From Signal to Silence - The Privacy Risk of Messaging Apps at Work
Encrypted messaging apps have become part of the modern workplace, often without formal approval. Tools like WhatsApp, Signal, and Telegram are quick, familiar, and facilitate rapid communication. But for privacy professionals, they represent a silent and growing risk.
The Rise of Shadow IT in Messaging
Shadow IT is not a new phenomenon. However, when staff use personal messaging apps for business communication, it creates a gap in your privacy controls. These apps operate outside IT governance. There are no usage logs, no retention policies, and no central oversight. From a GDPR standpoint, this constitutes undocumented processing of personal data, undermining an organisation’s accountability obligations.
Many organisations are required to maintain a Record of Processing Activities (RoPA). If staff are sharing names, phone numbers, case details, or other personal data through unofficial channels, and these activities are not recorded, then there may be a critical blind spot in your compliance framework.
Regulatory Expectations
Supervisory authorities are becoming increasingly vocal about the importance of maintaining an accurate and up-to-date RoPA. In particular, the UK’s Information Commissioner’s Office (ICO) and various EU data protection authorities expect companies to demonstrate control over the communication tools used in the workplace. If an investigation or complaint reveals that personal data is being processed via messaging platforms not documented in your RoPA, it may trigger enforcement action or administrative penalties.
This expectation isn’t limited to formal systems. Regulators are scrutinising how well organisations manage actual day-to-day practices, including the tools employees may default to under pressure. Demonstrating visibility and control over these tools is now part of demonstrating compliance.
The Auditability Problem
Encrypted apps are great for protecting confidentiality, but they pose serious challenges for auditability. If something goes wrong – a data breach, a data subject access request, or an HR dispute – there is often no way to retrieve or review messages. You can’t even confirm what was said, when, or by whom. From a data protection standpoint, that leaves you exposed.
Practical Steps to Reduce Risk
There are some quick, practical steps privacy teams can take to mitigate this risk.
Audit Usage
First, audit actual usage. Collaborate with HR and IT to find out what tools employees are using day-to-day. Don’t assume your policy is being followed. Ask what’s the go-to tool for last-minute updates, rota swaps, client contact, or urgent team decisions. You might be surprised.
Map the Risk
Next, map the risk. For each tool in use, assess what types of data are being processed. Are staff discussing identifiable individuals? Are they sharing photos, addresses, or payroll data? Are external parties being added to group chats? Is the content retained anywhere your organisation can access it?
Update the RoPA
Ensure your RoPA reflects reality. If personal data is being processed on an unofficial platform, and this is not documented, your organisation may already be non-compliant. Update the RoPA to include these tools where necessary. Be sure to document the purpose, data types, categories of recipients, security measures, and lawful basis.
Implement a Comms Policy
Implement a communications policy. You don’t have to ban everything, but you do need clarity. Decide what apps are allowed, and for what purposes. If certain platforms are off-limits, say so clearly. If others are permitted, make sure staff know the conditions: for example, no personal data, or delete after sending.
Review Retention and Access
Review how retention and access are managed. If you’re using platforms like Microsoft Teams or Slack, make sure retention settings are applied consistently. Many tools default to indefinite retention unless configured otherwise. Can you access old messages if needed? Are chat exports available? Does legal hold apply?
Raise Awareness
Raise awareness. Most employees aren’t trying to be sneaky. They simply use the tools to get the job done. That’s why awareness is essential. Run short sessions to explain the risks. Focus on real-life examples – a DSAR that couldn’t be fulfilled, a deleted message that became a legal issue, a personal photo sent in the wrong group.
Beyond Technology: Culture and Accountability
This issue goes deeper than tech. It’s about control, culture, and accountability. As privacy professionals, our role isn’t just to draft policies. It’s also to help the organisation understand what’s at stake.
Data you can’t see is data you can’t protect. And if you can’t protect it, you can’t be compliant. Messaging apps might feel like a harmless workaround, but they carry real risk. Getting ahead of that risk starts with visibility, then structure, then action.
Are there any messaging tools your staff are using right now that aren’t listed in your RoPA or security register? If so, it’s time to close the gap.