The DropBox and WhatsApp Dilemma


So first off, I have a confession to make: I stole the title of this post from someone else! 

The companies were called Dracoon and NetSphere and they gave a joint presentation which I saw at this year’s Infosecurity Europe conference. The former developed a file sharing app and the latter an instant messenger, both of which were presented as fully GDPR compliant.

Of all the presentations, theirs was the one that seemed to me to strike at the heart of a real-world problem that most of us can relate to, even if the specifics are not obvious to everyone. One of our charity clients raised some related concerns in a recent meeting.

That concern was around how, when communicating with young people on a platform like WhatsApp, you can control not only the content of the messages (to prevent abuse or inappropriate language, perhaps) but also protect the personal details of the group members; in a WhatsApp group every member can see every other member’s phone number. Who has the responsibility to police the conversations and the material shared? How do you do that? Where exactly is that data stored for GDPR purposes?

The problem of using third party, and often free, tools like WhatsApp (to have conversations) and DropBox (to share files) in a GDPR regulated world is not trivial. The paid-for business versions are less of a problem: you get a contract and SLA with the provider, and some form of centralised management, typically an admin console that can see who has shared what with whom and revoke it. But the convenience of free messaging and file transfer services is, in many cases, simply too easy to pass up.

Now, this isn’t a sales pitch for any specific alternative products, but it is worth briefly explaining their thinking. The problem they are addressing is how to use messenger and file sharing applications securely, keeping them within your managed environment and under your control. Since email is now considered rather old fashioned and an overly formal way of communicating, and instant messaging is so prevalent and easy to use, the question of how to control what is stored in these tools is increasingly important if you want to stop your data leaking out all over the place.

What’s the problem?

Take file sharing. You need to transfer a file to someone outside your organisation but it’s too big to email. Without thinking, you upload it to your personal DropBox, or maybe WeShare, and send them a link. What do you do next? Do you delete that file from your personal DropBox account? Probably not. Do you stop sharing it with the person once they have it? Again, maybe not. Did you share just that file, or the whole folder it sits in? Are you sure?

So you have a GDPR problem: you no longer know where all your company data is, nor who it is shared with.

The problem from a compliance point of view is simple: if you are not in control of your data, including files and personally identifiable information, you may already have a reportable breach.

What’s the Solution?

Now here’s where I pitch using Office 365, right? Well, sort of. In fact, it doesn’t actually matter what you use, as long as you are in control of it: you can see what is stored, who it is shared with, and you can revoke that access.

Yes, we use Office 365, and so do all our clients. Do they also use DropBox and WhatsApp? I’d be surprised if every single one of our supported users didn’t use at least one of these two things.

We use our Office 365 account for all file access and storage, plus a limited selection of tools on our office server (no data is kept there, though). We communicate almost exclusively through the Teams mobile app, again all kept within the Office 365 environment, though we also use Signal, a good and highly secure alternative to WhatsApp, for more social messaging.

If we need to share a document with anyone outside the organisation, we set an expiry date on the sharing link and make it view-only so the recipient cannot edit it. We also have separate mail-flow rules on email to external recipients that alert us if a message matches certain data formats, such as a bank sort code or account number, a National Insurance number, or other identifiable data, so we know if someone has sent something outside the organisation that they perhaps should not have.
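The outbound-mail check described above, reproduced as an added Python example so you can see what such a rule flags and what it leaves alone. This is illustrative code, not the Office 365 rule itself or the author’s configuration; the INTERNAL_DOMAINS value, the message dictionary shape and the sample messages are constructed assumptions. The National Insurance format rules follow HMRC’s published format (two prefix letters, six digits, a suffix of A to D, with the unallocated prefixes excluded), and an eight-digit run is only treated as an account number when a sort code appears in the same message, which is a design choice to cut false positives on order and invoice references.

```python
"""Pattern check for UK banking and National Insurance identifiers in mail
leaving the organisation. Illustrative only; not the Office 365 DLP rule."""
import re
from dataclasses import dataclass

# Assumed tenant domain (hypothetical). Anything else counts as external.
INTERNAL_DOMAINS = {"example.org"}

# UK sort code: six digits in three pairs, hyphen or space separated.
SORT_CODE = re.compile(r"\b\d{2}[- ]\d{2}[- ]\d{2}\b")
# UK bank account number: exactly eight digits standing alone (an 11-digit
# phone number has a digit on each side of every 8-digit window, so it will not match).
ACCOUNT_NUMBER = re.compile(r"(?<![\d-])\d{8}(?![\d-])")
# National Insurance number per HMRC format: first letter not D/F/I/Q/U/V,
# second letter not D/F/I/O/Q/U/V, six digits, suffix A-D; spaces optional.
NI_NUMBER = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b",
    re.IGNORECASE,
)
# Prefixes HMRC never allocates; a match with one of these is not a real NI number.
NI_UNALLOCATED_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def scan_outbound(message: dict) -> list:
    """Return the identifiers found in a message that has at least one external
    recipient. message = {"to": [addresses], "subject": str, "body": str}."""
    if not any(is_external(r) for r in message["to"]):
        return []  # internal-only mail is out of scope for this rule
    text = f"{message['subject']}\n{message['body']}"

    # NI numbers first, remembering their spans: the spaced form "AB 12 34 56 C"
    # contains "12 34 56", which would otherwise also look like a sort code.
    findings, ni_spans = [], []
    for m in NI_NUMBER.finditer(text):
        if m.group(1).upper() in NI_UNALLOCATED_PREFIXES:
            continue
        findings.append(Finding("ni_number", m.group(0)))
        ni_spans.append(m.span())

    def inside_ni(span):
        return any(s < span[1] and span[0] < e for s, e in ni_spans)

    sort_codes = [m for m in SORT_CODE.finditer(text) if not inside_ni(m.span())]
    findings += [Finding("sort_code", m.group(0)) for m in sort_codes]
    # Only treat eight-digit runs as account numbers when a sort code is also
    # present; on its own an 8-digit number is usually an order or invoice reference.
    if sort_codes:
        findings += [Finding("account_number", m.group(0)) for m in ACCOUNT_NUMBER.finditer(text)]
    return findings


# Constructed sample messages for this example.
SAMPLE_MESSAGES = [
    {"to": ["supplier@partner-example.com"], "subject": "Payment details",
     "body": "Please pay to sort code 40-12-34, account number 12345678. Thanks."},
    {"to": ["hr@example.org"], "subject": "New starter",
     "body": "NI number is AB 12 34 56 C, please set up payroll."},
    {"to": ["agency@recruit-example.co.uk"], "subject": "Fwd: New starter",
     "body": "NI number is AB 12 34 56 C. Ref TN123456A is the old placeholder. Call 01234567890."},
    {"to": ["client@customer-example.com"], "subject": "Invoice 20240117",
     "body": "Order ref 87654321 dispatched."},
]


def scan_all(messages=SAMPLE_MESSAGES) -> list:
    """Scan every message and return one findings list per message."""
    return [scan_outbound(m) for m in messages]


if __name__ == "__main__":
    for msg, found in zip(SAMPLE_MESSAGES, scan_all()):
        print(msg["to"], "->", [(f.kind, f.value) for f in found] or "no findings")
```

Run it and the first message (bank details to a supplier) and the third (an NI number forwarded to an agency) are flagged, while the internal payroll message and the invoice reference are not. Note that a date written as dd-mm-yy has the same shape as a sort code, which is why the Office 365 sensitive information types look for supporting keywords near a match and assign a confidence level rather than matching on the pattern alone.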

Can you force people to use your tools?

This is difficult. It’s hard to force people not to use WhatsApp on their phones. If you provide staff with company mobiles you can manage them with tools like Intune to restrict which applications they can install, but you cannot do that on their personal devices. What Intune can do on a personal device is apply app protection policies to the company apps themselves (Outlook, Teams, OneDrive), for example blocking copy and paste of company data into other apps, which limits what can leak into WhatsApp even if you cannot stop it being installed.

You can make it harder for people to install DropBox on their company PCs by removing admin rights, though note that the DropBox desktop client installs into the user’s own profile without needing admin rights, so you need application control (AppLocker or similar) rather than just a standard user account to block it properly. You can also use basic web filtering to stop them from accessing third party file sharing sites on their PC, or on personal devices on your network. But unless you want to get very draconian about it, totally restricting all of these things might be more trouble than it’s worth, and there is always going to be the odd exception to the rule.

What you can do is provide everyone with the tools they should be using and make it clear that they shouldn’t be using anything else. If you have written policies that govern this, and you should, then make everyone sign up to your code of practice. That way you can at least prove that you have taken reasonable steps. If someone breaches those rules you can show that you made it clear they shouldn’t have used anything else, and the fault is on the user, though as the employer you might not totally escape liability.

As always, user education and awareness are key. Give people the tools they need to do their job and make it clear why they are there and what the implications are for going outside that.

If you’re interested in learning more, give us a call. We’re always happy to chat.

