With everyone working from home, the uptake of video conferencing services to hold virtual meetings has increased significantly. This has also become a hot topic in the news, particularly on the security and privacy aspects of video conferencing. The GDPR places strict controls on people who handle personal information. Here are 6 tips to help you keep your video conferencing GDPR compliant.
Let’s first take a look at some of the GDPR’s key definitions.
Personal data means any information relating to an identified or identifiable person directly or indirectly. This definition is not limited to the names and addresses of individuals. It also includes images, audio, IP addresses, video recordings and so on.
If you’re hosting a virtual meeting, you will be acting as a controller and if you’re using a company to provide video conference services, such as zoom, skype or cisco, then such company will be acting as a processor on your behalf.
It’s important that you understand your role when it comes to personal data, so that you can comply with the GDPR. Under the GDPR, the ICO (UK public body) has the power to act against controllers and processors. Also, individuals whose personal data you obtain, can bring court claims for compensation and damages against both controllers and processors.
As a controller, you are the decision maker and responsible for deciding why personal data will be collected and the way in which the personal data will be processed. Processors must process personal data on behalf of, and under the controller’s specific instructions.
You are also required to comply with the GDPR’s key principles which are central to complying with the GDPR. I refer to some of the key principles later on in this post.
6 TIPS FOR GDPR (DATA PRIVACY) WHEN VIDEO CONFERENCING
Here are 6 tips to comply with the GDPR when you’re the person hosting the virtual meeting (controller):
1. What personal data will you collect?
Create a list of the personal data that you would like to collect from a virtual meeting. Examples are names, email addresses, mobile numbers, usernames, video recordings etc.
Your list should only include the minimum amount of personal data that you need to meet your purpose for collecting the personal data.
‘Data minimisation’ is a key principle of the GDPR.
2. Why will you collect personal data?
State why you will collect personal data from an individual (this includes employees) and what you intend to do with it (processing).
You cannot say you will collect personal data and leave it at that. As a controller, you have to explain the purpose for collecting the personal data and such purpose cannot conflict with the processing of the personal data.
‘Purpose’ is one of the key principles of the GDPR.
You also need to select the lawful grounds for processing personal data. There are six lawful grounds to choose from and more than one may apply.
3. Impact assessment
Consider doing an impact assessment, particularly if you are contracting with a new company to provide video conferencing services. If you are already using such services, it may still be a good idea to do an impact assessment if more employees from your organisation have started participating in virtual meetings or you have started a new data processing activity.
An example of what to consider when doing an impact assessment is to check whether any personal data will be shared by the company providing the video conferencing services with another third party. If it will be shared, ask the company providing the video conferencing services for an explanation, and raise an objection if it’s not consistent with the purpose for collecting personal data.
You also need to check and control who will have access to the personal data within your own work environment and review whether the security measures are appropriate.
An impact assessment will help to identify any risks and how you can reduce or avoid such risks.
4. Contractual requirement
As a controller, you are required to enter into a written contract with the video conferencing provider (processor).
Before you enter into the contract, carry out pre-contractual checks on the company providing the video conferencing services. This will help to check if the company can provide the technical and organisational measures to comply with the GDPR and make the personal data safe and secure. This will also help to understand the extent of the personal data processing activities that will be undertaken by the company providing the video conferencing services and whether or not they are consistent with your requirements as the controller of the personal data.
Most video conference service providers are large corporations and they are likely to have their own terms and conditions, data processing agreement and privacy policy. Make sure you review these and if they are not acceptable, ask for changes to be made before you enter into the written contract.
As stated above, the controller of the personal data is the decision maker and has the responsibility to determine the purpose for collecting personal data and the way the personal data will be processed.
5. Inform the individuals whose personal data you collect
You are required to inform all the participants that you will be collecting their personal data and the data processing activities that will be undertaken by the processor on your behalf. This is a right that individuals have under the GDPR.
You are also required to inform individuals of how long you will keep their data (retention periods). You should not keep personal data for longer than you need to, and you should be able to justify your decision. ‘Storage Limitation’ is a key principle of the GDPR.
Inform individuals by explaining everything in your privacy policy and so make sure it’s up to date and that it’s brought to everyone’s attention before you start collecting and processing personal data. You could also make an announcement at the start of the virtual meeting that the meeting will be recorded. This is what most call centres do at the start of a phone call.
Individuals should be given the opportunity to exercise their individual rights such as the legal right to object.
Some companies that provide video conferencing services such as Zoom, notify participants if the host of the virtual meeting is recording the meeting. However, participants of the meeting could miss this notification and so it’s unlikely that this will be enough under the GDPR.
‘Transparency’ is another key principle of the GDPR.
6. Video conferencing policy
Consider introducing a video conferencing policy.
This could include a list of approved video conferencing providers, rules that need to be adhered to when participating in a virtual meeting, whether confidential and trade secrets of a business can be disclosed in a virtual meeting.
In 2 April 2020 the NOYB (European Center for Digital Rights) produced a report on privacy policies for video conferencing.
On 21 April 2020 the UK National Cyber Centre published the following guidance notes on video conferencing:
- How to set up and use video conferencing services, such as Zoom and Skype, safely and securely.
- Video conferencing services: security guidance for organisations
If you need any advice on Data Privacy or any other Services that we offer, please call us on +(0)7309256698 or email us on [email protected].
Post created 17 April 2020 (last updated 21 November 2020)
Important Notice: This page is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action. Please email us ([email protected]) if you have any questions.
