Data Privacy Day: Implications for Enterprise Security and Compliance Teams | Blog

Data Privacy Day is an international effort to empower Internet users to protect their privacy and control their digital footprint. It’s celebrated annually in approximately 50 countries. The day was initiated by the Council of Europe back in 2007, and its focus has continued to expand to include families, consumers, and businesses. In honor of Data Privacy Day, we spoke to Evelyn de Souza, a renown trust and privacy expert on our advisory board to understand one of the central business challenges facing enterprises today: the use of personal messaging apps like WhatsApp and Telegram.

Since Data Privacy Day’s origins, the world of business communications has undergone transformational change and upheaval. In 2007, no one predicted how a worldwide pandemic might change how people work and communicate. Today, millions of people use personal messaging apps like WhatsApp and Telegram to not just communicate with friends and colleagues but even with customers and prospects. This behavior became a necessity under lockdown, when in-person meetings in many countries were stopped altogether.

Regulators have caught up to this reality. Settlements to the tune of more than $2 billion over the last two years with a dozen global financial firms show they failed to monitor employees’ communications on unauthorized messaging apps. In some cases, supervisors and senior executives responsible for ensuring compliance with the firms’ communications policies themselves violated the firms’ communication policies. De Souza tells us that many companies have had to bring in “fleets of compliance consultants” to address these compliance issues.

Where is the boundary today between “personal” and “business” communication channels?

In speaking with many of our compliance customers, at SafeGuard Cyber, we’ve learned that transparency and trust have led to higher user adoption among employees than enterprise teams anticipated. Most employees recognize the reality that WhatsApp and Telegram are critical to business growth, especially in emerging markets, where email and calls are not how local populations prefer to communicate. 

These employees also recognize the value of their personal brand. Clients and prospects with whom they’ve built relationships are less likely to answer messages from “unknown” corporate numbers.

So what should organizations do?

Prohibiting apps has often proved not to be the right strategy, says De Souza, as many employees may find a workaround and will continue to conduct business on personal devices as the SEC fines show. This is in big part due to the blurring of work/life boundaries and the rise of individual brands enabled by applications such as TikTok, YouTube and Instagram for example.

De Souza says “the right strategy is a mix of investing in the right processes, procedures, training, attestations and technology to protect organizations.” She points out that many employees hear WhatApp offers “end-to-end encryption” and may assume therefore it’s a secure messaging app and may not see some of the broader risks. This means helping employees understand the risks, and training employees to obtain consent from customers to receive communications via WhatsApp. Once again, transparency is critical. 

From our vantage point, companies must start by making the decision on BYOD vs. managed devices. BYOD will mean enabling personal WhatsApp accounts, compared to managed devices (with separate phone numbers) which can use WhatsApp Business accounts. The next step is working with stakeholders to develop specific use cases and guidelines.

For workers using personal mobile apps for business communication, these messages need to be reviewed and flagged for any risks, messages retained in compliance with key business and internal mandates and other safety and privacy messages put in place.

In consultation with De Souza, our top three recommendations for navigating this process are:

1. Double down on transparency: Enterprise teams need to prioritize clarity in articulating their plans for monitoring business communications on apps like WhatsApp and Telegram. Where possible, employees should be involved as stakeholders in the planning process. Some companies and employees may agree on managed corporate devices, while smaller, more nimble teams may decide personal devices are fine.
2. Establish clear guardrails: From the planning and buy-in stages, companies need to set clear policies on what can and should be communicated on mobile messaging channels. This should also include clear guidance on what will be monitored and how. Will the information be archived? If so, for how long.
3. Give employees the choice to opt IN. Transparency is the foundation of trust. After articulating the plan, after negotiating the terms, finally employees must be given a choice.