Natalie Laurencik
Natalie Laurencik

The blurred lines of data privacy and messenger apps

by Natalie Laurencik. Don’t send company info via messenging apps - you may fall foul of data retention requirements.

by Natalie Laurencik. You have done it haven’t you? We all have. Sent a screenshot of an internal email, sent our customers details on, or forwarded the sales report on our WhatsApp group or Telegram group with our co-workers. It’s fast and effective. But should we really be doing that? The simple answer is NO, we shouldn’t be.

There are a myriad of new messaging platforms, each with their own privacy features – but generally they do not offer the level of security required by the increasing requirements of local (and some international) data protection legislation to which we may have to comply. Think POPI, GDPR. Let’s take one of the most popular messaging apps around, WhatsApp. Put simply, WhatsApp doesn’t even allow you to. WhatsApp, in fact, expressly prohibits any “non-personal use” of its services, unless specifically authorised by it.

Now, WhatsApp has the new WhatsApp for Business feature, which, as its core, is designed to facilitate customer engagement. But unless you are signed up for that, WhatsApp remains strictly for personal use. Even on the business platform, it does not offer sufficient end-to-end encryption of its messages. Any WhatsApp chat may be easily exported and any back-up of a chat will be unencrypted. Once these messages exist, they cannot be deleted by one user. If a user leaves a group, their access often remains. Ex-employees for instance may still have access that cannot be revoked. While POPI does not speak to exactly what encryption is required, it does state the best and most appropriate organisational, technical and security safeguards must be put in place and maintained.

Amplifying these requirements is the development of section 99 of POPIA, which allows for an employer to be held liable for the actions of its employees. This could be especially dangerous if there can be negligence attributed to the employer in having personal information, which qualifies for protection, out in the ether with ex-employees whose access can’t be revoked. Other failing points are that WhatsApp can terminate your account at any time and without providing any back up. Any duty to maintain records therefore becomes impossible to fulfill. This should raise a red flag in relation to other messaging apps which offer secrecy and deletion of messages too. Whilst it may seem safe, to have no records available to be stolen, you may fall foul of data retention requirements which also form part of the data protection legislation. POPI requires data be kept for the minimum amount of time, but it also interplays with other legislation which requires accurate records be retained for legislated periods of time.

Data protection legislation goes a long way to stating that third parties touching the data must be extremely limited and have, at the least, defined purposes, processing limitations. As we are all aware by now, the big tech companies have eaten up many smaller players. Facebook owns WhatsApp and any information you are sending though WhatsApp is interfaced through Facebook, Messenger and Instagram. Lines begin to become blurred. This is definitely not what you want in your quest to compliance. We therefore urge you not to utilise messaging apps for business communications. Ideally, you should have a business communications, acceptable use and privacy policy – which should make it clear to all your staff what the acceptable method of sharing information is.


Natalie Laurencik is co-founder and director of Consilium Legal, a boutique legal and business advisory. She has been a practicing attorney for 13 years. Her expertise lies in commercial law; with a strong focus on the media, advertising, and public relations sector. She also has a keen interest in privacy and data protection, and is immersed in compliance programmes for clients across several different industries. Laurencik is also completing a PECB certfied GDPR DPO certification. 


– Receive the Retailing Africa newsletter every Monday and Thursday • Subscribe here