
6 compliance factors to take into account for video calls with customers

If you’re using video calls for customer interaction, then you’re most likely talking to customers about personal matters. And you might be sharing confidential, sensitive information over a video connection - about a mortgage loan, investments or health insurance, for example.

That’s why there are international regulations and compliance certificates to help you ensure that any personally identifiable data of customers and employees that is shared during a video call is secured and protected against phishing, fraud, hacking, and data breaches.

Which compliance regulations does your organisation need to be aware of when it comes to video calling for Customer Engagement? How to protect access to video calls? Where to store recordings securely? And what audit logs are relevant for video calling?

In this blog, you'll find a complete checklist for compliant video calling:

General security & compliance criteria for video calling with customers
Compliance checklist for video call technology
  01. Protect confidential information during a video call
  02. Restrict access to video calls with user roles
  03. Inform your customers about security in a compliant way
  04. Document video conversations if you have to
  05. Choose how and when to store video call reports & recordings
  06. Collect the right audit logs
Conclusion: a case for configurable video call technology

 

 

Which general security & compliance criteria apply to video calling with B2C clients? 


Regardless of what types of conversations you’re having with customers via video, it is important to be aware of some general compliance criteria which apply to your video calls with customers.

First off, when you share personal data over the internet, the data always needs to be encrypted. That way, if a conversation or call is being hacked, there’s a smaller chance of your data actually being deciphered by third parties.
 


 

 
And as for compliance, there are international regulations that you need to comply with as a business to handle confidential customer data responsibly - i.e. in a secure and compliant manner. Such regulations, like GDPR, PCI or MiFID II, cover the protection of personal data, consent, and secure storage of sensitive data.

For example, a requirement of the European MiFID II legislation is that all ‘electronic communication’ discussing financial transactions needs to be recorded:

"Records shall include the recording of telephone conversations or electronic communications relating to, at least, transactions concluded when dealing on own account and the provision of client order services that relate to the reception, transmission and execution of client orders."

Article 16, paragraph 7, MiFID II


Compliance regulations cover 3 general domains:


Documentation of customer conversations


You can be required to document all customer interactions in the form of a written summary or a recording, in audio or video, which is securely stored for at least a set number of months or years afterwards, as in the MiFID II text above.

 
TIP
💡 Check if your video call technology can automate and guarantee the creation of recordings and accompanying reports, e.g. through AI-powered speech analysis. This makes it easier and more time-efficient to meet compliance requirements for video calling.

Verification of video call participants (customers as well as agents)

Another compliance requirement could stipulate that you have some sort of check in place to verify the identity of a customer first – before discussing financial matters, personal health, or starting an application process over a video call.

And the same goes for verifying the identity of agents of course, who need separate access credentials. 

For example, to make sure your agents are talking to the right customer during a video call, you can require customers to log in to your environment first - or install an integration with a digital identification or ID verification tool, like DigiD or ID Contact in the Netherlands.

Second example: to assure customers that they are talking to a verified advisor from your organisation, host video calls on your own domain, which should look like [xxx.yourcompany.com], not on an external vendor’s third-party domain. It's a lot easier for hackers to pretend to be an advisor from your company and perform a phishing attack by hosting a video call on a third-party domain from Zoom or Teams.


 

Traceability of events: audit logs

In case a security incident does take place, any recordings or reports you have collected of video calls should convey metadata on relevant events that happened during a video call, or on actions that were performed in your video call tool.

You can use those so-called audit or event logs to trace the origin of the incident, and prevent it in the future. Examples of ‘audit logs’ for the compliance of video calls can be data points like call duration, the customer’s email address, internal device number or agent ID, or more detailed security logs.

The importance of audit logs for SaaS security is also highlighted by the UK’s National Cyber Security Centre (NCSC).

 


 

Compliance checklist for video call technology: 6 criteria to check


In short: when using video calls for customer interaction, you want to be sure that the video call technology and processes you have installed are compliant with international, national and internal regulations for privacy and data security.

So what minimum requirements around compliance does your video call technology need to meet? Here’s our checklist of 6 key compliance factors 👇
 


 

1. Data protection | Protect confidential, personally identifiable information during a video call


The goal of compliance checks like ISO 27001 is, in the first place, to minimise the risk of any confidential or personal information of your company, your employees, or your customers falling into the wrong hands - i.e. from being misused by or leaked to third parties.

Look for these video call capabilities 🔒

  • End-to-end encryption of in-transit data (i.e. of the video and/or audio stream)
  • Option to anonymise or remove specific customer data in transcripts and data exports from a video call

For example, the capability to anonymise customer reviews, or to keep email addresses, phone numbers and home addresses which customers entered in a video call booking form from being displayed in your data dashboard.
 

TIP! If you want to be able to hide sensitive information on a web page or document that you’re sharing via video, choose co-browsing over screen sharing. A co-browse session allows you to mask specific fields - so that the agent can’t see a customer’s bank account balance, or credit card details.

 


 

2. Data protection | Restrict access to video calls with authentication & user roles


A key capability for minimising the risk of attackers hacking into your video calls and causing security breaches, phishing attacks or fraud is restricting permission to start a video call to authorised users only.

Configurable video call technology offers user management with different user groups, roles and admin rights.

Look for these video call capabilities 🔒

  • User roles to prevent unauthorised users from being able to schedule or start a video call
  • Meeting templating, so you can choose which types of agents are authorised to configure which types of settings
  • A verified login process for agents, and a separate process to start a video call for the agent and the customer
  • Make sure your video call technology runs web-based on your own domain, never on the app or client of a video conferencing tool

Hosting video calls on third-party apps like Zoom or Teams makes them prone to phishing attacks. Anyone can create an account, give it your organisation's name and send an email invite for a (fake) meeting.

A separate authentication process for agents helps prevent phishing or fraud. Even if a malicious attacker somehow obtains a customer’s access URL, they can’t use it to have a video call posing as a fake advisor from your company.

[Figure: features to check your video call technology on, in order to restrict access to video calls by unauthorised participants and prevent phishing.]

 

3. Communication | Inform your customers about security in a compliant way


Some internal compliance regulations might specify that you inform customers about the way in which their personal information is processed and secured during a video call, or about whether the video call is being recorded and for what reasons. When you’re recording a video call for training purposes only, European GDPR legislation actually requires you to ask customers for legal consent to the recording first.

 

Video call capabilities to look for 🔒

  • Custom email automation, so you can send customers relevant information about an upcoming video call in a password-protected environment or from a custom email domain

For example, inform your customers about how to check that their video call is a secure connection - by looking for the closed padlock 🔒  encryption sign - in an email sent from your secure email domain.


  • Custom notifications via other channels, like SMS reminders containing the unique video call link, or a disclaimer message in a custom waiting room informing customers that the video call is being recorded.

This lets you adjust, for each type of video meeting, what the notifications say, when they are sent and to whom.

 

4. Documentation | Document video conversations with customers if compliance requires you to do so


Depending on the type of service you offer via video, compliance might explicitly demand or forbid that you document certain customer conversations – like the MiFID II example above stipulates for investment-related digital conversations.

Such documentation of customer conversations can be in the form of a text report, or a recording in audio or video.

Look for these video call capabilities 📋

  • Recordings of video calls, in either video or audio-only
  • Automated video call transcripts

For example, 24sessions' video call technology generates automated transcripts through Natural Language Processing (NLP) with the Speech-to-text feature.


 

5. Documentation | Make sure you can choose how & when to store video call reports or recordings


If you’re documenting your video calls with customers in the form of text reports or recordings, then compliance regulations such as GDPR also require you to securely store those reports or recordings.

But these compliance regulations differ according to what industry your organisation is in, and to what type of service you're offering video calls for. In order to meet the compliance requirements that apply to you, you need flexible storage options for video call recordings 👇

For example, for video calls about wealth management advice, you might need to collect recordings in video format, and keep those video recordings safely stored for at least 7 years – in compliance with MiFID II regulations. 

However, for other types of customer interactions, your organisation could decide to only record video calls for internal training purposes, and delete recordings after 1 year.

One of our customers, for example, offers 2 different types of video banking services, remote mortgage advice and wealth management via video. MiFID II compliance requires the wealth management conversation to be recorded and securely stored for 7 years. The bank needs to notify the customer of the video call being recorded before it starts. The mortgage consultation, on the other hand, doesn’t have to be recorded and requires way fewer compliance configurations of the video call technology used by this bank.
 

Video call capabilities to check  🎥

  • Make sure you're able to choose whether or not to record video calls per meeting type
    Manually for each video call, or with recordings turned on/off automatically for a specific meeting type.

  • Configure how to record video calls
    In video format or audio-only. Audio-only has fewer privacy implications because it records less personally-identifiable information like visual and biometric data.

  • Choose where to store recordings
    On-premise or in-cloud storage.

  • Configure how long video call data is stored
    Make sure you only store recordings for a period of time that complies with your privacy statement, GDPR or other regulations.

To sum it up, check if your video call technology offers meeting templating: can you configure settings for video call recordings depending on the type of service you offer via video? 
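
The per-meeting-type recording settings above can be written down as templates and checked against call records. This is an added example, not 24sessions' code: the template names, field names and sample values are constructed, and the training template's notification flag and the zero-year limit for mortgage calls are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Template:
    mode: str                 # recording "on", "off" or "manual" for this meeting type
    fmt: Optional[str]        # required format: "video", "audio" or None (any)
    notify: bool              # customer must be told before a recorded call starts
    min_years: int            # keep recordings at least this long
    max_years: Optional[int]  # delete recordings after this long (None = no limit)

# Constructed templates modelled on the article's bank and training examples.
TEMPLATES = {
    "wealth_management": Template("on", "video", True, 7, None),
    "mortgage_advice": Template("off", None, False, 0, 0),
    "internal_training": Template("manual", None, True, 0, 1),
}

@dataclass
class Call:
    meeting_type: str
    held_on: date
    recording: Optional[str]          # format that was recorded, None if not recorded
    notified: bool = False
    deleted_on: Optional[date] = None

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def audit(call: Call, today: date) -> list:
    """Return the ways one call deviates from its meeting-type template."""
    t, out = TEMPLATES[call.meeting_type], []
    if call.recording is None:
        return ["required recording missing"] if t.mode == "on" else out
    if t.mode == "off":
        out.append("recorded although recording is off for this type")
    if t.fmt and call.recording != t.fmt:
        out.append(f"recorded as {call.recording}, template requires {t.fmt}")
    if t.notify and not call.notified:
        out.append("customer not notified before recording")
    if call.deleted_on and call.deleted_on < add_years(call.held_on, t.min_years):
        out.append("deleted before minimum retention period")
    if (t.max_years is not None and call.deleted_on is None
            and today > add_years(call.held_on, t.max_years)):
        out.append("past maximum retention, still stored")
    return out
```

Running `audit` over every call record on a schedule gives a list of recordings to delete and of calls that need follow-up.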


 

6. Traceability | Collect the right audit or event logs


A quick recap – for compliance reasons you could be required to track data points or audit logs of relevant actions happening during a video call (in case a security incident takes place and you need to establish which information could have been exposed). These audit logs allow you to track which actions a user has performed during a video call or in your video call technology settings. 

Having different types of customer conversations via video means that compliance regulations require you to track different audit logs.

For example, one of our customers is required to add the organisation’s internal agent ID to their video call data logs, so they can always retrace in security reporting which agent conducted a video call. 

Other relevant audit logs of video calls with customers are:

  • Time stamps of when the video call was scheduled, when it started and when it ended
  • A log of recording being enabled
  • A log of when a recording is listened to or downloaded
  • A log of someone cancelling the video call
  • A log of a user changing the settings of a meeting type
  • A log of someone creating a new meeting type

Look for these video call capabilities 🔒

  • Does the technology allow you to edit or add custom audit logs, so you can collect the data points you need to check on your video calls with customers for compliance reasons?
  • For example, is there a flexible API that you can use to build your own data points around?



 

Conclusion: A case for configurable video call technology


Compliance requirements differ for each different service you offer via video calling. 

The solution to meeting such differing requirements when you offer video calls for customer interaction? Ideally, you want to create configurations for each type of video call service you offer, so you can meet all compliance rules for that specific service – like automatically recording video meetings or not.

Configurable Customer Engagement technology - such as 24sessions’ solution - allows you to do just that 🤓  You can configure settings for security, communication, documentation and traceability, allowing you to crack the compliance code and build video call workflows that meet your organisation's requirements.
