How To Have Secure GDPR Compliant Online Meeting Recordings

With almost everyone working remotely after the rise in the COVID-19 pandemic, the concept of virtual meetings took over the business world. One of Reddit’s user rants described it perfectly “Virtual meetings are the second pandemic.”

As the way of communication & team collaboration changed, individuals & organizations started relying more on video conferencing providers. According to the Global Market Insights Industry Report, “Video conferencing market size exceeded USD 15 billion in 2020 and is projected to expand at around 23% CAGR from 2021 to 2027.”

Image Source: GMI 

With the ease of communication comes the heavy responsibility of ensuring that these online meetings are not vulnerable to cyber-attacks and fulfill GDPR compliance requirements.GDPR and virtual meetings are not concepts you would think would gel well together.

This blog will discuss how you can have secure virtual meetings that will allow you to meet crucial compliances like GDPR. Not only that, we will introduce you to VIDIZMO’s enterprise video platform that will help you securely store, manage and share recorded meetings while fulfilling all the GDPR requirements. Let’s start with what’s GDPR & GDPR requirements.

What is GDPR?

GDPR is Europe’s recently introduced (effective from May 25, 2018) data privacy & security law. It is designed to give users more control of how their personal data is accessed, collected, processed, handled, shared or protected online. It is the toughest law drafted & passed by the EU.

General Data Protection Regulation (GDPR) directly impacts businesses that control or process people’s personal data from this region. Personal data could be any personally identifiable information like name, address, images, videos, recorded meetings, health history and much more.

In simpler words, if any organization or website is processing the data of EU residents/citizens or offering any product or service to these people, then GDPR applies to them. GDPR applies to companies even if they’re not in Europe. The 99 articles of GDPR are organized into 11 Chapters, with 173 recitals, briefing about:

• Data protection principles
• Accountability
• Data security
• Data protection by design & default
• When you’re allowed to process data
• Consent
• Data protection officers
• People’s privacy rights

It’s a lot to digest! To make it easy to understand for you, we’ll discuss the articles involving virtual meetings, recording meetings & recorded video management.

Article 5 GDPR for Virtual Meetings

• Businesses should only process necessary information.
• If the meeting is recorded, all the recordings and data collected from meetings should process lawfully, fairly, and transparently.
• There needs to be strong security on the platform where your meeting recordings are stored, and it is crucial to limit access to only authorized personnel.
• Video conferencing providers like Zoom cannot fulfill these requirements. For this purpose, businesses need to opt for an enterprise video management platform like VIDIZMO that can integrate with online meeting solutions to resolve these challenges.
• Above all, the controller (businesses that collect this data) is held accountable for meeting these GDPR principles.

Article 6 GDPR for Recorded Virtual Meetings

GDPR Article 6 relates to the grounds on which a meeting can be recorded and information from it can be collected. Businesses must obtain consent from the meeting attendees before recording a meeting unless necessary for other purposes mentioned under this clause.

Read More: How To Make Your Work Meetings Valuable Assets by Maintaining the Record

Article 32 GDPR for Video Conferencing Tools

GDPR Article 32 applies to the processing tools, including video conferencing solution like Zoom and enterprise video platforms like VIDIZMO used by businesses for storing, managing and sharing recorded meetings.

It is necessary to maintain the “confidentiality, integrity, availability and resilience” of the processing systems you opt for.

Plus, for processing recorded meetings, in particular, Article 32’s second clause is also relevant. It states that businesses must ensure that processing systems have privacy measures like data segregation and access controls.

Data is protected by ensuring it is not accessible to unauthorized viewers and is not accidentally or unlawfully destroyed or altered. This is why managing and sharing recordings through an enterprise video platform helps meet compliances. Even secure video conferencing solutions like Zoom won’t provide critical capabilities (like access control and content segregation) to maintain your meeting recordings’ data integrity and confidentiality.

Enterprise video platforms like VIDIZMO work in tandem with video conferencing solutions through a simple integration. Once integrated, platforms like Zoom’s meeting recordings are automatically ingested into VIDIZMO for:

• highly secure storage
• user authentication system
• extensive access controls
• data segregation capabilities

Learn More: Meeting GDPR Article 32: How Data Segregation Helps?

Moreover, you can manage these recordings alongside all your other video content to create a secure, centralized video library where your content can be organized and searched easily and accurately.

Choosing a GDPR Compliant Video Conferencing Tool

Now that you are aware of the main GDPR requirements & principles you must fulfill, you must choose an appropriate video conferencing tool accordingly. Here are two critical factors that you must consider while selecting a video conferencing tool:

1. Data Protection Capabilities

   First and foremost, the video conferencing tool you opt for must-have security and data protection at the forefront of its priorities. Hence, that would include essential security features like password-protection, waiting rooms, meeting lock, end-to-end encryption for meetings and recordings, authentication system, etc.

