Unauthorized messaging apps for business purposes

Today, there is hardly anyone who doesn’t use an instant messaging app.

WhatsApp – often for family chats or, as parents will surely confirm, school groups; Messenger – for socializing; Signal – for more security-conscious users.

Choosing a tool in private life is a matter of preference – some prioritize convenience, others security or some other additional feature – and everyone privately uses the messenger that best matches those preferences.

The private sphere vs professional duties

The GDPR clearly distinguishes between these two realities. Article 2(2)(c) excludes data processed purely for personal purposes from regulation. An employer has no right to interfere in employees’ private conversations. However, the boundary shifts immediately when business data is involved. At that point, the responsibility falls on the controller’s shoulders – meaning the organization.

This means that a company should not only specify which tools are allowed but also anticipate risks, define the purposes of data processing, control data retention, and implement rules that will prevent security incidents.

Are all messaging apps secure?

It depends; the question has to be considered broadly.

This text does not directly evaluate the technical safeguards of the apps; it draws on the general opinions prevailing in the cybersecurity community, which are only one element in assessing the security of using this type of application.

  • Signal  

An open-source solution with full end-to-end encryption. As a non-profit project, it is perceived as one of the most secure tools, also due to the lower risk of commercial exploitation of data. In other words? Theoretically, there is a lower chance here that our data will be sold or used to train AI. This messenger has a strong reputation within the information security community.

  • WhatsApp

It provides encryption, but it belongs to the Meta corporation – hence, privacy concerns arise. It is a program that enjoys a good reputation regarding the level of security it offers. Does Meta actually use the content of conversations for its business purposes? It is difficult to assess unequivocally, but it is also hard not to have doubts when seeing certain ads appear after mentioning various products during chats.

  • Microsoft Teams 

A commercial solution dedicated to business entities. It is part of the paid Office 365 suite offered by Microsoft. Its biggest advantage is full control on the organization’s side: you can easily remove users, configure retention, and enforce 2FA (Two-Factor Authentication). Upon termination of employment, the employee loses all access to the chat history and the business data transmitted through it. Google Chat is a similar solution.

  • Telegram 

Default chats in this app are not end-to-end encrypted. Although this can be enabled in private conversations, it requires considerable effort; moreover, the encryption relies on a proprietary protocol that has not been independently verified or audited, so its methods are not fully proven. Furthermore, many different security controversies have emerged around this messenger.

Allowed messengers in the organization

An organization should define which communication methods it uses and considers secure, in order to maintain control over processed data, including personal data. The controller has specific obligations here in connection with personal data processing. For example, after a certain period, the data should be deleted from all locations, including the messenger. For organizations, corporate solutions, such as those from the Office 365 suite, are generally recommended due to the wide range of options for building security measures.

Risks associated with using unauthorized messaging apps

When employees use private messengers at work, the organization loses control over the data. The apps are often not properly secured and/or do not meet the organization’s security requirements.

This creates specific problems:

  • Lack of control – the company has no influence over what happens to the transmitted materials or whether they were adequately protected.
  • Risk of hacking attacks – a compromised messenger account can mean unauthorized access to confidential data.
  • Possibility of leaks – sending sensitive documents through applications not covered by a risk analysis threatens serious legal and reputational consequences.
  • Issues upon employee departure – a person who stops working at the company may still have access to chat histories and documents if a centrally managed tool was not used.

What messenger security requirements should be applied?

  1. Use only authorized tools: Use only company-approved applications for business communication. They are properly secured and provide greater control over data. They also meet the organization’s security requirements for processed data.
  2. Care for security: If you have any doubts regarding the security of the tools used, contact the IT department or the Data Protection Officer (DPO). 
  3. Report problems: In the event of a suspected data security breach, report it immediately to the DPO.

How to document compliance?

When implementing security documentation, one must certainly keep in mind that it should correspond to the real business needs of the organization.

In micro-enterprises, there may not necessarily be a need to create an extensive communication policy; a simple communication stating that only communication methods considered secure by the organization are to be used might suffice.

For larger entities, however, it is recommended to create a specific communication policy within the internal documentation, which will define:

  • What is to be communicated, when, with whom, and how to communicate; 
  • Which messaging apps are permissible for business purposes (it is worth consulting the IT department on technical issues here);
  • That transmitting personal data related to the work performed through channels other than the permitted ones is prohibited; 
  • If the company does not use a centrally managed tool like Microsoft Teams or Google Chat – the rules for access control, account creation, etc., in other messengers should be defined;
  • Rules for the retention of personal data processed using messengers;
  • Authorization rules during login (preferably using two-factor authentication);
  • Rules for contacting clients via selected communication channels;
  • Rules for transferring information files – e.g., using a network resource with access restricted to a specific recipient.

The above issues should be included in a separate document and communicated to employees, and training should be conducted in this area, so that, for example, during an information security audit, there is tangible proof that employees are aware in this regard.

It is also worth remembering that the use of a selected messenger should be entered into the Register of Processing Activities (RoPA) and included in the risk analysis related to data processing operations.

FAQ - Frequently Asked Questions

Why shouldn't private messaging apps be used for work purposes?

Because the company loses control over the data shared there. In the event of an employee’s departure, an account compromise, or an application failure, the organization has no way to recover and secure the information.

These applications were not designed with business requirements and GDPR in mind. Even if they offer encryption, they do not give the organization full control over data retention, access, or deletion. Therefore, business solutions, such as Microsoft Teams or Google Chat, are recommended for work.

The most common risks include: personal data leaks, issues during audits and inspections, difficulties in documenting GDPR compliance, as well as the real possibility of sensitive information being intercepted by cybercriminals.

Most commonly, tools from corporate suites (e.g., Microsoft Teams, Google Chat) are used, as they allow administrators to manage accounts, set data retention policies, enforce two-factor authentication, and easily revoke access upon termination of cooperation.

It is advisable to refer to the company’s policy and propose a secure, authorized communication channel. If the client insists on a private messenger, this should be consulted with a supervisor or the IT/DPO department.
