Let’s start with an important concept: when handling customer data, you and your business are ultimately responsible for it. Whether B2B or B2C, the EU’s General Data Protection Regulation (GDPR) treats your business as the key decision-maker – the party that determines why personal data is collected, what it is used for, and which providers are used to process it – and Article 24 places responsibility for that data squarely on you.
This doesn’t mean a provider of video call technology is absolved of responsibility; it has its own, separate obligations for processing and storing customer data securely and compliantly. In fact, a good provider will offer features and customer support that make your compliance with the law simple. What’s important to know is that the ultimate burden is on your business to ensure that any provider you choose processes data in line with GDPR, or with whichever international data protection regulations apply to you.
“Work with a video call provider that offers the features and customer support to help your business stay compliant with GDPR and other data privacy laws”
With 99 articles and 173 recitals, GDPR can seem an intimidating set of laws to comply with. This article will introduce you to the GDPR provisions to be aware of when using video calls for customer interaction, the necessary steps to gain consent from your customers to handle their data, and tips to help you stay compliant with both the letter and the spirit of the law.
Crikle is not offering legal advice. The aim is to provide you with a comprehensive but easy to understand guide on how GDPR applies specifically to the use of video chat and video call technology, to help you stay compliant. We recommend consulting with a data privacy consultancy or legal firm.
The GDPR (General Data Protection Regulation) is the European Union’s data privacy and security law, which took effect in May 2018. It’s designed to protect the personal data of individuals in the EU and give them much greater control over how their data is collected, processed, accessed, shared and stored.
GDPR directly impacts any business that controls or processes the personal data of EU residents. Personal data is any information that can directly or indirectly identify an individual – for example a name, address, email address or gender, but also a person’s face or voice as captured in an image, a live video stream or a recording.
“The moment your business collects any personal data from an EU customer, it becomes a data controller – and is ultimately responsible for protecting it”
It’s important to note that GDPR applies not only to businesses within the European Union but, under Article 3, to businesses anywhere in the world that offer goods or services to people in the EU or monitor their behaviour. That means, for example, that a business located in the United States but serving customers in the EU also needs to be compliant.
The 99 articles of GDPR are organized into 11 Chapters, with 173 recitals on the subjects of:
GDPR is large and far-reaching. With it, the EU is signalling a firm stance on data privacy and security at a time when more and more people entrust their personal data to cloud services, misuse of that data is rife, and breaches are a daily occurrence. Yet GDPR is also fairly light on specifics, making compliance a daunting prospect, particularly for small and medium-sized enterprises.
To protect the data privacy of EU citizens and residents, GDPR defines several roles. Three of them are the subject of this article: the data subject, the data processor and the data controller.
From the perspective of a video call, a data subject is an EU citizen or resident who engages with your business through your video call provider. A data processor is the video call provider that processes the data of your customers on your behalf. A data controller is you – the business that your customers engage with through the video call experience incorporated into your customer journey.
The moment your business collects any personal data from an engagement with an EU customer, you automatically become a data controller. Data controllers are the key decision-makers: they determine why personal data is collected and what it is used for, and they decide the means and method of any processing. Accordingly, Article 24 of GDPR is clear: your business is ultimately responsible for your customers’ personal data and must be able to demonstrate that its processing complies with the regulation.
This means you must actively demonstrate compliance with all of the data protection principles, including taking the necessary steps to gain consent from your customers where consent is the basis for handling their data. It is equally necessary for your agents to be trained, so that they are alert to the data privacy issues that can arise during a customer conversation over a video call.
With the overview of GDPR and your compliance responsibilities complete, it’s time to get into the details. As mentioned previously, the regulation is fairly light on specifics, making it tricky to understand how it applies to a video call. The following sections describe how GDPR articles and principles relate to customer engagement through video call technology, and what your business can do to remain compliant.
Article 28 puts a very specific obligation on your business: you may only use processors that provide sufficient guarantees of GDPR-compliant processing, and the relationship must be governed by a written contract (commonly a data processing agreement) that sets out what the provider may do with the data on your behalf.
Businesses must consider the protection of ‘data in transit’ – any customer data actively moving from one location to another, such as across the internet or through a private network. In the context of video calls, this is the communication your agents hold with customers through the video stream.
Some providers also have features to collect and store ‘data at rest’ – any customer data not actively moving from device to device or network to network, such as data stored in the cloud or on a device. This is usually details such as names and email addresses captured when scheduling calls, or recordings made during calls.
The GDPR basics for protecting data in transit and data at rest are the same. Failure to take adequate data protection steps comes with a heavy price: fines of up to 20 million euros, or 4% of a company’s global annual turnover, whichever is higher. That is daunting, but it’s important to put it into perspective. You should already have a vendor due-diligence process in place, because selecting a video call provider is no different from selecting any other provider that processes personal data on your behalf (e.g. your CRM or email list provider).
Article 5 outlines the fundamental principles for processing personal data under GDPR. Just as your video technology provider must process personal data ‘lawfully, fairly and transparently’, your business must also take all the necessary steps to do the same.
When collecting and storing any customer data in a video call interaction, be that the name and email entered when scheduling the call or the recording of the meeting, you are collecting personal data. This means that your business is a data controller and needs to comply with Article 5.
Article 13 complements Article 5, and gives customers in the EU the right to be informed that their data will be collected and processed. To host video calls compliantly, you must notify all participants – your customers as well as your employees – about the processing of their personal data within the context of the video call.
Article 6 covers the lawfulness of processing the personal data of customers: your business must have one of the lawful bases listed in Article 6(1) for collecting customer data.
One such lawful basis is complying with a legal obligation that applies to your industry. Regulations such as MiFID II for discussing financial transactions online, or HIPAA (a US law) for discussing personal health information, can require you to document meetings with customers through notes or video recordings. However, if you’re recording for training purposes only, then customers must be explicitly asked for consent before the recording begins.
Article 32 (security of processing) requires that both you and your provider implement appropriate technical and organisational measures – such as encryption of the video stream and of stored recordings – to protect the personal data being processed; it builds on the Article 28 obligation, discussed above, to work only with a compliant provider.
In relation specifically to recordings, this means checking that a provider has the technical measures in place to protect any stored recordings. In other words, you must verify that the provider has the right security capabilities to prevent customer data from being leaked, hacked, eavesdropped on, or ‘Zoom bombed’ by third parties and malicious actors.
Articles 15 and 17 of GDPR deal with the rights of data subjects – the customers whose personal data you are collecting. These rights must be honoured for the recordings, videos and other personal data you have stored.
Right of Access: According to Article 15, your customers can request access to the personal data your business holds about them. Under Article 12 you must respond within one month (extendable by up to two further months for complex or numerous requests), and you may refuse only in the narrow cases the regulation permits, such as manifestly unfounded or excessive requests. You therefore need a documented process for verifying the requester’s identity and fulfilling the request in time.
Right to Erasure: According to Article 17, data subjects can request that their personal data be deleted. Your provider should allow you to securely dispose of recordings and associated data if such a request is made to your business.
Whilst it’s crucially important to fulfil your business’s obligations under GDPR, this is about more than following the letter of the law; consumers increasingly understand, and question, how third parties manage their data.
Businesses who put the customer first ultimately win, not because legislation mandates these consumer protections, but because they are truly aware of the rights to privacy and data ownership, taking customer concerns seriously.
Following the recommendations within this article will help your business to hold GDPR compliant video calls with customers. For more details on how Crikle can support your business to create GDPR compliant customer experiences with video calls, contact us to set up a trial today.