Don’t forget about POPIA when using WhatsApp for business communication

23 August 2022 ,  André van NiekerkDr Damian Viviers 7031
More and more businesses are migrating their client communication and marketing efforts towards platforms such as WhatsApp. But take note, there are some legal considerations and risks you should be aware of when doing so.

When your employees communicate with clients via WhatsApp, there is a high likelihood that employees may receive personal information of clients, which in turn triggers legal compliance in terms of the Protection of Personal Information Act 4 of 2013 (POPIA). 

Remember, that the monitoring of such employee-client communications could be complicated, particularly if employees use their personal devices to communicate. Creating a business account on WhatsApp could help limit this risk, but again may require regular monitoring.

Another concern is the security of such personal devices. Who has access to the device, what if the device is hacked and clients’ information is obtained or someone hijacks the account and communicates fraudulently with your clients under the guise of one of your employees? POPIA again requires businesses to have security safeguards in place to protect against such eventualities and ensure the safety and integrity of personal information being processed by businesses. Do devices used by employees to communicate with clients and receive (and thereby process) personal information live up to these standards?

Also consider the location of the chat conversations and backups. Such chats and backups if not stored on the device only may also be backed up to cloud storage on servers around the globe. Such a cross border flow of information also gives rise to certain compliance obligations in terms of POPIA, even if a message is sent between two persons located domestically.

Lastly, remember that an employer remains responsible for the conduct of its employees under POPIA, and should an employee share personal information of a client obtained on WhatsApp with other third parties without the consent of the client, your business will be liable for such conduct in contravention of POPIA.

As convenient as platforms like WhatsApp are, the above demonstrates that you cannot go blindly into using WhatsApp for client communications. Your business data security policies should cater for such use, including security features such as encryption, password security for devices etc. In some cases, a clear policy on personal device use may even be required based on the scope and extent of such use in your business. Employees must also be educated about the acceptable use and risks involved in using such platforms to ensure they understand their obligations and pitfalls.

So, whether you are contemplating moving your business to WhatsApp or have already done so, or if your employees unofficially use WhatsApp to communicate with clients and customers, keep the above in mind and if necessary, consult with a data privacy specialist, in order to assist and help evaluate and update your policies to cater for this new communication channel in your business.

Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy has been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s). 
Related Expertise: Data Security
Related Sectors: Technology