Is Slack GDPR Compliant? (And Why It’s Important to Users)


Slack GDPR compliance is important to you as a user. In this article we’ll look at the Slack GDPR policy, security breaches and communication tools as a whole, and discuss the effect of these factors on compliance.

Slack GDPR Policy

Diving straight in, we can look into the criteria we use to assess GDPR compliance:

  • Does the company have an appointed DPO?

On Slack’s privacy policy page, users are instructed that should they want to contact the data protection officer, they can do so at the email provided. After our own research we were unable to unearth a DPO; the closest we can find is the Head of Security Risk & Compliance, so we’ve reached out but are yet to get a response.

  • Do they conduct regular training sessions related to data protection?
  • Has the company ever conducted an impact assessment?
  • Is there a protocol in place for responding to data breaches?

As we’ll see later, Slack’s response to data breaches has been effective, indicating that there is a response plan in place.

  • Does the appointed party responsible for compliance know if the company meets the criteria to be GDPR compliant?

As we’re unable to find the DPO or get in touch with the individual, we can’t be sure that A) they exist, and B) if the company doesn’t have a DPO, how can they know whether they meet the criteria to be compliant?

  • Have they conducted an information audit to map data flows?
  • Is the purpose and duration of personal data storage communicated to the user?
  • Does the company delete all personal data after the stated period? If not, do they state mitigating circumstances for keeping it beyond this period?

More than one of these questions fall under the same remit: we simply don’t know for sure whether certain things have been done, the information audit and regular training for example.

When examining these criteria we must take into account not only what companies tell us they do, but also look at the actions, consequences and responses to what has actually happened.

This leads us onto…

Slack Security Breach

It was four years after the breach that it came to light that Slack had been compromised by hackers, who had inserted malware that scraped user passwords. We won’t be going into depth about the breach; it’s old news and was covered perfectly well by TechCrunch at the time.

The things we are concerned with are:

a) there was a security breach

b) data was stolen

c) Slack’s response

The breach led to Slack incorporating two-factor authentication, having realised the ease with which accounts could be compromised as well as the damage that could be done.

In early 2020, another breach was discovered. Hackers were able to change the location in which files sent through Slack are downloaded. This provided them with an avenue to insert malware (reported by Threatpost).

This breach has been fixed with a patch, but it provides another indication that there are vulnerabilities in Slack’s data protection that hackers can exploit, and while the response plan has been effective, stronger preemptive measures should be taken.

Slack meets the minimum requirements without meeting the strictest security standards; it receives a ‘could do better’, and could improve by incorporating stricter data protection such as:

  • End to end encryption
  • Newest SSL encryption technologies

In terms of data security, Slack’s data protection could be improved by incorporating the stricter measures outlined above (end-to-end encryption and upgrading to the newest SSL encryption technology).

Slack does not meet the industry’s strictest security measures, which is something for you as a user to consider, as it means there is room for improvement with regard to safeguarding your data (we look into this later in the Slack GDPR compliance section).

A surprising number of companies are not compliant with the legislation and so find themselves at high risk of data theft or corruption, fines, loss of user trust in the organisation, etc. We recommend you do a Privacy Impact Assessment before implementing any new software solution.

Slack is very transparent in terms of communicating its compliance efforts, outlined in the company GDPR commitment, with information on key areas of compliance such as security infrastructure and certifications.

Security certifications such as SOC 2, SOC 3, ISO 27001, ISO 27017 and ISO 27018 demonstrate the success of the efforts Slack has made to ensure GDPR compliance. The ISO 27001 certificate, for example, is awarded for Slack’s information security management system, ensuring adequate protection for user data, a key component of GDPR compliance.

In addition, something we’ve spoken about before in the GDPR starter pack, standard contractual clauses are provided, facilitating adequacy and security requirements for those operating in the EU.

This will be particularly important for UK based companies once the transition period is over; you can find all you need to know on the subject in the extremely informative free webinar GDPR after Brexit.

Slack has taken steps to ensure GDPR compliance, and while the Slack GDPR policy has been successful, it falls just short of being a perfect solution by missing out on a few vital safeguards (as previously mentioned) that would take its security to the next level.

Communication Tools & GDPR Compliance

As the number of teams taking advantage of the benefits of remote work increases, the use of tools to facilitate communication has increased correspondingly. This has, however, brought to light some issues related to data protection that users need to be aware of.

We’ve spoken about the wider issues and the actionable steps you can take to mitigate risks in a recent webinar, GDPR risks in working from home; follow the link and you’ll be sent the recording to watch at your leisure.

Many users take for granted that the apps and tools they use are compliant with legislation, meaning they have nothing to worry about, but unfortunately, this isn’t always the case.

You would be forgiven for thinking, ‘Even if the app I use isn’t compliant, that’s their problem right? Not mine?’

Not quite, because the information you send over an insufficiently secure app, tool or network is at risk.

GDPR compliance concerns both consent and security: if the app or tool you’re using is not sufficiently secure, the data you pass over the tool could be subject to theft.

Sensitive information is transferred over Slack. How many times have you spoken about an upcoming presentation? Or asked for a reminder of the login details to a shared account? This is exactly how the tool’s compliance and security affects you as a user.

Slack GDPR Compliance

There are a multitude of technical aspects to data protection that we are concerned with in regards to Slack GDPR compliance.

According to the white paper Slack has provided, it uses TLS 1.2 to protect external data. TLS (Transport Layer Security) is the industry standard for protecting information that is sent online.

Slack is GDPR compliant but does not meet the strictest security standards. Compliance is not the only important factor, though: the previous section provides a clear demonstration of how, despite being GDPR compliant, it could still create issues for you.

Breach reporting is an important aspect of GDPR compliance; whilst preventing a breach is preferable, the response is just as important. Slack has a dedicated CSIRT (Computer Security Incident Response Team), allowing them to create a specific response plan to cope with any breaches.

In terms of users accessing data, Slack does a really great job, offering tools to retrieve personal data upon request (and a Workspace settings centre to contact the admin for this purpose), as well as the profile deletion tool.

Reduce data protection risks with minimal effort

This series is about how communication tools help and affect the companies that use them, but there are always company specific considerations with regard to risk mitigation and compliance. You can take a look at another popular tool for team-based communication in the article: is Zoom GDPR compliant?

You can take steps to reduce risk and ensure compliance (with minimal effort on your part) by getting a demo to see how the Pridatect software can help you, and then trying it for free to see for yourself how it works and, importantly, the results.

Article written by

Lisa Hofmann

Chief of Legal Operations at Pridatect and certified data protection officer