   This is only possible if the video conferencing tool has data protection by design and does frequent security updates to keep improving their security. If you can’t find a video conferencing solution with end-to-end encryption to store your meeting recordings, opt for integrating your meeting solution with VIDIZMO, where all your recordings will be end-to-end encrypted both in transit and at rest.

2. Built for Business Use Cases

   Opting for free video-conferencing tools is not advised as they will have minimal security capabilities and are designed to be easier to use. Hence, enterprise-grade security needs cannot be met in the free versions. The business version can also handle a greater number of meeting attendees. They also allow you to hold webinars.

How to Obtain GDPR Recording Consent for Meetings?

You can obtain consent to record your meetings by signposting your privacy policy in your meeting invitation link and encouraging all your participants to go over it before agreeing to enter the meeting.

It is also good practice to verbally let the participants know that they have agreed to the privacy policy at the start of the meeting. Most secure video conferencing solutions also directly let the meeting attendees know when the host starts recording the meeting so they can also object at that point.

Learn More: How to Enable GDPR Consent form in VIDIZMO

However, suppose a participant later requests erasure of their data. In that case, you can also use VIDIZMO’s automated GDPR redaction tool to easily and accurately redact the data subject from the video/audio rather than deleting the entire recording.

What are the Security Concerns of Processing Recorded Meetings?

Securing and controlling access to meeting recordings is critical as they contain personally identifiable information (PII) that could reach the wrong hands if not protected.

As discussed earlier, the requirements set in GDPR Articles 5 and 32 have to be met for you to be GDPR compliant when storing and managing them.

Let’s discuss how you can achieve this:

Data Protection:

This is an area where video conferencing solutions are lacking. They are built as a communication platform and not as a video content management system with security and compliance coverage for recordings.

Hence, wise businesses integrate these meeting tools with efficient enterprise video platforms like VIDIZMO. Once meetings are auto- ingested in VIDIZMO, they can be deleted from your video conferencing solution. It will then utilize the following capabilities to provide you with a secure video solution that meets all your GDPR requirements:

1. Access Control:

   VIDIZMO has 6 default user roles with pre-set permissions controlling what video actions different team members may perform. Plus, your recordings can be accessible organization-wide, or their access may be restricted to certain users or groups.

   
   

   You can also share externally with anonymous users or securely send external users email invitations with expirable, password-protected links. These shareable links can have a certain limit defined on availability and the number of views allowed.

   Learn How to Share Zoom Recordings Securely

   Hence, these capabilities will allow you to share and manage access for recorded meetings.

2. Data Segregation:

   You can segregate your content by sharing it with different organizational units. These can be created on VIDIZMO by creating user groups.

   You can also create multiple autonomous video portals with a separate authentication system for content with varying sensitivity levels.

3. Identity Management System:

   VIDIZMO provides you with single sign-on integration with various authentication providers like directory services (such as Azure AD) and Identity Access Management (IAM) services (such as OneLogin).

4. Audit Trail:

   GDPR Article 30 requires both controller and the processor of activities performed on personal data like recorded meetings to be maintained.

   Hence, VIDIZMO allows you to maintain an audit trail of all activities performed on your recordings, like sharing or deleting.

   

   You can also generate an audit trail report if a supervisory authority requests it.

You should have your recordings stored in an efficient enterprise video platform like VIDIZMO that allows you to set a custom retention period for the data based on two factors provided by GDPR:

• Purpose of why your recording needs to be stored
• Any requirement (legal or regulatory) which requires recording to be retained for a specific time period

Businesses should securely dispose of the meeting recordings once they are no longer needed.

Read More: GDPR and Video Surveillance: How to Meet The Stringent Requirements?

Accepting Data Subject’s Rights:

Data subjects have certain rights that you must ensure are met for the recordings and other videos you have stored:

• Right of Access: According to Article 15, data subjects can request to access their personal data like a recording. Companies would have 30 days to fulfill this request as denying it is not allowed.

• Right to Erasure: According to Article 17, data subjects can request their personal data to be deleted. VIDIZMO allows you to securely dispose of your recordings if such a request is made to your business.

Learn about VIDIZMO’s automated video redaction tool for GDPR.

Summing It Up!

It must be pretty apparent how important it is to fulfill GDPR requirements. With a penalty that can go up to €20 million or 4% of your business’ revenue (whichever is higher), businesses can definitely not afford to violate this law.

You must follow our recommendations to hold GDPR compliant virtual meetings and utilize their recordings. You should also train all your employees handling these tools to understand the proper methods and be highly vigilant.

VIDIZMO’s enterprise video platform helps you fulfill GDPR requirements for recorded meetings, and all other video data, for that matter. Contact us to set up a trial of your VIDIZMO video platform today.