Virtual meetings and GDPR are not concepts you would think would gel well together. Here we will discuss how you can have secure virtual meetings that will allow you to meet crucial compliance requirements like GDPR. Not only that, we will introduce you to VIDIZMO's enterprise video platform that will help you securely store, manage and share recorded meetings while meeting all the requirements of GDPR. However, we are getting ahead of ourselves. Let us first see how it all started and why businesses need to conduct these virtual meetings in the first place!
With the onset of the pandemic last year, the world, including our business world, experienced many changes. With businesses experiencing the worst economic downturn since the Great Depression, they all turned to remote work to resume their operations.
The rise in remote work ultimately brought in an influx of virtual meetings to assist in business communication and collaboration between employers and remote employees. In the week of March 14th to 21st, video conferencing tools saw a record 62 million downloads globally. However, with the ease of communication comes the heavy responsibility of ensuring that these meetings are not vulnerable to cyber-attacks and fulfill compliance requirements like GDPR.
What is GDPR?
General Data Protection Regulation (GDPR) is a law pertaining to the data protection and privacy of residents of the EU and the European Economic Area. It directly impacts businesses that control or process the personal data of people from this region. Personal data could be any personally identifiable information like name, address, images, videos, recorded meetings, health history and much more.
How GDPR Article 5 Applies to Virtual Meetings?
Article 5 of GDPR details several vital principles linked to how personal data (which includes data transmitted and captured through virtual meetings) should be processed. This entails the following for virtual meetings and their recordings:
- Businesses should only process necessary information.
- If the meeting is recorded, then all the recordings and data collected from meetings should be processed lawfully, fairly, and transparently.
- There needs to be strong security on the platform where your meeting recordings are stored, and it is crucial to limit access to only authorized personnel. Hence, businesses would need to opt for an enterprise video platform like VIDIZMO to fulfill these security requirements.
- Above all, the controller (businesses that collect this data) is held accountable for ensuring these principles are met.
How GDPR Article 6 Applies to Virtual Meetings?
Article 6 of GDPR relates to the grounds on which a meeting could be recorded and information from it could be collected. Businesses must obtain consent from the meeting attendees before recording a meeting unless the recording is necessary for other purposes mentioned under this clause.
How GDPR Article 32 Applies to Virtual Meetings?
Article 32 of GDPR is more linked to the processing tools that include video conferencing solutions like Zoom or enterprise video platforms like VIDIZMO used by businesses for storing, managing and sharing these recorded meetings. It is necessary to maintain the "confidentiality, integrity, availability and resilience" of the processing systems you opt for.
Plus, for processing recorded meetings, in particular, Article 32's second clause is also relevant. It states that businesses have to ensure that processing systems have privacy measures like data segregation and access controls in place to ensure that data is not accessed by unauthorized viewers or is not accidentally or unlawfully destroyed or altered. Hence, managing and sharing recordings through an enterprise video platform will be better to meet these criteria. This is because video conferencing solutions like Zoom don't provide access control and content segregation capabilities to maintain your meeting recordings' data integrity and confidentiality.
For this reason, businesses prefer to opt for enterprise video platforms like VIDIZMO that can integrate with video conferencing solutions like Zoom to automatically ingest meeting recordings for highly secure storage, user authentication systems, extensive access controls and data segregation capabilities. Moreover, they also allow you to manage these recordings alongside all your other video content to create a secure, centralized video library where your content can be organized and searched easily.
Choosing a Virtual Meeting Tool that Fulfills GDPR Requirements
Now that you are aware of the main requirements of GDPR that you must fulfill, you must choose an appropriate video conferencing tool accordingly. Here are 2 critical factors that you must consider when selecting a video conferencing tool:
Data Protection Capabilities
First and foremost, the tool you opt for must have security and data protection at the forefront of its priorities. That would include essential security features like password protection, waiting rooms, meeting lock, end-to-end encryption for meetings and recordings, an authentication system, etc. This is only possible if the video conferencing tool has data protection by design and receives frequent security updates to keep improving its security.
If you cannot find a video conferencing solution with end-to-end encryption to store your meeting recordings, then opt for integrating your meeting solution with VIDIZMO, where all your recordings will be end-to-end encrypted both in transit and at rest.
Built for Business Use Cases
It is not advised to opt for free video-conferencing tools, as they will have minimal security capabilities and are designed more for ease of use. Hence, enterprise-grade security needs cannot be met in the free versions. The business version can also handle a greater number of meeting attendees and allows you to hold webinars.
How to Obtain GDPR Recording Consent for Meetings?
Security of Processing Recorded Meetings
Even more so than meetings, the access management and security of meeting recordings are critical as they contain personally identifiable information that could reach the wrong hands if not protected. As discussed earlier, the requirements set in GDPR Articles 5 and 32 have to be met for you to comply with GDPR when storing and managing them. Let's discuss how you can achieve this:
This is an area where video conferencing solutions are lacking. They are built as a communication platform and not as a video content management system with high storage and security capabilities for recordings. Hence, wise businesses integrate with efficient enterprise video platforms like VIDIZMO. It can automatically ingest your meeting recordings and delete those from your video conferencing solution after the transfer is done. It will then utilize the following capabilities to provide you a secure video solution that meets all your GDPR requirements:
- Access Control: VIDIZMO has certain default user roles with different set permissions that your team members can be assigned. Hence, access to your recordings can be restricted on an organization-wide level, based on user roles, or can be directly granted to specific users. You can also share externally with anonymous users or send external users an email invitation. These shareable links will be password-protected and have a certain view limit and time limit of availability. Hence, these capabilities will allow you to share and manage access for recorded meetings.
- Data Segregation: You can segregate your content by sharing it with different organizational units. These can be created on VIDIZMO by creating user groups. You can also create autonomous portals with a separate authentication system for content with varying levels of sensitivity.
- Identity Management System: VIDIZMO provides you single sign-on integration with various authentication providers like directory services (such as Azure AD) and Identity Access Management (IAM) services (such as OneLogin).
- Audit Trail: GDPR Article 30 requires both the controller and the processor to maintain records of activities performed on personal data like recorded meetings. Hence, VIDIZMO allows you to maintain an audit trail regarding all activities performed on your recordings, like sharing or deleting. You can also generate an audit trail report in case a supervisory authority requests it.
Data Retention Requirements
You should have your recordings stored in an efficient enterprise video platform like VIDIZMO that allows you to set a custom retention period for the data based on two factors provided by GDPR:
- The purpose for which your recording needs to be stored
- Any requirement (legal or regulatory) which requires the recording to be kept for a specific time period
Businesses should securely dispose of the meeting recordings once they are no longer needed.
Accepting Data Subject's Rights
Data subjects have certain rights that you must ensure are met for the recordings you have stored:
- Right of Access: According to Article 15, data subjects can request to access their personal data like a recording. Companies would have 30 days to fulfill this request as denying it is not allowed.
- Right to Erasure: According to Article 17, data subjects can request their personal data to be deleted. VIDIZMO allows you to securely dispose of your recordings if such a request is made to your business.
To sum it up, it must be pretty apparent to you how important it is to fulfill GDPR requirements. With a penalty that can go up to €20 million or 4% of your business' revenue (whichever is higher), businesses can definitely not afford to violate this law. You must follow our recommendations to hold GDPR-compliant virtual meetings and utilize their recordings. You should also train all your employees handling these tools to understand the proper methods and be highly vigilant.