
The complete guide to making GDPR compliant video calls

Jul 15 / 5 Min Read

Businesses looking to incorporate video calling to engage their EU customers become responsible for handling their personal data under GDPR, the data privacy law of the European Union. This guide will provide an overview of this regulation and how it applies to customer engagement experiences utilizing video call technology, to help your business stay compliant.

Let’s start with an important concept: when handling customer data you and your business are ultimately responsible for it. Whether B2B or B2C, Article 24 of the EU’s General Data Protection Regulation (GDPR) states that your business is the key decision-maker, with the overall say and control over the reason and purposes behind data collection, and the means to decide which providers are used.

This doesn’t mean a provider of video call technology is absolved of responsibility; they have a different set of responsibilities for how to process and store customer data in a secure, compliant manner. In fact, a helpful provider will offer features and customer support that make your compliance with the law simple. What’s important to know is that the ultimate burden is on your business to ensure a provider processes data in a way that complies with GDPR, or with any other international regulation on data protection.

“Work with a video call provider that offers the features and customer support to help your business stay compliant with GDPR and other data privacy laws”

With 99 articles and 173 recitals, GDPR can seem an intimidating set of laws to comply with. This article will introduce you to what GDPR regulations to be aware of when using video calls for customer interaction, the necessary steps to gain consent from your customers to handle their data, and tips to help you stay compliant with the letter and the spirit of the law.

–––––––––––––––––––––

Crikle is not offering legal advice. The aim is to provide you with a comprehensive but easy-to-understand guide on how GDPR applies specifically to the use of video chat and video call technology, to help you stay compliant. We recommend consulting a data privacy consultancy or legal firm.

–––––––––––––––––––––

What is GDPR?

The GDPR (General Data Protection Regulation) is a set of laws on data privacy and security, introduced by the European Union in 2018. It’s designed to protect the personal data of European citizens and give them much greater control over how their data is collected, processed, accessed, shared and stored online.

GDPR directly impacts any business that controls or processes the personal data of EU residents/citizens. Personal data is any personally identifiable information (PII) that can directly or indirectly identify an individual: for example a name, address, email address or gender, but also biometric data visible in an image, in a video stream, or in a recording.

“The moment your business collects any personal data from an EU customer, it becomes a data controller – and is ultimately responsible for protecting it”

It’s important to note that GDPR not only applies to businesses within the European Union, but throughout the world. That means, for example, that a business located in the United States but serving customers in the EU also needs to be compliant.

The 99 articles of GDPR are organized into 11 Chapters, with 173 recitals on the subjects of:

  • Data protection principles
  • Accountability
  • Data security
  • Data protection by design & default
  • When you’re allowed to process data
  • Consent
  • Data protection officers
  • People’s privacy rights

GDPR is large and far-reaching. With it, the EU is signaling a firm stance on data privacy and security, at a time when increasingly more people are entrusting their personal data with cloud services, misuse of that data often rife, and breaches a daily occurrence. Yet GDPR is also fairly light on specifics, making compliance a daunting prospect, particularly for small and medium-sized enterprises.

–––––––––––––––––––––

Crikle is committed to making every effort to build product features that align with GDPR requirements and foster protection of the personal data processed through our services. For more information about our data practices, please see our Privacy Policy, or you can send an email to privacy@crikle.com if you have any GDPR-specific questions.

–––––––––––––––––––––

What are your responsibilities as a business holding video calls with customers

To protect the data privacy of EU citizens and residents, GDPR recognises several distinct roles (there are 5 in total; just the 3 relevant to this article are covered here):

  • Data Subject – the individual within the EU whose data is collected
  • Data Controller – the entity that decides why and how personal data is processed. In the case of live video calling for customer engagement, that’s you and your business
  • Data Processor – the entity hired by a business to process data on its behalf. For example, a provider of video call technology like Crikle.

From the perspective of a video call, a data subject is an EU citizen or resident who engages with your business through your video call provider. A data processor is the video call provider that processes the data of your customers on your behalf. A data controller is you – the business that your customers engage with through the video call experience incorporated into your customer journey.

