
Compliance risk exposure: What’s up with WhatsApp?


What is the cost of convenience? When it comes to using systems like WhatsApp for conducting business with clients the costs could be far greater than you realise, explains Bill Mew.

15th Feb 2022

How and where we store data is back at the top of the agenda, whether it is Donald Trump refusing to comply with the Presidential Records Act and ripping documents up or using ‘burn bags’, or Facebook (aka Meta) refusing to comply with GDPR and threatening to leave Europe if it is made to do so (my viewpoint on TV). 

However, few of us have the power or impunity to defy the law in the way that the former POTUS or the social media giant have done. So what are our obligations and where do we have potential exposure if we fail to keep organised and accurate records?

Retention of accounting and other corporate records

There are a host of regulations that require you to retain accounting and other records for six years or more, from the Companies Act and the Charities Act to the Taxes Management Act, VAT Act and Finance Act as well as various HMRC rules.

Retention of personal data and the GDPR

At the same time, GDPR and the Data Protection Act have additional obligations that apply to the storage, processing and protection of personal information. Competent and effective data management is required to know exactly where and how all such personal information is stored in order to be able to retain, remove and transfer it in a compliant manner.

Transfers: you need a legal basis for transferring data. This can be on the basis of adequacy which currently covers all transfers between the EU and UK, as the current regime in the UK has been deemed to be sufficiently equivalent. It can also be on the basis of Article 49, which allows for “occasional and not repetitive transfers”, and is limited to situations where users have given explicit consent or if the transfer is strictly necessary to provide a contract (eg a hotel booking abroad). 

Standard contractual clauses (SCCs) can also provide a basis for data transfers. However, it is important to note that following the demise of Privacy Shield there is no adequacy with the US and you cannot use SCCs when transferring data to “electronic communication service providers” (ECSPs - includes ALL cloud firms, SaaS firms, telcos and social media platforms) that have operations in the US, as these all fall under 702 FISA (50 USC § 1881a). 

Given the extraterritorial nature of these US regulations, any use of ECSPs (including AWS, Azure, Dropbox, Salesforce, etc) counts as a transfer of data to the US, even if the provider offers some form of data residency where the data is stored in their data centres in the UK or EU and is never actually transferred across the Atlantic. As such whenever using these ECSPs, supplementary measures are required such as end-to-end encryption where you retain the crypto keys. Flexibility and agility are also recommended, as such regulations could well change. Rumours of a new Privacy Shield and of new arrangements in the UK could change these requirements significantly.

Retention: retention of personal information needs to be minimised in line with reasonable use and the basis on which consent was obtained. Whatever the purpose and basis on which you obtained such consent needs to be adhered to and your data management systems need to be sophisticated enough to be able to locate, identify and remove such data as soon as the basis for its retention expires.

GDPR does, however, include exceptions to this where retention is required on the basis of other laws and regulations - such as when accounting or other corporate records containing personal information (eg an invoice that contains a name, address, email address and phone number) need to be retained.

Removal: further flexibility and agility are required when personal information is removed in advance of the normal retention policy, such as under the ‘right to be forgotten’ provision in GDPR. Again, this does not apply to records that contain personal information where retention is required on the basis of other laws and regulations (eg I cannot ask the DVLA to forget about my speeding convictions on the basis of the ‘right to be forgotten’).

Best-practice retention for professional services, disputes and litigation

Beyond what is required either under law or GDPR, accurate and accessible records and a tamper-proof audit trail are essential for almost all professional services. 

In the event that any professional advice is either misunderstood or disputed, you need accurate records and a tamper-proof audit trail you can refer to. 

Accessibility is also essential. If, for example, potentially conflicting advice is given by different members of your team, then you will need a comprehensive audit trail that includes every record relating to the engagement, including all calls, emails, text messages or whatever from all members of the team.

Where you’re probably going wrong and what your exposure is

If your staff are using communications platforms that do not allow central management and record-keeping then you could be in real trouble. All too often the convenience of systems like WhatsApp overrides considerations of compliance and risk. As individuals all have their own personal WhatsApp account, there is no compatibility with central record management, nor are records tamper-proof. Individuals can delete records at will and if they leave your company, they take the correspondence with them.

