WhatsApp at Work: Advice for Employers

female holding iPhone with WhatsApp screen. WhatsApp is messaging application

By Joanna Jagiello, Marketing Director, The Barcode Warehouse

Many people use WhatsApp as an internal comms tool for work. This can be practical and convenient, but it creates a huge risk. Here, I explain why free-to-use consumer messaging apps could land your business in hot water, and what your better options are.

The standard (consumer-grade) version of WhatsApp is the world’s most popular messaging application, with around two billion users. WhatsApp is very useful: it’s free to use, and its popularity means that most of your contacts will also have it. It’s a great way to catch up with friends and send the odd cat video or silly gif, and many of us use it daily without a second thought. But it is not intended for business use.

Indeed, WhatsApp’s terms of service specifically ban its use for ‘non-personal use’, while its privacy policy for Europe passes a fair volume of liability onto the user, and includes data-sharing policies that organisations may be uncomfortable with. The standard app also generates the risk of data loss; inactive accounts are deleted after 120 days without alerting the user, so your organisation could easily lose vital data, and not know anything about this until it’s too late.

Of course, Meta also sells WhatsApp Business app and WhatsApp API, but these are designed for customer engagement and customer service, not internal comms.

Scarily, there appear to many people that don’t recognise the dangers of using WhatsApp for internal comms and staff often turn to it without thinking. You may, without knowing it, have many staff and teams using WhatsApp right now.

I’ve even heard of some businesses that have strategised or approved the use of consumer messaging apps. That can be a very bad move indeed.


Messaging apps can bring legal and financial sanctions

When the Information Commissioner’s Office (ICO) investigated the UK government’s internal communications recently, it identified multiple risks caused by the use of consumer messaging apps, including WhatsApp. The ICO found that government officials had used them in ways that compromised data transparency, confidentiality and security, and called for greater regulation and monitoring.

In the US, the use of WhatsApp and other tools in ways that circumvented federal record-keeping laws led to fines of $200 million for banking giant JP Morgan Chase. Yet, a survey conducted in the wake of the Morgan Chase scandal found that just 14% of companies in the financial sector were actively monitoring the use of consumer messaging apps for work. In other words, a full 86% of respondents were ignoring the problem.

Some of the biggest names in banking now face similar fines for the same offences. There is clearly either widespread failure to monitor and respond to the problem, and/or a staggering lack of awareness.


Why is WhatsApp unfit for internal comms?

WhatsApp offers end-to-end encryption, but this alone is insufficient for commercial internal comms. What’s more, consumer-grade messaging apps have long been targets for malware and other cybercrime, which introduces further risk.

When teams use unregulated messaging apps it becomes incredibly difficult to monitor who is in which group (and do you want your former staff member, who is now working for a rival, reading your internal communications for weeks, months or years to come?). Even if you can audit your groups, some of your data will remain on the personal devices of former staff members who have read (and automatically downloaded) that information in the past.

There are multiple aspects of consumer apps that you cannot control, each one carrying a security risk. For instance, you cannot block the forwarding of messages, or the sharing of messages with third parties. If staff are using their personal mobile devices for work (and the pros and cons of this alone would fill another article), you cannot enforce data protection hygiene, such as using a password or fingerprint to lock/unlock mobile devices, when they use a consumer app.

The bottom line is that responsible organisations protect their stakeholders and themselves by using only secure devices and platforms – and consumer-grade messaging apps just are not compatible with that.

The employing organisation is almost always legally responsible for the information it holds and processes – including internal data such as working patterns, locations, rotas, and so on – and will be held liable if that data is compromised.


With messaging apps for work, security is not the only concern

Other dangers of messaging apps include the loss of data due to the app’s auto deletion policies, and the related problem of ‘invisible’ audit trails (potentially catastrophic if you are audited or investigated). Unregulated third-party apps generally cannot be integrated with your wider business systems, which can reduce the quality of your business data and any decisions made on the basis of that.

Finally, the use of messaging apps for both work-related and personal communications blurs the boundaries between work and personal time. In one study I came across, of 1,000 UK workers, a crazy 73% said they are contacted by work during their annual leave. This is yet another example of where the risk of liability (for causing workplace stress, etc.) could be removed by using a centrally-managed, rather than a consumer-grade, messaging system.


What is the solution?

Consumer-grade messaging apps are not appropriate for business use. More to the point, there is no need for organisations to be running the risks that WhatsApp and other consumer-grade messaging apps bring with them. There are plenty of communications platforms available that have been designed for business use, and many are tailored for specific sectors, use cases and devices. These are secure, GDPR/UK GDPR- and DPR-compliant and can be integrated with existing software and systems. That’s why a tailor-made messaging platform offers more value add than just messaging and video. It not only reduces risk, but is also a great productivity investment.

Joanna Jagiello