Brought to you by
qwil messenger logo

All-in one app for secure client communication 

Having WhatsApp installed could be a GDPR breach

13th Feb 2023

Although WhatsApp was not designed for business use, its popularity has also made it a principal communication channel between staff and clients, particularly where no suitable alternative exists.

Screenshot: WhatsApp's "Accept to access contacts" prompt (Qwil; screenshot of WhatsApp/Meta).

Much to the horror of IT and compliance departments, WhatsApp is now a firmly entrenched “shadow IT” system operating beyond the expected corporate controls, leaving most firms no choice but to ban use of the app for work. But are these measures too little, too late if your staff have already installed the app and accepted its terms? The answer depends heavily on which contacts your staff hold on their devices and on the consent those contacts have given.

1. Did you get consent from all contacts to share details / transfer to WhatsApp?

Problems begin when the app is installed and the user grants it permission to access all of the contacts on the device. This is a key feature of WhatsApp: it relies on synchronising your contact data to populate the app’s contact list, so you can see who else uses WhatsApp and start a chat easily.

The exponential growth of WhatsApp (over 65 billion messages are sent each day) is in large part thanks to this core feature. However, by accepting this transfer of private data to US-based servers, users also expose all of their contacts’ details (both personal and professional) without obtaining each contact’s explicit permission for their data to be used or processed.

Consent is the first rule under GDPR. Nor can companies comply with GDPR requests for information or the right to be forgotten, as they ultimately have no control over data once it has been transferred to WhatsApp.

2. Does GDPR distinguish between a personal phone and one that is supplied by the company?

Not really: what matters is how the device is used.

The good news is that if you own the device and it is used only privately, GDPR Article 2 paragraph 2(c) provides an exemption: the “Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”.

The risk of data breaches, and the responsibility of businesses (of any size), increase significantly when WhatsApp is installed on either a personal phone used for professional purposes (BYOD) or a phone supplied by the company. If, for example, an employee stores a business (or client) contact on either a private or company phone, then the business may be committing a data breach, because that contact's data is transferred to WhatsApp without the consent the GDPR requires.

3. But WhatsApp state they are now GDPR compliant?

WhatsApp’s own business may well be, and so may the private user under the Article 2 exemption (see question 2), but not your company using it.

The privacy policy has been updated to outline users’ rights and access to data under GDPR, but it also reflects the sharing of information with internal and external partners; data being transferred, stored and processed outside Europe (i.e. in the US); and, because the policy is a legal agreement, a bar on under-16s using the service.

WhatsApp now complies with GDPR in how it uses the data of its own personal users. That is very different from being a compliant tool for another company to use with its own clients: a company needs to be able to obtain consent from all users on its own terms of use.

4. What steps should I be taking for my company?

  1. Install a secured chat alternative to be used as the main communication channel both internally and externally (with clients).
  2. Agree the terms of use of each communication channel.
  3. If your company supplies mobile phones, prohibit the installation of WhatsApp and ensure all professional communications take place on the company device in line with policy.
  4. If your company has a BYOD (Bring Your Own Device) policy, install an MDM tool and segregate private and business contact books. Ensure the contact books are correct as per company policy.

5. How is Qwil Messenger different? How can it help businesses be compliant and be the business alternative to WhatsApp?

Qwil Messenger solves the challenge of making chat safe and compliant when it matters most: between staff, clients and partners. Qwil Messenger looks and feels like your favourite social chat app, but below the surface it has been designed from the ground up for professional use, with data privacy and security in mind.

Qwil Messenger

Invitation-only access – everyone is who they say they are.
To gain access, a user must be invited by each company. This approach is an important security aspect of the platform as every user account is created by the company with whom they can engage using verified identity information. There is no self-provisioning.

Pre-Defined contact lists – no access to user’s phone contacts.
A user’s contact list on Qwil Messenger is managed by the company. Each user’s list can be tailored to create dedicated contact points between clients, partners and representatives that align with the organisation’s coverage and servicing models. Qwil never accesses your users’ phone books.

Regulatory compliance – you own your data and host it wherever required.
Achieve regulatory compliance with recording, auditing and full data controls. Every user consents to both Qwil Messenger’s and your terms of use (i.e. no transfer, storage or processing outside of your control – even notifications to devices have non-sensitive information).

Enterprise-grade security for companies of all sizes – BYOD out of the box.
Every aspect of our platform has been designed to meet the most stringent security requirements of the world's largest regulated firms but made available for all. Our measures include:

• Two-factor authentication (2FA) for every user, on every device.
• End-to-end data encryption both in-flight and at rest.
• Users only have access to the features and functions they are entitled to, and we fully audit every system action, including a read receipt for each message sent.
• Data containerisation on staff mobile devices (BYOD friendly out of the box).


Upgrade to an all-in-one professional platform.
Your data, your control, your brand.
