The DropBox and WhatsApp Dilemma


So first off, I have a confession to make: I stole the title of this post from someone else! 

The companies were called Dracoon and NetSphere and they did a joint presentation which I saw at this year’s Infosecurity Europe conference. The former developed a file sharing app and the latter an instant messenger, both of which are fully GDPR certified.

Amongst all the presentations, theirs was one that seemed to me to strike at the heart of a real-world problem that most of us can relate to, but the specifics of which might not be obvious to all — though one of our charity clients raised some related concerns in a recent meeting. 

That concern was around how, when communicating with young people using a forum like WhatsApp, you can control not only the content of the messages – to prevent abuse or inappropriate language perhaps – but also protect the personal details – i.e. the phone number – of the group members. Who has the responsibility to police the conversations and the material shared? How do you do that? Where exactly is that data stored for GDPR purposes?

The problem of using third party, and often free, tools like WhatsApp (to have conversations) and DropBox (to share files) in a GDPR regulated world is not trivial. The paid-for versions are less of a problem, because you get some additional security through the SLA but also through some form of centralized management. But the convenience of free messaging and file transfer services is simply, in many cases, too easy to pass up.

Now, this isn’t a sales pitch for any specific alternative products, but it is worth just briefly explaining their thinking. The problem they are addressing is how to use messenger and file sharing applications securely, keeping it within your managed environment and under your control. Since email is now considered pretty old fashioned and an overly formal way of communicating, and instant messaging is so prevalent and easy to use, the question of how to control what’s stored there is an increasingly important one in order to prevent your data leaking out all over the place.

What’s the problem?

Take file sharing. You need to transfer a file to someone outside your organisation but it’s too big to email. Without thinking, you upload it to your personal DropBox, or maybe WeShare, and send it on. What do you do next? Do you delete that file from your personal DropBox account? Probably not. Do you stop sharing that folder with the person after they get it? Again, maybe not. Have you shredded only that file or folder? Are you sure?

So you have a GDPR problem; you don’t know where all your company data is anymore, nor who it’s shared with.

The problem from a compliance point of view is simple: if you are not in control of your data, including files and personally identifiable information, you may have a breach.

What’s the Solution?

Now here’s where I pitch using Office 365, right? Well, sort of. In fact, it doesn’t actually matter what you use, as long as you are in control of it. 

Yes, we use Office 365, and so do all our clients. Do they also use DropBox and WhatsApp? I’d be surprised if every single one of our supported users didn’t use at least one of these two things.

We only use our Office 365 account for all file access and storage, plus a limited selection of tools on our office server (no data though). We communicate almost exclusively through the Teams mobile app, again all kept within the Office 365 environment, though we also use Signal, a great – and highly secure – alternative to WhatsApp for more social messaging. 

If we need to share a document with anyone, we set a time limit on the access, and set Read Only to prevent the person from editing it. We have separate controls on sending emails to external recipients that alert us if someone has sent anything that matches certain data formats, such as a bank account sort code or account number, national insurance number, or other identifiable data, so we know if someone has sent anything outside our organisation that they perhaps should not have done.
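The outbound-email check described above can be illustrated with a small pattern scanner. This is an added example for this post, not the author's product or any vendor's DLP engine: it assumes an internal domain of example.org, uses constructed sample messages, and applies the published format rules for UK sort codes, eight-digit account numbers and National Insurance numbers (two letters, six digits, suffix A to D, with a few prefixes that are never issued). It only alerts when a recipient is outside the organisation, which is the condition the policy is really about.

```python
"""Minimal outbound-email pattern check (added example, not the author's tooling).

Flags messages to external recipients whose body looks like it contains
a UK bank sort code, an eight-digit account number, or a valid-format
National Insurance number. Domain and sample messages are constructed.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Sort code: six digits, usually written 12-34-56 (or six bare digits).
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b|\b\d{6}\b")
# UK bank account number: exactly eight digits.
ACCOUNT_RE = re.compile(r"\b\d{8}\b")
# NI number: two letters, three pairs of digits, one suffix letter A-D, optional spaces.
NINO_RE = re.compile(r"\b([A-Z]{2})\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b", re.IGNORECASE)

# Published NI number rules: these letters/prefixes are never issued.
NINO_BAD_FIRST = set("DFIQUV")
NINO_BAD_SECOND = set("DFIOQUV")
NINO_BAD_PREFIX = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def is_valid_nino(prefix: str) -> bool:
    """Return True if the two-letter prefix could belong to a real NI number."""
    p = prefix.upper()
    return (p[0] not in NINO_BAD_FIRST
            and p[1] not in NINO_BAD_SECOND
            and p not in NINO_BAD_PREFIX)


@dataclass
class Finding:
    kind: str
    value: str


def scan_text(text: str) -> list:
    """Return findings for regulated-looking data in a message body."""
    findings = []
    for m in NINO_RE.finditer(text):
        if is_valid_nino(m.group(1)):
            findings.append(Finding("ni_number", m.group(0)))
    # Remove NI-shaped tokens so their digit groups are not re-flagged as sort codes.
    remaining = NINO_RE.sub(" ", text)
    for m in SORT_CODE_RE.finditer(remaining):
        findings.append(Finding("sort_code", m.group(0)))
    for m in ACCOUNT_RE.finditer(remaining):
        findings.append(Finding("account_number", m.group(0)))
    return findings


def should_alert(sender: str, recipients: list, body: str):
    """Alert only when some recipient is external AND the body matches a pattern.

    Returns None when no alert is needed, otherwise a dict describing it.
    """
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return None
    findings = scan_text(body)
    if not findings:
        return None
    return {"sender": sender, "external": external,
            "findings": [(f.kind, f.value) for f in findings]}


# Constructed sample messages (sender, recipients, body); none of this is real data.
SAMPLE_MESSAGES = [
    ("alice@example.org", ["bob@example.org"],
     "Sort code 12-34-56, account 12345678 for payroll."),        # internal only: no alert
    ("alice@example.org", ["partner@external.test"],
     "The ticket reference is GB 99 88 77 A, thanks."),            # GB never issued: no alert
    ("alice@example.org", ["partner@external.test"],
     "Please pay into 40-12-34 / 98765432. Thanks."),              # external + bank details: alert
    ("alice@example.org", ["partner@external.test"],
     "NI: AB123456C and nothing else."),                           # external + NI number: alert
]


def run_samples() -> list:
    """Evaluate every sample message and return the per-message decisions."""
    return [should_alert(*msg) for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

These are deliberately simple regular expressions, so they will produce false positives (any eight-digit reference number looks like an account number); a production rule set would add context words, confidence thresholds and a review step before anyone is accused of leaking data.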

Can you force people to use your tools?

This is difficult. It’s hard to force people not to use WhatsApp on their phones. If you provide staff with company mobiles you can manage them with things like Intune to restrict what applications they can install on them, but not their personal devices.

You can prevent people from installing DropBox on their company PCs quite easily, by restricting admin rights. You can also use basic web filtering to stop them from accessing 3rd party file sharing sites on their PC or on personal devices on your network. But unless you want to get very draconian about it, it might be more trouble than it’s worth totally restricting all these things, and there is always going to be the odd exception to the rule.

What you can do is provide the tools to everyone that they should be using and make it clear that they shouldn’t be using anything else. If you have written policies that govern this—and you should—then you should make everyone sign up to your code of practice. That way you can at least prove that you have taken reasonable steps. If someone breaches those rules you can prove that you did make it clear that they shouldn’t have used anything else, and the fault is on the user; though as the employer you might not totally escape liability.

As always, user education and awareness are key. Give people the tools they need to do their job and make it clear why they are there and what the implications are for going outside that.

If you're interested in learning more, give us a call. We're always happy to chat.