There is also no way of enforcing GDPR requirements for the retention or removal of personal information, and no way of compiling a comprehensive, tamper-proof audit trail. This can create massive exposure in the event that a regulator demands records or a client disputes or misinterprets advice. Regulators are already beginning to crack down on the use of such systems, with JPMorgan Chase recently fined $200m for conducting business on WhatsApp.

Simply having a system that keeps records isn’t enough either. Records not only need to be comprehensive and tamper-proof, but they also need to be accessible and usable. Automation is becoming ever more critical for competitiveness and efficiency. Manual processes have been found to be the biggest roadblock to achieving automation, cited by 46% of firms, followed by legacy systems (42%), poor interoperability (40%) and regulatory requirements (38%).

How to get it right

Complying with the need to have comprehensive record-keeping, adequate cybersecurity with access management and keep effective backups while also enabling you to comply with data retention and removal requirements doesn’t need to be an impossible task. And you don’t necessarily need to sacrifice the convenience and productivity you get with systems like WhatsApp.

Aware of the risk exposure, professional services firms are now scrambling to implement alternative apps that offer the functionality of WhatsApp, but also include central management and tamper-proof call recordings as well as application programming interfaces (APIs) to enable integration with CRM systems.

This allows you to stay accountable by keeping and managing comprehensive records centrally. Records should also be tagged to individual members of staff, as well as individual clients and their executives and full call transcripts provided. This means you can sift and categorise intelligently to know where personal data exists on each and every individual, so not only can you comply with the ‘right to be forgotten’, but you are also able to refuse to do so when there is an overriding regulatory need for retention.

The sooner you start collecting call transcripts and other such data in a centralised and structured manner, the quicker you will start building a valuable repository that can be mined for intelligence to provide a competitive advantage once sophisticated AI tools become available. However, this also needs to be done in a compliant manner - ie either avoiding the use of ECSPs or ensuring that supplementary measures such as end-to-end encryption are applied. One app I've come across that addresses the challenges I've mentioned above is VCTALK-SAFE, but I'm sure there are others available.

Either way, WhatsApp is, unfortunately, an absolute ‘No No’, whether or not Mr Zuckerberg decides he wishes to cease providing certain services in Europe.

Replies (4)


By Paul Crowley
15th Feb 2022 14:05

"How and where we store data is back at the top of the agenda, whether it is Donald Trump refusing to comply with the Presidential Records Act and ripping documents up or using ‘burn bags’, or Facebook (aka Meta) refusing to comply with GDPR and threatening to leave Europe if it is made to do so (my viewpoint on TV)."

Facebook leaving Europe?
First time that I consider that there could be a benefit to GDPR

In reality GDPR always was EU doing what the USA regularly does

Trying to sort out its mess by bullying the rest of the World

EU never really got the data protection thing in the past so massively exaggerates a response: result is any company can be killed by a clever hacker
Cannot punish hackers so punish the company

But GDPR is only about people, not business data.

Thanks (0)
By Duggimon
17th Feb 2022 09:29

Our emails work on our phones if we want them to, and are all stored on a central server. I can't think why we would use WhatsApp for anything.

Thanks (0)
By North East Accountant
17th Feb 2022 10:40

I would be interested in knowing how you get your data out of any of the cloud PM systems such as Accountancy Manager, Senta, Karbon, Pixie etc if you stopped using their software.

Standing data may be exportable, but are all the notes of phone calls, meetings etc.?

Thanks (0)
17th Feb 2022 15:47

I thought it was bad enough that basic care with clients data has in the main been completely forgotten in this race to homeworking, but it does seem to be superseded by the stupidity of Government, BBC, police and other esteemed organisations thinking that using (thinking the world revolves around) WhatsApp, twatter and related products is acceptable and secure. How many leaks will there have to be, before they have a bit of a rethink.

Thanks (0)