If you’re like me then someone in almost every WhatsApp group you’re in has reached out to you this week and asked “Should we be moving to Signal?” At first glance, it feels as if we’re caught between the meme intersection of zero trust in Zuckerberg’s Facebook and slavish devotion to all things Musk. But what’s really going on here? Is it a big deal? And are there any lessons to learn?
Zak Doffman, in his Forbes article, provided the image below comparing the various messaging products, and accurately identifies the situation:
“This isn’t about WhatsApp sharing any more of your general data with Facebook than it does already, this is about using your data and your engagement with its platform to enable shopping and other business services, to provide a platform where businesses can communicate with you and sell to you.”
For those of us in Europe, we are protected by the GDPR, so WhatsApp never has shared and still doesn’t share data with Facebook – it was a requirement of the EU regulators approving the purchase. For the rest of the world, the data sharing has already been happening; the Facebook group just had to be more explicit about it as a result of Apple’s recent mandatory privacy labelling requirements and Facebook’s move to monetise WhatsApp. Apple’s decision to require privacy labelling dovetails with the global explosion in data protection regulations. People’s growing awareness of privacy, and their interest in how companies are using their data, is a trend we’ll no doubt see evolving throughout 2021.
Ok. On to the learnings.
The need for clear and understandable privacy notices
As people become more interested in and aware of how their data is being used, the privacy notice will matter more and more. If it is easy to understand, it will instil more trust in new customers and reinforce it for old ones. If your company already has a trust issue with many users – like Facebook – then a dense privacy notice will merely serve to reinforce the mistrust.
The privacy notice offers transparency: it is a window into a company’s practices. Which brings me to the next learning.
Data protection and Privacy by Design matters
There is an inherent tension between commercialisation and providing data security to a user base. Commercialisation by its very nature often requires access to various sorts of personal data in order to be able to deliver the contracted service. To address this tension, the GDPR requires data protection impact assessments to be undertaken to ensure that processing undertaken by a company to provide its commercial service is done in a way that provides people with clarity over how their data is being used, as well as the ability to exercise their rights in relation to their data.
When WhatsApp released its new privacy notice it was actually acting correctly – it just blew up in their face because of the lack of trust people have in Facebook. When Facebook purchased WhatsApp it was a private messaging platform. Facebook always intended to monetise WhatsApp and is now doing so by offering it to businesses as a customer service channel. For this to work, the businesses using it as a channel will have to store logs of these WhatsApp chats on their servers, so they have records of these customer service communications. WhatsApp rightly needs to disclose this. The problem arose from the product being designed for secure communications and now being changed to be used for business communications.
Facebook’s lack of trust and transparency about data sharing, coupled with opaque communications, created this crisis. The forced privacy notice update, coming quickly on the heels of Apple’s mandatory privacy labels, which highlighted how much data WhatsApp was already sharing with Facebook, further fed the fire.
So the takeaways?
- How understandable is your privacy notice? If you can’t answer that question – it’s not understandable enough. Transparency and clear, understandable communication on how you’re using individuals’ data is a core business requirement.
- Treat the personal data you hold as something borrowed from your customers. It’s a precious commodity that you must protect – it’s expected nowadays. So do impact assessments – and when you consider the sections in the impact assessments on purposes, legal basis and ensuring data subject rights – think about how you’re going to communicate these to the people who are being impacted.