At our workplace, video conferencing has become one of the most used technologies during this year. Despite working in a tech-savvy company, we would seldom use video conferencing on a regular basis before, but more than often we just would walk into our colleagues office and discuss the matter at hand. This, among other things, has drastically changed.
Choosing the right video conferencing system is often about finding a solution that offers the required features, is easy to use and integrate, and, above all, does not cost a fortune. The privacy aspects are more than often overlooked, especially when everybody just "needs to get this running", as was the case in the early days of COVID.
A lot of meetings that would have been a private chat between two colleagues in an office have moved to video. Almost everybody would have the presence of mind to close the door to their office or meeting room when discussing sensitive matters, or matters that require more privacy. This might not be the case for a video conference, or any other online conversation, for that matter.
The challenge arises from the fact that while tools like video conferencing try to make anybody feel like they are just a (sophisticated) extension of the physical world, in reality your private conversation might travel around the world and use services you never knew about.
Choosing a solution
The legal and security aspects should be assessed together with the functional aspects when choosing a video conferencing solution. Video conferencing tools do process personal data, and as such are subject to data privacy laws like the GDPR, as well as other laws and regulations depending on your concrete situation.
In addition, how you plan to use the tools, as well as other requirements like confidentiality or integrity, contractual constraints or company policy will shape whether a specific video conferencing solution will fit or not.
The Data Security Officer for Berlin, Germany, Maja Smoltczyk, has released a note on the use of video conference solutions that might be helpful in assessing the different offerings available on the market:
- For the press release
- For the review
While the note primarily is targeted at public offices in Berlin, the observations and general conclusions are valid for anyone using video conferencing. The approach described in the note can also be used as a blueprint for own reviews of tools.
The review consists of two steps:
- The lawfulness of the data processing agreement with the provider is verified, based on publicly available information provided. Also, a cursory check is conducted whether all sub-providers in use are listed in the agreement
- A check to identify which security measures for authentication, authorization and encryption are provided "out of the box", i.e. without any adjustments
When a solution was deemed unsatisfactory during one step, the remaining steps were not conducted in this review, and not all solutions have therefore been reviewed for their security measures, for example. Also, the review is based on the publicly available agreement for the solutions reviewed, and does not take into account that other agreements can be negotiated.
Still, the review gives a good overview over the current state, and what details to focus on when reviewing data privacy agreements.
We will reveal our findings and conclusions in next blog post: