Whilst I have mentioned Coronavirus in this article, the advice within applies to all scenarios where you may be using video conferencing services, not just during the Covid-19 pandemic.
With the Coronavirus pandemic changing the way businesses operate, we’re all looking to do more and more business online, and that includes the way we hold meetings and communicate. Video conferencing has become the go-to way to hold meetings with clients, to network and to maintain human contact.
But, have you considered the GDPR and privacy implications of using such services?
Video conferencing services such as Zoom, GoToMeeting, etc. are no different from any other online service provider. If they process any personal data arising from your use of the service, they are your data processor, and in GDPR terms that means you need to be sure they are GDPR compliant and that you apply the GDPR Article 28 requirements to ensure there is a contract in place covering the processing of that personal data. And, yes, that includes when you hold a team meeting or invite people to an online discussion via the service (because of the wide definition of “processing” in GDPR).
Minor note: if you’re reading this but are not using an online video conferencing provider because you run your own internally hosted service, then you will probably only need to worry about the “controller” aspects, rather than the processor ones too.
What are the GDPR implications of video conferencing services like Zoom?
There are a couple of things to consider:
- You, as the host (i.e. the organiser of the online conference), will be the data controller. This means you will need to consider what you must do as a controller (the right to be informed, what you’ll do with the data, the fact that any data you process via the system is covered by GDPR, etc.), as you will be processing personal data.
- As the video conferencing provider is online/cloud-based, they will be your data processor. The GDPR requires you to ensure any processors you use are GDPR compliant and that there is a controller-processor contract (sometimes called a data processing agreement, or DPA) in place. You will also need to be clear about, and understand, what the provider does with the data it may collect from your (and your attendees’) use of the system.
What does this mean in practice?
As a controller:
- If you plan on recording the session, you should make it clear to the attendees that this will be happening, what you plan on doing with the recordings and/or transcripts (e.g. sharing them with all attendees), and spell out the implications for the attendees (e.g. if they turn on their camera their image will be visible to everyone in attendance; depending on how they set up their account, their name, email, etc. may be visible to other attendees; what they say will be recorded, etc.). Also be clear that if they screen share or discuss confidential (or special category) information, this too may be retained as part of the recording, so they should be mindful of their own privacy requirements. You may need to seek consent for such special category data processing, or stop the recording!
- Make sure you sign a data processing agreement (whether separate or part of the terms of service) that meets the contractual requirements set out in Article 28.
Using Zoom as a case study
Zoom seems to be getting a lot of attention at the moment as the go-to platform for video conferencing calls and meetings, and I’ve attended some great online networking via Zoom too. However, other video conferencing services are available and the same issues are likely to arise with them: you will need to check their terms and conditions of service and their privacy notices.
That said, I’m using Zoom here as a case study, not least because of various privacy concerns that have been raised recently (since Zoom’s popularity has risen):
- Forbes “Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk”
- BBC “Coronavirus: Zoom is in everyone’s living room – how safe is it?“
- CNET “Now that everyone’s using Zoom, here are some privacy risks you need to watch out for”
- Vice “Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account” (Zoom say they’re changing this in the next update, so it might be in your interest to check that attendees are using the latest version of the software)
But there’s also some useful advice out there:
You can use some of this information for your DPIA risk assessment if you wish. So, if you are considering using Zoom:
- Decide what you’re going to use Zoom for and what data you are likely to collect, keep and process from using Zoom for your calls. As I say above, consider carrying out a DPIA. Bear in mind that you will have registrants’ data, data you may collect when people join the Zoom call, the recording itself, plus any other functionality Zoom may provide that you can use as the “host” of the call (noting the privacy concerns in the articles above).
- Document your due diligence on Zoom. This means looking at their GDPR statement and reviewing and signing their DPA.
- Update your privacy notice to say what information you collect from hosting a Zoom call and what you’ll do with that data.
- Add a section about what happens when sessions are recorded, spelling out that others on the call will be able to see them, see their name and hear them. They may also be able to see the attendees’ surroundings, which may include other people in the background or other information, unless they use a virtual background.
From a privacy perspective, as the media articles above intimate, you should consider the privacy risks of video conferencing platforms. A lot of these articles (and the underlying report that led to the Forbes article, for example) are slightly scaremongering and rely on users ignoring privacy policies and cookie settings. Provided you can demonstrate that you have assessed Zoom’s compliance, are satisfied with the platform’s compliance against the GDPR processor requirements, and are open and clear with your attendees, you should be fine.