How to keep video conferencing GDPR compliant


published on 27 April 2020 | reading time approx. 4 minutes
by Sabine Schmitt, Rödl & Partner Nuremberg, and Bastian Schönnenbeck




This lack of security leaves meetings open to all sorts of mischief. For example, unauthorized parties join Zoom meetings and eavesdrop on them, or share their screens to broadcast offensive content.

Considering that many of these business meetings involve personally identifiable information and classified information, companies should seriously ask themselves whether using video conferencing tools is worth the risk.

Below are a few issues that companies should take into consideration from a data protection perspective. We also explain the challenges your IT security teams face with these new digital resources and what proactive risk management could look like.



Selection of an appropriate video conferencing tool

Already at the selection stage, companies should take a closer look at the data protection regulations they must comply with. In particular, you should pay attention to the following points:

  • Video conferencing solution for business

    Business versions are suitable both for internal company communication and for conferences with customers and business partners. Usually only these versions offer the required security standards. Consumer-grade software, or unlicensed software used without the authorization of your IT department, is not suitable for business video conferencing.
  • Prefer EU providers

    Video and online conferencing tools from providers located in the European Economic Area should be preferred, as they are directly subject to the provisions of the GDPR. If you plan to use the video conferencing system of a third-country provider, you must ensure a level of data protection comparable to that in the EU.
  • Ask for a Data Processing Agreement (DPA)

    Video conferencing providers are data processors. So make sure you sign a data processing agreement that meets the contractual requirements set out in Article 28 GDPR before using the service for your company meetings. You will usually find the relevant DPA on the provider's website, or can obtain it on request.
  • Data protection officer

    The DPO should be involved in the selection of an appropriate video conferencing system. The DPO ensures that the data protection rules are respected.
  • Data protection by design

    The GDPR requires you to put in place appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights. Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements. When choosing a video conferencing tool you should in particular watch out for: 
    • Video transmissions should use end-to-end encryption.
      Caution applies here for persons subject to professional secrecy: a video conferencing tool using a system that transmits data over the network in unencrypted form constitutes a failure to comply with the obligation of secrecy.

    • Use password-protected meetings to keep unwanted participants out.


Before first use: what you need to know

Before using the selected video conferencing service for your company meetings, you should also consider the following points:

  • User configurations

    To achieve the required security level, it is necessary to adjust the settings manually. If you are planning to use tracking, observation, logging, screen-sharing or recording functions, always ask first whether these functions are actually necessary.
  • Screen sharing

    Only information that is relevant to the meeting should be displayed. Close all content that is not required; for example, you could use a second desktop with no files or shortcuts on it.
  • Employee training

    Before first use, all employees should be informed which data may be shared via the video conferencing service. Exchanging documents that contain confidential information should be avoided. Furthermore, it should be ensured that no personally identifiable information is exchanged via the chat function: depending on the provider, it cannot be ruled out that chat transcripts are stored after the conversation ends.
  • Information in accordance with Art. 13 GDPR

    You must provide attendees with information on the processing of their personal data in the context of video conferences. This information can be included in the e-mail invitation.

Risk management in the use of video conferencing

Within the IT infrastructure, security teams are aware of the need to critically evaluate the tools, services and resources in use with regard to their intended purpose. In addition to the widely discussed data protection aspects, cybersecurity ratings play an important role in corporate risk management. Evaluating third parties, or their tools and applications, is particularly important when situations and scenarios change almost daily and decisions have to be made under high pressure. Due to the current increase in employees working from home, the threat level is rising. Studies show that home networks pose a significant cybersecurity risk (malware infections, phishing attacks, etc.).

A cybersecurity rating can easily and practically be added to your company's risk management. Such a rating takes a three-dimensional view of the environment of your company or of a third party (e.g. a video conferencing tool that is planned to be introduced).

The main indicators are checked, such as the use of certificates, patch and update levels, encryption technologies, spam distribution, and the presence of compromised end devices and servers. The rating therefore provides valuable information about the resistance of your own security ecosystem to various attack scenarios.

In view of the expected increase in employees working from home and the general rise in the use of video conferencing tools, it is advisable to have a stable cybersecurity management system as part of your risk management. We also contribute to the security of our clients: for this reason, the cybersecurity rating instrument is available at special conditions until the end of 2020.

