WhatsApp is one of the most downloaded apps in the app stores. We provide the necessary background information and explain how WhatsApp can be used for business in accordance with GDPR.
Companies that provide their employees with smartphones which are also used privately as part of a COPE or BYOD program must expect WhatsApp to be installed on these devices. This means that companies without appropriate security measures can find themselves on thin ice – a violation of GDPR is almost inevitable.
What Is the Problem?
As soon as WhatsApp is installed on a smartphone, the app reads the device's address book and builds its contact list from it. The address book data is uploaded to WhatsApp servers located in the United States and matched there against registered users. Phone numbers of people who are not WhatsApp users are uploaded as well. If such personal data is passed on to a third party without the consent of the person concerned, this is a clear GDPR violation.
Without separating private and business contacts on the device, the contact data of your corporate contacts is therefore passed on to a third party without their permission. In order to protect customer data from unauthorized access and to protect themselves from possible GDPR fines, some companies have taken radical measures.
The automotive supplier Continental, for example, opted for a complete ban on WhatsApp on its 36,000 corporate smartphones. But such drastic measures aren't always necessary. What matters is that private and professional data and contacts are kept separate from each other on the mobile device.
With Android devices, this has already been possible for some time with Android Enterprise (formerly Android for Work). The device has a work profile where business data is kept separate. Private apps cannot access this work profile, so in this case private WhatsApp use is not a problem for companies.
It was more difficult on iOS, at least until March 2018. Before iOS 11.3, every app on the device read the same contact book, so business contacts from a managed Exchange account were visible to WhatsApp just like private ones. This gap was closed with iOS 11.3, released on March 29, 2018, which allows an MDM to prevent unmanaged apps from reading contacts that belong to managed accounts.
Since then, it has also been possible to separate private and business contacts with iPhones and iPads. You can find more information about this in our blog post iOS: Ready for the EU’s GDPR with managed contacts.
How Do You Realize WhatsApp Business Use in Accordance With EU GDPR?
For WhatsApp business use in accordance with GDPR you need a Mobile Device Management (MDM) system.
The business Exchange account must then be rolled out through the MDM solution, so that business communication and contacts are protected: all mail and business contacts are then located in the managed area of the smartphone, because an account installed by the MDM counts as a managed account.
In addition, a policy must be set that prohibits the exchange of data between managed and unmanaged apps (on iOS, the "managed open-in" restriction). Since iOS 11.3 this restriction also covers contacts, so an unmanaged app such as WhatsApp can no longer read the contacts of the managed Exchange account. This implements the technical protection of corporate data required by GDPR on the iOS device and keeps business contacts out of WhatsApp, so the organization is not violating GDPR even if employees use WhatsApp on BYOD or COPE devices. Note that only contacts stored in the managed account are protected; anything the user saves to a personal iCloud or local contacts account remains readable by every app on the device.
Our Cortado MDM offering enables an especially rapid implementation of GDPR-compliant WhatsApp usage. A GDPR-compliant policy is already preconfigured in the web-based console, so all necessary security measures are applied automatically, for both Android and iOS devices.
Ensure you aren’t on thin ice when it comes to GDPR and read our free white paper, explaining how Cortado MDM can help.
Mobile Device Management for Beginners
This free white paper shows how an MDM solution can help organizations meet EU-GDPR requirements and implement their own compliance policies on smartphones.