It all started earlier this month when Alistair McCapra, CEO of the CIPR, shared a link with us about how WhatsApp isn’t GDPR compliant.
Knocking the CIPR Yorkshire & Lincolnshire WhatsApp newsletter on the head was a tough decision to make as it was gaining traction, but once you read the article it makes sense. And as I was the one with 10 minutes to spare, I turned it into a learning outcome to share with everyone via Influence.
Since then, some things have changed… and some haven’t.
WhatsApp decided to allow people to download the data it holds on people who use the app. Lots of tech companies are letting users do this now.
But the key element of the security article hasn’t changed: under GDPR, “companies are liable for the protection of clients’ and staff data”.
Now: when people signed up to our newsletter all we got was a mobile phone number. The mobile phone number connected to the Group’s WhatsApp account is used on a phone which is only used for the WhatsApp newsletter. There is no cross-contamination of data from the phone to other phones, and for there to be a data breach someone would have to lift the phone – always possible, but unlikely.
The trouble is that the WhatsApp app also grabs data from people who sign up. And CIPR Y&L has no control over what it grabs and where it stores it.
There is an argument to say that if you’ve already installed the app you have explicitly given permission to WhatsApp to store whatever it wants (because you read it in the Terms and Conditions and still accepted them).
You could argue that… but then you’re not one of the volunteer Executive Officers of a CIPR regional group. And we just can’t take the risk that a data breach at WhatsApp exposes the details of our subscribers, because WhatsApp can match phone numbers to people in a way that we can’t. We’d be liable, because it’s our newsletter.
And, to answer your next obvious question: yes, email newsletters are in the same position, if the platform you use stores any data to which you have no access. CIPR newsletters only go to CIPR members, and the CIPR holds all of that data. In theory (great last words), we could invite people to sign up to a Y&L-only email newsletter which would go to members and non-members alike, where the CIPR holds all the member details and Y&L holds all the non-member details.
But if people read email newsletters we wouldn’t have tried WhatsApp…
It’s ironic, but we find ourselves in the position of having to deny people access to something that, for once, they actually want!
Our next steps will be to see if WhatsApp changes, or if there are any GDPR-compliant platforms out there. But I suspect that there won’t be.