The moment your business collects any personal data from an engagement with an EU customer, you automatically become a data controller. Data controllers are the key decision-makers who have the overall say and control over the reason and purposes behind data collection, and the means and method of any data processing. Accordingly, Article 24 of GDPR is clear: your business is ultimately responsible for customers’ personal data and must therefore adhere to the strictest levels of GDPR compliance.

This means you must actively demonstrate compliance with all data protection principles, including taking the necessary steps to gain consent from your customers to handle their data. It is equally necessary for your agents to be educated, so that they are extra attentive to potential data privacy issues that may arise while having a customer conversation over a video call.

Making GDPR-compliant video calls for customer engagement

With the overview of GDPR and your compliance responsibilities completed, it’s time to get into the details. As mentioned previously the regulation is fairly light on the specifics, making it tricky to understand how it applies to a video call. The following sections will detail how GDPR articles and principles relate to customer engagement experiences utilizing video call technology, and what your business can do to remain compliant.

Only work with GDPR-compliant video call providers (Article 28)

Article 28 puts a very specific obligation on businesses to only use providers that are GDPR-compliant themselves.

Businesses must consider the protection of ‘data in transit’ – any customer data actively moving from one location to another, such as across the internet or through a private network. In the context of holding video calls, this is the communication your agents hold with customers through the video stream.

Some providers also have features to collect and store ‘data in-rest’ – any customer data not actively moving from device to device or network to network, such as data stored in the cloud or on a device. This is usually details such as names and email addresses captured when scheduling calls, or recordings made during calls.

The GDPR basics for protecting in-transit and at-rest data are the same. Failure to take adequate data protection steps comes with a heavy price: fines of up to 20 million euros (or 4% of a company’s annual revenue, whichever is higher). Daunting, but it’s important to put it into perspective. Selecting a video call provider is no different from selecting any other provider to process personal data on your behalf (e.g. your CRM, email list provider, etc.), so you should already have a process in place.

Compliance checklist:

  • Carry out due diligence on the provider to ensure you are happy they are GDPR compliant – you should already have a process for this.
  • Sign a DPA (Data Processing Agreement) with the provider before rolling out video calls as a new engagement channel. The DPA can be separate or part of your provider’s terms of service, documenting the scope and purpose of processing, and can usually be downloaded from your provider’s website (link to Crikle’s here).
  • Consider carrying out a mini-DPIA (Data Protection Impact Assessment, link) in which you document how the provider protects the data privacy of video call participants.
  • Consider the sensitivity of the information you’ll be discussing during a video call. Most business use cases are served with the flexibility of client-to-server encryption. But where data is particularly sensitive, such as personal health information, end-to-end encryption may be required.
  • Where does the provider store customer data? Personally identifiable information of EU citizens should be stored explicitly within the EU.
  • Does the provider offer a free video call plan? If so, then it’s always possible that your customer’s data might be shared with 3rd parties.

Make sure you and your video call provider process personal data securely (Articles 5 and 13)

Article 5 outlines the fundamental principles for data security within GDPR. Just as your video technology provider must process personal data ‘lawfully, fairly, and transparently’, your business must also take all the necessary steps to do the same.

When collecting and storing any customer data in a video call interaction, be that the name and email entered when scheduling the call, or the recording of the meeting, you will be collecting personally identifiable information. This means that your business will automatically become a data controller, and will need to comply with Article 5.

Article 13 complements Article 5, and states that customers in the EU have the right to be informed that their data will be collected and processed. To compliantly host video calls, you must notify all participants – i.e. your customers as well as your employees – about the processing of their personal data within the context of the video call.

Compliance checklist:

  • Check your provider enables you to ask customers for consent to process their personal data before the video call starts, for example in the email invitation, call confirmation, or in a notice clearly displayed before the call.
  • As it’s your business that needs to gain consent from your customers, it’s helpful to work with configurable technology which allows you to display your own cookie and/or privacy policy across the customer journey. Crikle’s Privacy Policy Setting is an example of this.
  • Be clear within your privacy policy about the purposes for which your business is collecting customer data. A good video call provider will often supply a line of text to copy and paste into it.
  • Collect only the data that is necessary for the purposes of the interaction. Remember: you can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.

