Continental’s banning of WhatsApp is the most visible sign yet that enterprises are taking GDPR and data privacy seriously.
Let’s be clear. While the sweeping changes introduced by GDPR have created massive uncertainty and confusion for many, they are fundamentally a very good thing. Not least because it’s put data protection at the top of the corporate agenda.
The news that automotive giant Continental has prohibited the use of WhatsApp, and other social tools, is probably the most high-profile example of this to date.
For too many years, businesses have worked to an assumption of “acceptable risk”. CIOs and CIROs were, I’m sure, never fully comfortable with seeing free, consumer-grade messaging tools like WhatsApp being used in their business for sharing confidential information or client data; but because they met a very real business case for a more immediate chat experience, little was done.
Continental’s chief executive, Elmar Degenhart, should be commended for calling a stop to the use of WhatsApp on approximately 36,000 devices used by a workforce of almost 240,000 employees. The company’s fear was that because such apps could access users’ “personal and potentially confidential data, such as contacts, and thus the information of third parties”, it violated GDPR’s terms for the processing and storing of personal data.
Not such a problem for individual consumers chatting to their family, but in an enterprise environment, chances are your contact list also includes other employees, partners, and of course, clients.
This is a very real risk, and we should be grateful that GDPR has finally brought the issue to the surface, and forced businesses to look long and hard at the tools being used by their employees.
Companies must be better at regulating their business communications, and actively look to reduce the risk of sharing personal data with third parties. In the case of WhatsApp, there’s no lawful basis for sharing this data, and it shouldn’t be on the enterprise to seek consent from clients to do so.
“We think it is unacceptable to transfer to users the responsibility of complying with data protection laws,” Elmar Degenhart said. “This is why we are turning to secure alternatives.”
Degenhart’s memo recommended that staff switch to a secure messenger like Wire (article in German) as an alternative.
Here are just some of the reasons why businesses need to be conducting an immediate review of WhatsApp and its use by employees.
Those are the questions businesses now need to ask themselves. The potential fines a business faces if it fails to comply (4% of global turnover) are just one side of the coin.
Even worse is the damage to the brand reputation caused by a potential leak of client confidential data.
Continental has taken a proactive approach to lead the way in implementing appropriate policies and technical measures; not only to protect employee and client privacy, but also to earn goodwill for its brand and protect it from potential damage. I hope to see other big players follow.
Wire was built with privacy-by-design principles in mind and can help any organization meet the GDPR-related requirements. In particular, Wire does not require sharing of the address book, and it offers businesses full control over the app usage, including one-click removal of ex-employees from accessing chat history, shared files, and contacts.
Morten Brogger, CEO, Wire