For 36% of CX leaders, one of their top 3 priorities in 2021 was ‘upgrading customer data privacy tools and compliance processes’ – according to Genesys’ State of CX report. And it was one of their top challenges at the same time.
When you offer video calls for interaction with B2C customers, it’s your responsibility to ensure that your video call technology and processes comply with international regulations for data protection - like the EU’s General Data Protection Regulation (GDPR).
The only obstacle… not all video conferencing tools automatically offer the right features and configurations for discussing confidential topics with clients in compliance with GDPR. Shortly after the pandemic hit, it became clear that popular tools like Zoom had some severe security issues. They lacked end-to-end encryption, for example, and headlines spread about them not being GDPR-compliant.
How do you make sure that the video call technology you use meets European GDPR compliance?
What GDPR regulations do you need to be aware of when using video calls for customer interaction? And what if you need to record video calls – how to store recordings securely?
In this blog, discover the main GDPR compliance requirements you need to know about when video calling, and what they require of the video call technology you use.
👩‍⚖️ What is GDPR?
Why does GDPR compliance matter for having video calls with clients?
💻 GDPR regulations for video calls (in-transit data)
1. Only work with GDPR-compliant technology vendors (Article 28)
2. Your video call vendor should process confidential, personal data securely (Article 5 and 13)
🎥 Specific GDPR compliance for video call recordings (in-rest data)
3. Collect a customer’s Legal Consent for recording (Article 6)
4. Allow customers to access or delete their personal data (Article 15 and 17)
5. Securely store recording files (Article 32)
📗 Learn more in our Security & compliance whitepaper
What is GDPR again?
The GDPR or ‘General Data Protection Regulation’ is a set of laws on data privacy and security introduced by the EU in 2018. Its goal is to protect the personal data of European citizens and give them more control over how their data is collected, processed, accessed, shared and stored online.
Personal data is any personally identifiable information (PII), or information that can directly or indirectly identify an individual. For example, a name, address, email address or gender, but also biometric data shown on an image, video stream or recording.
What’s important is that GDPR not only applies to organisations within the European Union, but also to entities cooperating with European organisations throughout the world. That means, for example, that a business located in the United States but serving customers in the EU (even if it’s just one!) also needs to comply with GDPR.
Why is GDPR compliance important for video calls with B2C customers?
Regarding video calling with B2C customers, we’ve already discussed general compliance criteria for video calls in a previous blog. GDPR is another major compliance law you need to be aware of, and compliant with.
So how does GDPR compliance matter to video calling?
To protect the data privacy of end customers, the European data protection law distinguishes 3 main roles:
- Data subject: a person whose data is collected
- Data controller: an entity that processes personal data. In the case of video calling for B2C customer engagement that’s you, your organisation
- Data processor: the entity that is hired by an enterprise to process data on their behalf, e.g. a vendor of video call technology like 24sessions
When you use video calling to interact with clients, the technology vendor you use is considered a ‘Data processor’ under GDPR’s legal terms. That’s because it processes the personal data of your customers on your behalf – like their name, email address, and biometric information (their facial features showing up on screen during the video connection).
And one key criterion for GDPR compliance is that you, as a ‘data controlling’ entity, are responsible for ensuring that the Data processor handles your customer’s personal data securely.
There are 5 more GDPR regulations that apply to video calling with customers. In this blog, we discuss compliant video calls in these 2 rough categories:
a) GDPR compliance regulations for video calls themselves (in-transit data)
b) Specific GDPR compliance for video call recordings (in-rest data)
a) GDPR compliance for video calls themselves (in-transit data)
1. Only work with GDPR-compliant vendors (Article 28, Data protection)
A video call technology vendor processes your customer’s personal information, and is therefore treated as a Data Processor under GDPR.
GDPR Article 28 requires you to use only the services of a data processor that is itself GDPR-compliant. What’s more, if you fail to comply with GDPR you can be fined up to 20 million euros (or 4% of your company’s annual revenue, whichever is higher).
What it means for your video calls.
✅ Make sure you sign a DPA (Data Processing Agreement) with your video call vendor before rolling out video customer contact
✅ A DPA documents the scope and purpose of processing, and you can usually already download it from your vendor’s website (e.g. find the 24sessions by Messagebird DPA here)
2. Make sure your video call vendor processes personal data securely (Article 5 and 13)
GDPR article 13 simply states that for hosting video calls, you have to notify all participants – i.e. your customers as well as your employees – about processing their personal data within the context of virtual video meetings.
Article 5 outlines some core principles for data security. You as a business or Data Controller, have to check and guarantee that the technology you use processes personal data ‘lawfully, fairly, and transparently’.
GDPR requires:
- that a data processor processes only the personally identifiable data necessary for delivering its services
- that personal data is not stored for longer than necessary
- that the Data Controller, i.e. your organisation, is ultimately responsible for checking that any data processed is processed and stored securely, and for being able to prove this with some form of documentation if necessary – e.g. after a security incident has taken place
What it means for video calling.
To ensure that your video call vendor processes personal data securely, lawfully and in compliance with GDPR, make sure that you:
✅ Check that the video call technology allows you to ask customers for consent to process their personal data before the video call starts, for example in the email invitation – or in a pop-up message if you’re having an instant video call.
✅ To ask for consent it’s helpful if you work with configurable technology which allows you to show your own cookie and/or privacy policy in the customer journey
✅ Does your vendor process data using end-to-end encryption? Both for the video connection itself (in-transit data), and for any data that’s being stored (in-rest data), like a recording?
✅ Ideally, work with an EU-based vendor that specialises in video call technology for Customer Engagement and offers security at an enterprise level
✅ Carry out a compact security assessment or DPIA of your vendor, in which you document how they protect the data privacy of video call participants.
For example, in your assessment you can include a check on whether the video call technology offers a security certification like ISO 27001.
But look beyond certificates too.
Research the organisation you’ve contracted as Data Processor for video calling. For instance, do they offer a free video call plan? Then it’s always possible that your customers’ data is being shared externally. You know the rule of thumb: if an online service is free of charge, it’s highly probable that its users’ personal data are the real currency.
You might also like 📗
Discover more ways to check if your video call vendor is secure in our whitepaper on Secure & compliant video calls >
b) GDPR regulations on storing video call recordings (in-rest data)
Depending on the service you offer via video calling, other compliance regulations – such as MiFID II for discussing financial transactions online – might require you to document customer meetings. Meaning that you keep a text report of every video call, or that you record your video calls.
So if you’re recording video calls with customers, how do you ensure that you store recordings in a GDPR-compliant way?
The GDPR basics are the same as for having a video call (processing in-transit data). But to lawfully and securely process your customer’s personal data when recording video calls, you are required to:
- store recordings securely, and no longer than absolutely necessary (see above)
- provide customers and employees the right to access and erase the recording with their personally identifiable data (Data subject rights)
- restrict access to recording data, e.g. through different user roles offered by configurable video call technology (Article 32)
3. Ask for a customer’s legal consent for recording (Article 6)
First things first – there need to be legal grounds for recording a video call, such as complying with specific legislation about sharing customer data online that applies to your industry.
If you’re recording for training purposes only, then according to GDPR article 6, you need to ask customers for legal consent before the video call starts.
What it means for recording video calls.
✅ Always double-check with your legal department if you really have to record a video session with a client.
✅ If you’re recording a video call for reasons other than a legal obligation (legislation like MiFID II for discussing financial transactions online), ask your customers for consent in advance – so they get the chance to object.
✅ For example, before you switch to a video call from a chat interaction or phone call, mention explicitly that you will be recording it.
Look for these capabilities in your video call technology:
🔒 Can you choose to record or not per type of video call you offer? For some meeting types, legislation like MiFID II requires a recording to be made, while other types are explicitly prohibited from being recorded. With configurations that automatically turn recording on or off for a specific meeting type, you can be sure your video call recordings are always compliant.
🔒 For meeting types which you aren’t legally required (or forbidden) to record, can agents activate the recording individually, for each separate video call?
🔒 Are you allowed to configure how to record video calls? In both video and audio, or just audio? Audio-only has fewer implications on data security, because an audio recording doesn’t store any visual and biometric information 👀
🔒 Look for a vendor specialising in Customer Engagement, with configurable video call technology that allows you to customize the customer journey.
That way, you can adjust the video call journey to your compliance needs, for example by adding a link to your privacy policy in the invitation email.
4. Allow customers to access or delete their personal data (Article 15 and 17, Data subject rights)
With data subject rights, GDPR protects the end customer of which you are collecting personal data.
You have to comply with Article 15’s Right of Access, which lets your customers request access to their personal data, such as a video call recording (a request you have to fulfil within 30 days), and with the Right to Erasure or to be ‘forgotten’ (GDPR Article 17), which lets data subjects request that their personal data be permanently deleted.
What it means for video call recordings.
✅ How long you store recordings should be in compliance with your privacy statement, GDPR or other regulations. Don’t store data for any longer than necessary under these requirements.
✅ Look for video call technology that lets you configure the retention period of recordings, i.e. for how long recording data is stored: either one retention period for all video calls, or a different period for each type of video call.
Good to know 💡
The data subject rights in article 15 and 17 also apply to other personal data than the biometric data stored for video call recordings, such as a customer's name, address, email address, phone number.
5. Securely store video call recordings (Article 32)
GDPR article 32 states that both your organisation and the video call vendor you work with should have technical measures in place to protect data privacy during video calls.
In other words, you have to verify that your video call technology provides the right security capabilities to prevent personal customer data from being leaked, hacked, eavesdropped on or ‘Zoom-bombed’ by third parties.
What it means for your video call technology.
✅ Once you have generated a video call recording (in-rest data), it should also be securely stored with end-to-end encryption – just like the video streams themselves (in-transit data)
✅ On top of encryption, make sure to store your recording files in the EU, and no longer than necessary
✅ Moreover, GDPR data protection requires you to restrict access to recording data. That means you should have user authentication, access controls and data segregation in place to only allow access to stored recordings to authorised employees.
✅ You also have to store recordings somewhere safe where they can’t be downloaded on personal devices.
Good to know 💡
The requirement to securely store customers' personal data also applies to other data than a video call recording, i.e. also a customer's name, address, email address, phone number.
Look for these technological capabilities for GDPR-compliant recordings:
🔒 Use video call technology that allows you to configure recording storage depending on the type of video call. Can you choose to store recordings on-premise, in cloud storage of your choice, or in a cloud provided by your technology vendor?
🔒 Check that the video platform you use offers user roles, so you can configure who has access to recordings at the meeting-type level. You’ll need to restrict access to one client’s recording data (and all personal data processed for that client’s video call, for that matter) to only those users who actually work with that client.
🔒 Make sure to track audit logs to be able to prove later that the video call technology you use offers secure recording access.
🔒 If possible, connect your video call technology’s user management with your central user federation – for example through a SAML/SCIM integration – to ensure that access roles to video call recordings are always up-to-date.
Tools like Microsoft Teams or Zoom lack such configurations for access controls and user authentication.
But on the bright side of video call compliance, the right video call technology made for Customer Engagement will allow you to assign user roles with different authorisation rights to any team member involved in video calling, and to create different roles for each type of video meeting.
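To show how the configurations from sections 3 to 5 fit together, here is an added example (not 24sessions’ or MessageBird’s code) of a small Python policy model: recording on/off per meeting type, a retention period per type, client-scoped access to recordings, and an audit log of every access decision. The meeting-type names, retention periods, users and recordings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Recording policy per meeting type, as the article describes: some types
# must be recorded (regulated financial advice), some may never be, and the
# rest are left to the agent. Names and periods here are constructed examples.
POLICY = {
    "financial-advice": {"recording": "required", "retention_days": 1825},
    "support":          {"recording": "optional", "retention_days": 30},
    "medical-intake":   {"recording": "forbidden", "retention_days": 0},
}

@dataclass
class Recording:
    rec_id: str
    meeting_type: str
    client: str
    created: date

@dataclass
class User:
    name: str
    role: str            # "agent" or "auditor" (constructed roles)
    clients: frozenset   # clients this user actually works with

# Every access decision is appended here, so access can be proven later.
AUDIT_LOG: list = []

def may_record(meeting_type: str, agent_opted_in: bool) -> bool:
    """Decide whether a call of this type is recorded at all."""
    rule = POLICY[meeting_type]["recording"]
    if rule == "required":
        return True
    if rule == "forbidden":
        return False
    return agent_opted_in  # optional: the agent decides per call

def can_access(user: User, rec: Recording) -> bool:
    """Client-scoped access: only users working with that client, or auditors."""
    allowed = user.role == "auditor" or rec.client in user.clients
    AUDIT_LOG.append((user.name, rec.rec_id, "granted" if allowed else "denied"))
    return allowed

def expired(rec: Recording, today: date) -> bool:
    """Retention per meeting type: past the period, the file must be deleted."""
    keep = timedelta(days=POLICY[rec.meeting_type]["retention_days"])
    return today > rec.created + keep
```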
Learn more about video call configurations for compliance
Like to learn more about how to guarantee 100% secure and compliant video calling with customers?
Discover our complete checklist of capabilities & configurations for compliant video interactions: download our whitepaper ‘7 criteria for secure and compliant video calls’ 👇