Ask for a customer’s legal consent before recording (Article 6)

Article 6 broadly covers the lawfulness of processing the personal data of customers – there must be a basis in law for your business to collect customer data under one of the principles outlined here.

One such legal ground is complying with specific legislation that applies to your industry. Regulations such as MiFID II for discussing financial transactions online, or HIPAA for discussing personal health information, will require you to document meetings with customers through notes or video recordings. However, if you’re recording for training purposes only, then customers must be explicitly asked for consent before the recording begins.

Compliance checklist:

  • Double-check with your legal department whether you really have to record video meetings with customers. Not only does recording oblige you to be compliant with GDPR, it can also disrupt a smooth customer experience by putting unnecessary checks ahead of addressing the customer’s primary concerns.
  • If meetings must be recorded, obtain consent by signposting your business’s privacy policy in the meeting invitation link and encouraging all your participants to go over it before agreeing to enter the meeting. Again, Crikle’s Privacy Policy Setting supports this signposting.
  • Follow good practice by verbally letting the participants know that they have agreed to the privacy policy at the start of the meeting. Most secure video call providers also inform meeting attendees automatically when an agent starts recording the meeting, allowing the customer to also object at that point.
  • Also be clear that if they screen share or discuss confidential (or special category) information, this too may be retained as part of the recording so they should be mindful of their own privacy requirements.

Securely store video call recordings (Article 32)

Article 32, as previously mentioned, focuses on ensuring you work with a GDPR-compliant provider.

In relation specifically to recordings, this means checking that a provider has the technical measures in place to protect any stored recordings. In other words, you must verify that the provider has the right security capabilities to prevent customer data from being leaked, hacked, eavesdropped on, or ‘Zoom bombed’ by third parties and malicious actors.

Compliance checklist:

  • Once a video call recording has been generated, it should be securely stored and encrypted – just like the video streams themselves.
  • Make sure the provider stores recordings in the EU, and no longer than necessary.
  • GDPR data protection requires that access to recording data be restricted. That means your business should only allow authorized employees to access stored recordings. Training sales and support staff in GDPR often satisfies this requirement.
  • The provider should offer the ability to access and erase any recording containing a customer’s personally identifiable data, whether through a setting or by contacting them.

Allow customers to access or delete their personal data (Article 15 and 17)

Article 15 and Article 17 of GDPR deal with the rights of data subjects – the customers from whom you are collecting personal data. The rights of data subjects within GDPR must be met for the recordings, videos, and other personal data you have stored.

Right of Access: According to Article 15, your customers can request access to any personally identifiable data your business has stored, and you have a period of 30 days to fulfill this request. Denying such a request is not allowed. Also be aware that a specific process must be in place for fulfilling this request.

Right to Erasure: According to Article 17, data subjects can request their personal data to be deleted. VIDIZMO allows you to securely dispose of your recordings if such a request is made to your business.

Compliance checklist:

  • Make sure your provider can assist you with deleting any customer data held on their platform.
  • Make sure any historical recordings stored with the provider (or copies on your own systems) are kept only as long as necessary. This should be clearly stated within your privacy policy.
  • Look for video call technology which has the option to configure the retention period of recordings, i.e. allowing you to set for how long you store recording data: either one retention period for all video calls, or a different period for each type of video call.

In summary

Whilst it’s crucially important to fulfill your business’s obligations under GDPR, it’s about more than just following the letter of the law; consumers increasingly understand and question how third parties manage their data.

Businesses that put the customer first ultimately win, not because legislation mandates these consumer protections, but because they are truly aware of the rights to privacy and data ownership, and take customer concerns seriously.

Learn more about making GDPR compliant video calls

Following the recommendations within this article will help your business to hold GDPR compliant video calls with customers. For more details on how Crikle can support your business to create GDPR compliant customer experiences with video calls, contact us to set up a trial today.
