Messaging apps and the GDPR

2018-03-16

The EU’s General Data Protection Regulation (GDPR) has been on everyone’s agenda during the last 12 months, and the deadline is approaching fast. Most of you have participated in a number of breakfast meetings and courses investigating the requirements of the GDPR. Many organisations, however, lack information about how the GDPR impacts their use of messaging services.

In recent years, there has been tremendous growth in the workplace use of messaging apps built for consumers.

It is essential to identify the risks involved in the use of messaging apps within your organisation. This is especially important since many organisations already use messaging services to carry out their daily business communication, but are not aware of the security and privacy challenges.

Employees have started using these popular messaging services because it is more convenient and efficient to message a colleague or a customer than to call or email. However, the majority of these messaging applications are built for consumer use and are not suitable for business communication. They don’t meet the EU data-privacy requirements, and their service providers often use them for monitoring or advertising purposes. Furthermore, the location where messages are stored or routed is often unknown, and is often on a different continent and in a different legislative environment than Europe.

The National Cyber Security Centre (NCSC) of the Netherlands has the following to say regarding the topic:

“Using publicly available messaging apps for business communication involves certain risks and has consequences for both your organisation and information sharing. Of the messaging apps currently in use, few are sufficiently secure to comply with your security policy for internal communication.”

Read the factsheet at the NCSC

EU General Data Protection Regulation (GDPR)

As everyone should be aware by now, companies operating in Europe must comply with the new EU General Data Protection Regulation (GDPR) by May 25, 2018. This European law is critical for compliance and risk officers across industry verticals. Its purpose is to protect Internet users and their privacy. The European Commission has warned that they will issue hefty fines to organisations that don’t comply.

Your organisation is responsible for managing the risks involved in the use of messaging apps for daily internal and external business communication.

Conventional messaging and chat services come with a series of challenges. They usually require access to the address book and user data. When using such a service, the contact data in the address book is read, processed, and possibly shared. For this to be compliant with the GDPR, consent must be given up front by every person whose contact data is in the address book. The contacts whose data is shared with the service vendor have no opportunity to make use of their “Right to be forgotten”. This right empowers individuals to request the deletion of their personal data that is held by service providers. In addition to contact data, conventional messaging and chat apps sometimes collect other user data, for example location, information about the mobile network, or other details about the user’s activity. There are also risks that messages may reach recipients other than those intended, or that the contents of conversations will be available to the service provider.

As a general rule, it must be assumed that these conventional messaging apps for consumers are incompatible with the GDPR, and that companies should refrain from using them. Non-compliance with the GDPR carries the risk of exorbitant fines.

Consumer messaging services should only be used for strictly private purposes. As soon as business contact data is stored on the phone, it can no longer be considered strictly private use.

At the very least, organisations should carry out a risk assessment of the use of messaging apps in their organisation, covering both sanctioned company software and unofficial use by employees to carry out their daily business.

We are here to help you to succeed with your GDPR compliance. The Crypho secure messaging service is trusted by some of the most demanding organisations in both the private and public sectors. If you are looking for secure and compliant enterprise messaging with minimal effort and cost, feel free to get in touch.

– Kai Leppänen,
CCO, Crypho AS

