With the coronavirus pandemic changing the way businesses operate, many enterprises are moving more and more of their business online, including the way they hold meetings and communicate with clients and others. The video conferencing industry has gained during the Covid-19 outbreak, with many companies as well as government organisations considering video conferencing the ultimate solution for connecting with remote workers, clients and employees: it prevents direct contact with people while effectively maintaining human contact and networking. In particular, a number of video conferencing platforms have achieved great popularity in the past few weeks. Nevertheless, over the same period, these platforms have also been exposed for not meeting critical GDPR requirements, such as failing to secure data and failing to meet compliance and regulatory prerequisites.
Companies need to be cautious about the platforms they use, and their Data Protection Officer should be involved in the selection of an appropriate system. To what extent are there known vulnerabilities in these platforms? And, equally importantly, to what extent do these platforms reserve the right to use or share the data exchanged through them? Again, an “audit” of the platforms would be advisable, with a focus on guiding users to platforms that are designated for business use. It is somewhat naive to assume that company employees will not also engage in other forms of social contact and communication; therefore strict instructions, or at least guidance, should be given to ensure that work-related matters are not conducted on any platforms other than those designated by the company.
Below are a few issues for companies to take into consideration from the perspective of data protection. This article also explains the challenges IT security teams face with the new digital resources and what proactive risk management could look like.
Selection of an appropriate video conferencing tool
At the selection stage companies should take a closer look at the data protection regulations they need to comply with. In particular, companies should pay attention to the following:
a) Prefer EU providers
Video and online conferencing tools from EU providers should be preferred, as they are directly subject to the provisions of the GDPR. If companies plan to use the video conferencing system of a third-country provider, an adequate level of data protection comparable to that in the EU should be ensured.
b) Video Conferencing Solution for Businesses
Business versions of platforms are usually suitable for both internal company communication and conferences with clients and business partners. These versions generally offer the expected security standards.
c) Ask for Data Processing Agreement (DPA)
Video conferencing providers are data processors. Therefore, businesses should ensure that a DPA meeting the contractual requirements set out in Article 28 of the GDPR is signed before using the services for any company meetings.
d) Data Protection Officer (DPO)
The DPO of the company should be directly involved in the selection of an appropriate video conferencing system to confirm that the data protection rules are adhered to.
e) Data Protection by Design
The GDPR requires businesses to put in place appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights. Data protection by design is about considering data protection and privacy issues upfront in everything companies do. It can assist with company compliance with the GDPR’s fundamental principles and requirements. When choosing a video conferencing tool, businesses should look for video transmissions that use end-to-end encryption. Particular caution applies here for persons subject to professional secrecy, as using a video conferencing tool that transmits data over the network in unencrypted form constitutes a failure to comply with the obligation of secrecy. Equally important is the use of password-protected meetings in order to keep unwanted participants out.
f) Improve employee awareness
Businesses should ensure that all employees are GDPR compliant and that they use solely the approved and contracted video conference platforms, in line with the corresponding instructions and guidelines that companies ought to issue.
Risk management in the use of video conferencing
Within the IT infrastructure, security teams are conscious of the need to critically assess the tools, services and resources in use in terms of their intended use and purpose. In addition to the widely described data protection aspects, cybersecurity ratings play a vital role in corporate risk management. The evaluation of third parties, or of their tools and applications, is significant when situations and scenarios change almost daily and decisions have to be made under high pressure.
Working from home
Due to the Covid-19 pandemic, many companies employ practices to ensure business continuity, such as working from home. Studies show that home networks pose a significant cybersecurity risk (malware infections, phishing attacks, etc.). However, the GDPR should not be, or act as, a barrier to increased and different types of homeworking as, according to the Regulation, businesses will simply need to ensure that they “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed”. The main indicators, such as the use of certificates, patch and update levels, encryption technologies, spam distribution and the presence of compromised devices and servers, should be checked frequently. A cybersecurity rating can easily and practically be added as a supplement to a company’s risk management.
In view of the expected increase in employees working from home offices and the general rise in the use of video conferencing tools, it is advisable to have a stable cybersecurity management system as part of a company’s risk management. And of course, a company’s management and DPO should bear in mind that controllers must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This documentation may retrospectively be examined by the regulator should the regulator undertake any regulatory investigation of the data breach.
For more information on the above, you may contact us at firstname.lastname@example.org.