Dec 20, 2020 | Articles, Cyber Security, GDPR

Video Conferencing and the GDPR

Howard Freeman

Howard Freeman

Due to social distancing and restrictions enforced by the UK’s tier systems, we are now used to business meetings taking place online.

In particular, the video conferencing platform “Zoom” has achieved huge popularity through the pandemic. However, over the same period, Zoom has also been exposed for having security gaps and data protection problems.

Video conferencing and the GDPR
Lack of security is leaving meetings open to all sorts of risk

This lack of security is leaving the meetings open to all sorts of risk. For example, unauthorised parties are joining Zoom meetings. They are either overhearing them or sharing their screens to broadcast offensive content. This so-called Zoom ‘Bombing’ has created many issues and upset.

Consider the Risk

Selection of an Appropriate Solution

At the selection stage companies should already take a closer look at the data protection regulations to comply. In particular, you should pay attention to the following points:

Video Conferencing Solutions for Business

Business versions are suitable for both internal company communication and conferences with customers and business partners. Only these versions usually offer the required security standards. Consumer-grade or unlicensed software without the authorisation of your IT department are not suitable for business video conferencing.

EU and UK Providers

Where possible, your chosen provider should host their platform in the European Economic Area. This is because they are directly subject to the provisions of GDPR.  If you plan to use the video conferencing system of a third country provider, it must ensure an adequate level of data protection comparable to that in the EU. This matters greatly if you plan to record.

Data Processing Agreement (DPA)

Video conferencing providers are data processors. So, make sure you sign a data processing agreement that meets the contractual requirements set out in Article 28 of the GDPR before using the services for your company meetings. You should have your own DPA as part of your GDPR compliance pack of documents. If you don’t have one, we can provide one for you. If you require one, please contact us here.

Data Protection Officer 

The DPO should be involved in the selection of an appropriate video conferencing system. This person ensures that the data protection rules are respected.

Data Protection by Design

The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements. When choosing a video conferencing tool you should in particular watch out for: 

  • Video transmissions should use end-to-end encryption. Caution applies here for persons subject to professional secrecy: a video conferencing tool using a system that transmits data over the network in unencrypted form constitutes a failure to comply with the obligation of secrecy 
  • Use password-protected meetings to keep unwanted participants out
  • Use the waiting room function, where available, to control access to your meeting.

Before using the selected video conferencing service for your company meetings, you should also consider the following points:

User Configurations 

To accomplish the required security level, it is necessary to adjust the settings manually. If you are planning to use tracking, observation, logging, screen-sharing and recording functions, you should always ask whether it is necessary to use these functions. 

Screen Sharing 

Only information which is relevant for the meeting should be displayed. Close all content that is not required. Closing your email client is always recommended. After all, you wouldn’t want the meeting attendees to see your email inbox and perhaps take a screenshot or picture of it. You should consider a second desktop with no files or shortcuts on it which is much safer for you.

Employee Training

All employees should be informed about the type of data that is allowed to be shared via the video conferencing service. Any exchange of documents should be avoided if it contains confidential and/or personal information. Furthermore, it should be ensured that no personally identifiable information is exchanged via the chat function. All participants should be informed, in advance, if the content of the chat is to be recorded.

Information in Accordance with Article 13 GDPR

You should provide attendees with information about the processing of personal data in the context of video conferences. This information should be included in the email invitation and call details.

Risk Management in the Use of Video Conferencing

Within your business, you need to be aware of the need to evaluate the tools you use, and their intended use. In addition to the widely described data protection aspects, cyber security ratings are playing an important role in corporate risk management.

Due to the current increase of employees working from home, the threat level is rising. Studies show that home networks pose a significant cyber security risk (malware infections, phishing attacks, etc.). Therefore, you must assess the risk and build in privacy by design.

We can help you carry out a video conferencing and GDPR audit and risk assessment. We can help you understand whether your solution complies with the requirements of the GDPR and whether you are secure both at the office and for home workers. If you would like to know more, please contact us on 03333 22 1011 or contact us here.


Can we help?