control, such as applying retention periods so that the information isn’t kept for too long,” explains Gayle McFarlane, a partner at Eversheds Sutherland.

This is particularly relevant since the introduction of the EU’s General Data Protection Regulation (GDPR) and the resulting increase in data subject access requests, which oblige a business to disclose the personal data it holds on a given individual. If employees are using unauthorised apps to communicate, the business may not know where the relevant data is, which complicates its retrieval within the statutory deadline.

In some cases, employees may be reluctant for messages they shared on social apps to be disclosed because the content may be professionally embarrassing, which could tempt them to hit the delete button – something that would have serious consequences. “If they do that, they run the risk of potentially committing a criminal offence under the Data Protection Act, which relates to destroying personal data after a request has been made for its disclosure,” says McFarlane.

Why WhatsApp use is a problem for all businesses

But it isn’t just financial services firms that need to worry about employees using unauthorised communications channels.

“Data protection principles and information security principles apply to any business in any industry,” explains Frank Schemmel, senior director of privacy and compliance at DataGuard. “The risk is that if you mix private and business data, you can have uncontrolled storage and publication of confidential information, so the misuse of popular messaging services for business communication affects any company.”

The same principle applies to internal messages, not just communications with customers. If employees chat with each other on social messaging apps and those chats occasionally touch on business matters, the messages fall within the scope of data protection rules.

“The decision for companies to make is whether they need an institutional record for ephemeral water cooler-type conversations,” says McFarlane. “Sometimes you will because you’re carrying out regulated business. But at other times there may well be a greater risk in capturing chit-chat than there is in not capturing it.”

What compliance options are open to businesses using WhatsApp?

Unregulated organisations therefore need to think carefully about their communication policies: which channels to allow and how long to retain data, so that they do not hold transient conversations that have no business relevance but could be misconstrued if caught up in a disclosure process.

Some regulated businesses, such as banks, have simply responded by prohibiting these messaging apps. A study by Global Relay this year found that 59% of compliance teams have banned WhatsApp and other similar applications because of the recent banking fines. Despite that, only 2.6% of respondents said they were confident that banning such apps is an effective solution.

“It’s a knee-jerk reaction in response to the regulatory enforcement,” says Viall. “If you send the message to everyone that WhatsApp is banned, that is a first step. But you put yourself at considerable risk if that is your only approach. Regulators won’t accept that and will apply extra scrutiny because they know it’s probably still going on.”

Outright bans may also put firms at a competitive disadvantage if their peers have adopted technology to allow employees to use WhatsApp in a compliant way by filtering out personal messages and keeping a record of the business communications.

“It’s important to find a solution to this,” says Viall. “This isn’t a trend. It’s part of life.”