Do you know what’s up with WhatsApp at your organization?

Employees using WhatsApp, one of the world’s most popular messaging platforms, and other non-secure or off-channel applications for work purposes can get their organizations in serious trouble with federal regulators. This may include steep fines, penalties, and reputational damage, including loss of trust. During our recent Education Series webinar, What’s Up with WhatsApp?, panelists Steve Wright, CEO and founder of Privacy Culture Limited, Arlette Walls, Global Records and Information Management Manager at Iron Mountain, and I had a conversation during which we acknowledged the inevitable use of popular social media applications for business transactions, the potential damages they may pose, and what can be done to minimize risk for your organization.

The key takeaway? It’s crucial for you to review and update your social media policy, including acceptable use guidance around this application and others—and ensure employees follow it.

Understand what can lead to regulatory trouble

According to Statista, WhatsApp had 2.44 billion active global users in April 2022, up 6.4% from April 2021. BusinessofApps reports this free, centralized instant messaging and voice-over-IP (VoIP) service has been downloaded more than 5 billion times and is the leading communications channel worldwide due to its free access and ease of use.

Because of its popularity and the fact that it’s the only widely used app in some areas of the world, it has become a staple for business communications, whether chatting with coworkers, providing customer service, and/or nurturing prospects. But with limited governance or oversight, use of these off-channel apps may result in problems and hefty penalties as these communications could violate regulatory standards set by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission, the General Data Protection Regulation (GDPR), and others.

For example, US regulators, including the SEC, penalized banks and financial firms about $2 billion in 2022 for failing to honor their record-keeping and books-and-records obligations. The reason? Their employees had used WhatsApp and other unauthorized messaging apps in ways that violated record-keeping provisions of federal securities laws.

Take responsibility for how social media is used at work

According to WhatsApp, “Privacy and security is in our DNA, which is why we built end-to-end encryption into our app.” This encryption is valid for personal and business messaging and for payments, the latter of which is available in some countries.

However, in certain scenarios, transactions are not end-to-end encrypted, which is why WhatsApp devotes an entire page on its website to this matter. If you’re using WhatsApp or any other social media platform as your main communication tool with customers, bad actors are waiting.

Bottom line? Do not rely on any social media vendor to protect your data. You are responsible for protecting your data and properly retaining, deleting, and archiving it.

“Mitigate risk imposed by this social media platform and others by knowing what employees share, forming an airtight policy, and ensuring your entire staff follows it.” – Arlette Walls, Global Records and Information Management Manager, Iron Mountain

Monitor company posts to see what’s being said

As such, it’s crucial to have comprehensive record-keeping, cybersecurity, access-management protocols, and guardrails regarding the acceptable use of WhatsApp and other social media platforms. The proper legal language should be included in this policy.

Start with an audit of your organization’s social media traffic. What’s being said? What emojis are being used? Emojis can be troublesome because they can be misunderstood. For example, does a thumb’s up emoji signify the person posting it likes something or to go ahead with an order the parties just discussed?

Nip problematic posts in the bud. Organizations and their employees are accountable for and must own what they put out on these channels. To define your social media policy parameters, it’s recommended you form a committee to oversee it.

Get input on your policy from the top

Your steering committee should include leaders in privacy, information, data, security, and communications. This team will define and solidify your policy regarding the appropriate use of WhatsApp and other social media platforms. Specifically, it must set rules around data security, record-keeping, privacy, and the use of personal devices (or BYOD policies), which should have its own set of rules and security measures if permitted to perform business.

Consider situations in which you would allow WhatsApp for business. For example, if you’re a large insurance company with employees scattered around the world, you might permit the use of this app to reach employees in emergency situations only. But clearly communicating such uses is paramount.

Once your social media policy is solidified, convey it clearly to employees and continue monitoring traffic on company channels.

Steer clear of risky business

More than 100 billion WhatsApp messages are sent per day. The chances are high that your employees are using it for personal messages and calls. But if they’re using it for business-related interactions, your organization could be at risk.

Therefore, it’s critical to know what’s being said on these channels, to form a committee to create or update your acceptable use and social media policies, and to ensure it starts at the top and trickles down to every employee. Clearly communicate what is permitted and what is not.

Lastly, always remember that any business-related data being collected on personal devices poses a risk.

Interested in learning more about this topic and others in the information governance space? Visit Iron Mountain 2023 Education Series to watch the on-demand recording of “What’s Up with WhatsApp?” and to register for upcoming webinars.

Share this content: