GDPR Compliance & Crisis Communications: Is WhatsApp the right tool for organizations?
This month, the Data Protection Commission (DPC) in Ireland has issued a record fine to WhatsApp for a “serious” breach of the General Data Protection Regulation (GDPR).
According to the DPC, WhatsApp provided “only 41% of prescribed information to users of its service. Non-users – whose messages sent on other apps could be forwarded to the platform by WhatsApp users – got no information, denying them the right to control their personal data.” Commissioner Helen Dixon explained that the company’s GDPR infringements have affected an extremely high number of individuals; and breached the core principle of transparency as well as the fundamental right of the individual to protection of individuals’ personal data.
WhatsApp offers the option to create chat groups, which makes it easy to reach out to staff especially in large organizations. However, a rising problem is that organizations have lost track of how many WhatsApp groups & subgroups have been created; and even more importantly, who is part of which group. Jim Preen, Crisis Management Director at YUDU Sentinel, explains, “There are many tales of people who have left a company to work for a competitor who are still part of a WhatsApp group as they’ve taken their mobile phone number with them.”
Since 2018, GDPR has been implemented and compliance has become a top priority for organizations across all industry sectors. The legislation has radically changed the way companies process and share information - “giving individuals, prospects, customers, contractors and employees more power over their data” - and has established severe (and expensive) penalties for those companies who fail to comply.
Jim Preen is unconvinced the court action will overly concern WhatsApp’s owners. “I’m not sure the fines will hugely worry WhatsApp and their parent organisation Facebook” and “Given their revenues it may seem more like a slap on the wrist.” He also added that the payment of any subsequent fines will be delayed in the courts for many years. He said, “The sharing of data is central to Facebook’s business model, this is how they make their huge profits, so they’ll fight it all the way.”
From a reputational point of view, does WhatsApp run the risk of any damages? Not really. According to Preen, people will continue to use the app. Moreover, he believes that many people are “becoming less and less surprised that their data is being shared” and - as they live part of their lives online - they are willing share personal details. “Though of course if cyber criminals share their data, they may have a different opinion” he said.
However, from a business continuity or crisis management perspective, the story is different. Preen strongly believes that organizations should not use WhatsApp during a crisis. He explains, “There’s no corporate oversight, people can delete messages, pictures, and documents at will if the content reflects badly on them.” This is a great risk, and it can be detrimental to an organization. Crisis analysis can be severely hampered if people don’t come forward and make their group chats available.
So how can companies protect themselves from the risks posed by WhatsApp during an emergency? There are good reasons - in terms of security, safety, and compliance - for companies to ban staff from using WhatsApp, and they may attempt to do so. However, Preen admits that monitoring can be difficult and people will likely still use WhatsApp “under the radar”.
One of the key issues in today’s work culture is that there is a tendency to drift between work-based conversations and more personal ones, all using the same App. Banning the use of WhatsApp would not be popular among staff and would be almost impossible to enforce. However, Preen recommends that organizations should instruct and educate their staff about why such Apps should not be used during a crisis.
Some positive news was reported by the BCI Crisis Communications Report 2021, which showed that organizations are moving away from tools such as WhatsApp and using more collaborative platforms like Microsoft Teams – a tool that is also being used in incident situations. Many organizations, which have been using collaborative software for the first time in 2020, are now seeking to extend investment into specialist emergency communications technology.