- 12 August 2025
- Privacy and Data Protection
Businesses and self-employed professionals are in a constant pursuit of efficiency and productivity. There are, as a result, no end of tools and products available to smooth digital workflows. However, this convenience can come with significant corporate risk, as highlighted by the recent WeTransfer controversy. The incident, while initially framed as a data privacy issue for individual users, has a number of lessons for both the users of online tools, and for organisations which process data, implementing data policies and terms and conditions.
The controversy arose when WeTransfer updated its terms and conditions, including a clause that could be interpreted as permitting the use of user-uploaded files to train machine learning models. The change was framed as an “update to its Privacy Policy and Terms of Service”. WeTransfer quickly reversed the change and clarified its policy, but not before causing a great deal of consternation amongst its users.
“Shadow IT”
The incident exposed a critical vulnerability in many organisations: the use of “shadow IT”. Employees, seeking to get their jobs done efficiently, often turn to unapproved online services, such as WeTransfer to share large files or WhatsApp to enable faster communication, without checking with their IT or compliance departments whether it is safe to use such platforms or tools. These tools are chosen for their ease of use, not for their data security protocols or legal terms.
This should serve as a wake-up call for businesses about the importance of robust and well-communicated internal data usage policies. It demonstrates how an employee’s seemingly innocuous act of using a third-party tool for work can inadvertently expose a company to legal and reputational risks. In some cases, employees may not even know that they are not permitted to use tools which have not been approved by the organisation.
This behaviour poses a significant threat to a company’s compliance with UK data protection law. Under the UK General Data Protection Regulation (UK GDPR), organisations are responsible for the personal data they process, and this accountability extends to how that data is handled by their employees on third-party platforms. If an employee were to upload sensitive company data, such as client lists, employee records or commercially sensitive intellectual property, to a service that then used it to train an AI model, or that was insecure in some other way, the company could be in breach of its UK GDPR obligations. Such a violation could lead to substantial fines, mandatory reporting to the Information Commissioner’s Office (ICO), and a severe blow to the company’s reputation.
The solution lies not in banning online tools outright, which is often impractical and ineffective, but in implementing and enforcing clear, comprehensive internal policies. Companies must establish and communicate a list of approved online tools for specific tasks and provide guidelines on how to handle different types of data. Crucially, these policies must be backed by regular employee training that goes beyond legal jargon to explain the practical risks. Employees need to understand why using unapproved services is a threat to both their work and the company, and what the potential consequences are, from data breaches to compliance failures.
Social Media Policies
The same risk exists in relation to social media tools, such as messaging platforms. Tools such as WhatsApp are familiar from personal use, their capabilities are well known, and they are trusted with the most sensitive aspects of users’ personal lives, so it is not unreasonable that employees wish to make use of them in a professional setting. However, again, this comes with significant risks for their employers.
Using WhatsApp as a specific example, the messaging service does not allow for the level of control over data that is required by data controllers under UK GDPR. An organisation using it for business purposes is not likely to be able to meet its obligations in lawfully processing data, sharing any data with third parties, and data storage, access and retention.
Employees are unlikely to be familiar with the obligations of the UK GDPR, but will be keenly aware of their need to work efficiently and achieve results for the business. In such scenarios, robust and regular training on compliance with the UK GDPR is needed to reinforce the obligations that employees are subject to, so that organisations remain compliant with the law. Clear social media and generative AI policies help to set the boundaries of what is permissible and safe for the business, and what is not.
Data Protection Policies
The WeTransfer incident underscores a growing “AI trust crisis”, in which vague and expansive legal language is no longer acceptable to a privacy-conscious public. It brings into sharp focus the protections afforded by the UK’s data protection framework, primarily the UK GDPR and the Data Protection Act 2018. These laws are technology-neutral, meaning they apply to AI and machine learning just as they do to any other form of data processing. A core principle is that personal data must be processed fairly, lawfully and transparently. Organisations must be clear about what data they are collecting, why they are collecting it, and what they plan to do with it. Clear and robust data protection policies, supported by clear training, can go a long way to ensuring that employees understand the parameters for using these types of platforms and tools in compliance with data protection laws.
What can organisations and individuals learn?
The WeTransfer incident provides a stark example of a common scenario: an employee using a trusted, consumer-friendly service to perform a work task without knowing about the fine print. For organisations, the lesson is clear: proactive measures such as transparent internal and external policies, employee education, and secure, approved alternatives are essential components of data governance. Ensuring that efficient working practices are part of the solution to an organisation’s data protection obligations, not the problem, is the only way to safeguard your company’s data and its future.
The cost of such training will depend on the business’s requirements, the length of the training and the topics covered. Please do not hesitate to contact a member of our data protection team.
As AI continues to transform the workplace, download our Generative AI Policy. This policy offers clear guidelines to help your organisation navigate the complexities of AI while ensuring compliance and ethical use.
About this article
- Subject: From WeTransfer to WhatsApp: How Unapproved Tools and “Shadow IT” Could Threaten UK GDPR Compliance
- Author:
- Expertise: Privacy and Data Protection
- Published: 12 August 2025
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.