Human resources at a click

WhatsApp in the Workplace


In the UK, WhatsApp is used today by nearly 40 million users, including for business purposes. The app has become a household name, and with its various tools for communication, photo sharing, and planning, it’s easy to see why.

WhatsApp’s owner, Meta, has made great efforts to emphasise the security of the application, in particular the end-to-end encryption it offers. Because of this added security, many users feel free to use the app with confidence, including in a business setting. However, there are unforeseen risks that employers and business owners should be specifically alive to when it is used in a workplace setting, particularly in respect of how it relates to UK GDPR (“GDPR”) laws and protections.

This article explores the potential risks of using WhatsApp for workplace communications and the implications for GDPR compliance and UK legislation, and provides practical tips for employers to mitigate these risks.

Risks of using WhatsApp in the Workplace

Blurring Personal and Professional

The clearest risk of using WhatsApp for work-related purposes is the blurring of lines between personal and professional. In the same way that using Teams chat or Slack can encourage informal messaging, using WhatsApp often results in much more informal conversations than would occur via email. In some situations, this can be a benefit, particularly for team building among remote workers. However, with this informality comes a heightened risk of employees sharing personal opinions and making jokes (often labelled as “workplace banter”) which may be discriminatory or derogatory. Under the Equality Act, both the employee and the employer may be liable for this, if they are considered to be in the course of employment. If the chat is used often, or primarily for work-related communications, there is a real risk of these messages being relied upon in an Employment Tribunal.

Lack of Control and Oversight

Employers may find it challenging to monitor and control the flow of information within WhatsApp groups. Unlike other communication channels, WhatsApp messages are not stored on company servers, making it difficult to track and manage data. This lack of oversight raises the risks of unauthorised sharing of sensitive information, creating compliance issues. In August 2023, NHS Lanarkshire Hospital was reprimanded by the ICO for unauthorised use of WhatsApp to share patients’ personal data, including medical/sensitive data.

Data Breach Risks

Where employees use WhatsApp, they often do so on personal devices, usually mobile phones. This significantly increases the risk of data breaches, because the employee’s phone may be lost, stolen, or hacked. Sensitive company information could therefore be exposed, without the additional protections that companies often place on their hardware.

Inadequate Data Retention Policies

Another, perhaps less obvious, risk relates to data retention. Under the UK GDPR, companies are strictly regulated regarding data retention, and must be clear in their policies about how and when personal data will be deleted. WhatsApp does not provide robust tools for data retention and deletion. Messages can be easily deleted, edited, and even sent privately, without leaving a trace, complicating efforts to maintain proper records and comply with data retention requirements under GDPR. The inability to effectively manage and retrieve communication logs poses a significant challenge for data governance. This is particularly complicated when employees are using WhatsApp on their personal device, as the line is blurred between what is the personal property of the employee, and what is company property that the company can reasonably demand records of.

2026 and the consequences of introducing AI in the workplace

There is an increasing focus on the risks associated with “shadow IT” and the use of unapproved communication tools within organisations. Where employees rely on platforms such as WhatsApp outside employer-sanctioned systems, this can significantly limit oversight, weaken governance controls and create gaps in audit trails. This is a key issue because it undermines an employer’s ability to monitor compliance with internal policies and regulatory obligations, particularly under data protection law. It also increases the risk of inconsistent practices across teams, potential data loss, and difficulties in investigating complaints or misconduct where relevant communications are not readily accessible.

Alongside this, employers are facing growing scrutiny in relation to AI and data usage policies, particularly where messaging apps are used to share or process business information. The interaction between informal communication channels and emerging AI tools presents heightened risks around confidentiality, data security and the misuse of sensitive or proprietary information. This is especially important where employees may input business data into AI-enabled tools without proper safeguards, potentially leading to unintended data exposure or loss of control over how that information is stored and used. As a result, clear and enforceable policies are essential to mitigate legal, regulatory and reputational risk.

There has also been continued evolution in expectations around evidence handling and disclosure, particularly in the context of litigation and Employment Tribunal proceedings. Employers are increasingly expected to identify, preserve and disclose relevant communications across a wide range of platforms, including those held on personal devices or within private messaging apps. This is a key issue because failures in this area can lead to adverse inferences, procedural sanctions or weakened legal positions. It also places greater emphasis on having robust data retention practices and clear protocols for capturing and retrieving business communications, ensuring organisations are properly prepared for disputes and regulatory scrutiny.

Practical Tips for Employers

Looking at the above, the risks may seem high, but for many employers and employees, WhatsApp is integral to a smooth-running and friendly workplace. So what can employers do to mitigate these risks, whilst still making use of a good instant messaging tool?

Consider a Different Official Communication Channel

Whilst WhatsApp certainly has clear benefits, there are similar services that are more specifically designed for business use, without resorting back to email, and employers may find that encouraging a swap to one of these tools also encourages more work-appropriate communications. We recommend employers encourage the use of official, secure communication platforms that offer better control, oversight, and data protection features.

Develop Clear Policies

It is really important not to ignore WhatsApp as a potential issue – particularly if you know that employees are using it unofficially. We do not recommend an outright ban of WhatsApp, as this will be impossible to enforce and may negatively impact employee relations. Rather, you should establish comprehensive policies regarding the use of personal devices and applications for work-related communication. Clearly outline the acceptable use of WhatsApp, including examples of what is and isn’t appropriate, and the responsibilities of employees in safeguarding personal data.

Training and Awareness

Educate employees about the risks associated with using WhatsApp for work and the importance of data protection. Regular training sessions across all levels of the workforce can help reinforce best practices and compliance with GDPR.

Data Protection Measures

If you choose to continue with WhatsApp, consider implementing technical measures such as device encryption, secure backups, and regular audits to ensure the security of data shared on WhatsApp. It is also worth considering limiting its use to work devices only, though this will entail providing such devices to employees.

Obtain Consent and Document It

If you do not provide work devices to employees, ensure employees provide explicit consent to use their personal numbers and devices for work purposes. You should maintain records of such consents for accountability and compliance purposes.

We understand that this may seem daunting for some employers. If you need tailored advice about how to navigate this, please reach out to our team, who would be happy to help.

Disclaimer: This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Monica Mastropasqua | Oscar Poku
Monica Mastropasqua
Trainee Solicitor
