Is WhatsApp Business GDPR Compliant?

July 9, 2024

I was surprised recently (or more accurately it caught me off guard) when a couple of our customers informed me that their Data Compliance team did not view WhatsApp as GDPR compliant. I thought I would write this week’s blog on the topic to address some of those concerns and highlight why WhatsApp is a GDPR compliant service, especially compared to A2P (Application to Person) SMS, which is currently the dominant messaging channel for engaging and notifying clients.

How A2P SMS works and is it GDPR compliant?

A2P SMS refers to the process of sending automated messages from applications or businesses over a global SMS network (a series of global SMS aggregators), to be delivered to individuals by their mobile service provider. These messages can include transactional notifications, marketing alerts, authentication codes, and more. A2P SMS is widely adopted across various industries due to its simplicity, ubiquity, and high open rates; it is already used by tens of thousands of organizations and is generally deemed a GDPR compliant communication channel.

There are a few key elements of A2P SMS communications that can impact GDPR compliance:

  • A2P SMS messages are not encrypted. If intercepted, they can be read.
  • Data transfer: SMS messages are delivered through a global network from business to user, and there are no controls over how the SMS/data will flow. For example, an SMS from a business in the EU to an individual in the EU may pass through a non-EU country without any adequate EU controls.
  • Note that some domestic SMS messages are delivered through direct connections to mobile providers.
  • There is no Verified Sender with A2P SMS. The sender can be spoofed, and this is the source of most phishing attacks today.
  • Most A2P SMS communications are one-way. This impacts how individuals can opt in and opt out (unsubscribe). This has implications for ‘consent’ when

Figure 1: A2P SMS communication in Clear Channel

How WhatsApp Business works and why it is GDPR compliant

WhatsApp Business works differently from A2P SMS: the communication travels over the internet and is encrypted end-to-end, so if a message is intercepted it cannot be understood. Business Messaging apps such as WhatsApp, Facebook Messenger and Google RCS Business Messaging enable businesses to automate engagement through business platform services such as Payemoji.

  • Business Messaging services such as WhatsApp are encrypted end-to-end. If intercepted, messages cannot be understood.
  • The sender on a WhatsApp Business Platform (such as Payemoji) is verified and cannot be spoofed. The customer knows they are talking with the business, whereas with SMS they may be talking to someone spoofing the business.
  • Business Messaging is delivered from businesses to individuals through the Internet.
  • Verified Sender is available with Business Messaging.
  • Business Messaging communications are interactive and two-way. This makes opt-in and opt-out very easy to do and fulfils the ‘consent’ obligations of GDPR.
  • Data sovereignty: WhatsApp messages are delivered from the user’s WhatsApp client over an encrypted data channel to the WhatsApp Business Platform. For example, the Payemoji WhatsApp Business Platform is located in the EU and never transfers data outside the EU.

Figure 2: Business Messaging (e.g. WhatsApp Business) communication is encrypted.

Does META say WhatsApp Business Platform is GDPR compliant?

WhatsApp is a data processor under GDPR; you can see their Data Processor Addendum here, and the WhatsApp business terms are located here. WhatsApp Business Platforms such as Payemoji are integrated with the WhatsApp Cloud API, and META provides a very good explanation of how this service works here. As WhatsApp is encrypted, META or WhatsApp cannot see into the messages; the extracts below elaborate on this.

  • ‘When a user sends a message to one of these businesses, the message travels end-to-end encrypted between the user and the Cloud API … WhatsApp cannot access any message content exchanged between users and businesses.’
  • ‘WhatsApp acts as the transport service … It has no visibility into the message content being sent. It protects the users by detecting unusual messaging patterns (like a business trying to message all users) or collecting spam reports from users.’
  • ‘Messages sent or received via Cloud API are only accessed by Cloud API, no other part of Meta can use this information. Messages have a maximum retention period of 30 days to provide the base features and functionality of the Cloud API service’
  • ‘No message content is shared or sent to WhatsApp at any time and no WhatsApp employee has access to any message content.’

Payemoji WhatsApp Business Platform GDPR compliance

Payemoji is a GDPR compliant WhatsApp Business Platform. We are a Data Processor according to GDPR guidelines and never see any messages from individuals or businesses. The Payemoji platform is located in a public cloud in Europe and ensures data never leaves the EU. The Payemoji DPA is located here. Payemoji has implemented privacy by design into our systems and processes.

Conclusion:

Ensuring GDPR compliance in A2P SMS and Business Messaging practices is not only a legal requirement but also a vital step in building trust with customers. Businesses must adopt transparent and ethical practices, obtain consent, secure data, and respect individuals' rights to mitigate the risks associated with non-compliance. There are concerns for businesses that use A2P SMS, given its unencrypted communications, lack of a verified sender and lack of opt-in / opt-out within the channel. Businesses should consider the advantages of using a Business Messaging channel such as WhatsApp Business to improve their GDPR compliance. Payemoji is a GDPR compliant service and has implemented privacy by design. Get in touch to learn more.

Addendum: What is Data protection under GDPR?

Thanks for reading this far; here is a little refresher on what GDPR is and what rules apply.

GDPR is the set of rules and requirements that companies and other organisations must comply with when collecting, storing and processing personal data; please see here for details. All organisations within the EU, and organisations outside the EU that target people living in the EU, must comply with GDPR.

What is personal data under GDPR?

According to GDPR, personal data includes information such as a person's name, address, identification cards, income, cultural profile, Internet Protocol address and any health information. GDPR also specifies special categories of personal data that cannot be processed, such as race, sexual orientation, political opinions, religion, trade union membership, genetic or health information and criminal convictions, if any.

What are data controllers and processors under GDPR?

During processing, personal data can pass through various different companies or organisations. Within this cycle there are two main roles that deal with processing personal data:

  • The data controller - decides the purpose and way in which personal data is processed.
  • The data processor - holds and processes data on behalf of a data controller.

Can data be transferred outside of the EU under GDPR?

GDPR does allow data to leave the EU, but the protection offered by GDPR should travel with the data. This means that if you export data abroad, one of the following must hold: the non-EU country's protections are deemed adequate by the EU; your company ensures appropriate safeguards, such as including specific clauses in the agreed contract with the non-European importer of the personal data; or, finally, your company gains the consent of the individual.

When is data processing allowed by GDPR?

GDPR states that you should ‘process data in a fair and lawful manner, for a specified and legitimate purpose and only process the data necessary to fulfil this purpose.’ What does this mean? Processing is allowed when:

  • You have received the consent of the individual concerned.
  • The personal data is required to fulfil a contractual obligation with the individual or to satisfy a legal obligation.
  • You need the personal data to protect the vital interests of the individual.
  • You process the personal data to carry out a task in the public interest.

Finally, processing is allowed when you are acting in your company's legitimate interests, as long as the fundamental rights and freedoms of the individual whose data is processed are not seriously impacted. If the person's rights override your company's interests, then you cannot process the personal data.

Sounds interesting? Get in touch now.

We would love to chat with you about how your business could benefit from omni-channel messaging and the WhatsApp Business Platform, with 4X conversion. Contact us at sales@payemoji.com and we will schedule a call.

So go ahead and join the conversation by taking advantage of the 23 hours that consumers spend per week on their Messaging Apps and use that to grow your Business.