GDPR and Video Conferencing: How to Comply
Everyone is talking about the “F-Word” (furlough!) but just as many people are talking about a brand new “Z-Word”. If you hadn’t heard of Zoom video conferencing pre-lockdown then you almost certainly will have done by now. Other video conferencing platforms are also available but whichever site/app takes your Company’s fancy, the same considerations regarding GDPR and data protection apply.
The ICO has said that it understands that resource may be diverted away from compliance matters which is helpful however, they have not said that they will turn a blind eye completely. In this article, we seek to give you some practical tips for ensuring that your video conferencing activities meet with your data protection obligations.
Check the Provider
The current demand for video conferencing is entirely unprecedented and it appears that some of the conferencing platforms are unprepared to handle such demand when it comes to implementing and adhering to strict privacy obligations. It is however, an employer’s obligation to ensure that any video conferencing platforms they might use meet with their own internal and domestic data protection obligations. Some conferencing platforms have received an amount of bad press recently and employers who fail to take steps to verify that the use of such platforms will enable them to meet with their own data protection obligations may find themselves the wrong side of the GDPR and the ICO. Make sure that you do your due diligence on the security measures offered by the video conferencing provider.
Update your privacy notices
Your employee privacy notes will need to be updated to include the use of video conferencing, and so will your client notices/website privacy notices, especially if you are going to be recording the meetings/calls or, there is any exchange of IP data.
Encourage or instruct employees to include a short message referring to the Company’s stance on GDPR and link to the Company’s privacy notices on any conferencing invites.
Transfer of Data
If your employees’ personal information will be sent outside of the UK or EEA then you must ensure that you advise your employees of this fact and that any transfer complies with GDPR. Ensure that you take advice as to the data protection laws which apply in the country to which you are transferring data.
Security Measures and Password Control
Ensure that you update your internal Company policies so that they address the use of video conferencing facilities. Ensure that you have a standard set of instructions for all employees when it comes to the settings of any conferencing apps/sites which may include who in the meeting can share their screen. Rules on password security and exchange and the storage of recordings should also be considered and communicated.
Storage of Data
Ensure that you have proper processes in place for the storage of any personal data which the Company or your employees gather through any video conferencing activities. Remember: data acquired through video conferencing can still form part of a Data Subject Access Request!
If you want to understand more about your GDPR and data protection obligations when it comes to your employees and the Company’s use of video conferencing services please speak to a member of the Employment Team on 01274 864999.