Recommendations for video conferencing systems and data protection

The corona pandemic has often forced companies, more or less overnight, to let employees work from home. In order to maintain operations and, above all, internal and external communication, video conferencing has become the new communication standard worldwide, at an almost unbelievable speed. But which video conferencing system is the best choice in terms of data protection compliance?

As is so often the case in the life of a data protection officer, you pant a bit after the suddenly newly created reality.

For companies, of course, it was first and foremost about securing further business and above all sales. Accordingly, it was less about complying with the requirements of the GDPR for video conference systems. Unfortunately, it is nothing new that the governments and supervisory authorities for data protection in the countries were of little help. There were no clear guidelines or guidelines. Much worse still: when asked which video conference system is most likely to be accepted or which comes closest to the requirements of the GDPR, one obviously received a wide variety of statements.

Interested parties can listen to these experiences first hand, in the data protection podcast “Interpretation matter” (No. 12) from Heise Verlag, colleagues report hair-raising statements which, in the worst case, even led to schools in entire federal states using the Microsoft Teams app, which was introduced at short notice were no longer allowed to use. At the same time, on the other hand, entire conferences of European finance ministers were held via “Zoom”. A situation that is of course of little help to the entrepreneur when deciding on the right video conference system.

Basically, however, it can be said that there is currently no perfect, 100% GDPR-compliant video conference solution that is still accepted worldwide.

Rather, you have to look for the famous “golden mean”. Companies must therefore choose video conferencing systems based on what customers accept and what is justifiable under data protection law. As is so often the case, it would be nice if companies would consult their data protection officers more to find out how they might make the solution they have already selected better or more secure. Then you can quickly come very close to the requirements of the GDPR, even with established tools. The data protection officer has to assess the risk of using such a solution anyway. Because in the end it is a processing activity. This has to be documented and, above all, checked for the risks.

And indeed: to optimize the software used in compliance with GDPR, yes, that is usually very easy!

Because after deciding which video conference solution to use, the configuration or administration settings should always be checked first of all:

  • Is the default setting of the creation for participation in conferences at Zoom set correctly?
  • Who in MS Teams has the right to start recordings of the video conference?
  • Which Cisco Webex app is used? Android or iOS? Etc.

When you have answered all of these questions and thus also checked and (hopefully) documented the technical and organizational measures, you can use the selected video conference system with a much calmer conscience.

Whether you still have to ask yourself the question of whether you accept a cloud system or whether you rely on video conference systems, perhaps even proprietary solutions, or on solutions that absolutely have to run “OnPremise”, then perhaps no longer arises.

Beware of generalization!

And let’s be honest: To stand up and to demonize all offers that come from the cloud per se as “data throwers” is already carefully said slightly backwards under current standards. Because if you look at some of the company’s server rooms, the technical or structural protection is so poorly implemented that instead of “on-premise” it is better to go to the cloud and leave the protection of the systems to the professionals.

Basically, one must also assume that companies like Microsoft, who want to and have to establish themselves firmly in the business sector in the long term, cannot risk that their solutions will allow anyone to read along or leave security gaps open for too long out of pure self-interest. Even the US manufacturer “Zoom”, which hardly anyone knew before the Corona era and is now suddenly even being used by politicians, responded to critical security gaps within a week and closed them immediately. So you can clearly see that the manufacturers are ensuring security or at least some GDPR compliance on their own initiative.

However, as far as the guidelines and specifications for the correct use of video conference systems are concerned, the situation has now eased somewhat.

We would like to show you a few suggested solutions as a guide.

Some data protection supervisory authorities, the data protection association GDD, as well as the BSI, the Federal Office for Information Security, have published guidelines. In the following collection of links you will find suggestions with a lot of detailed information, tips and test points. They provide information about what is necessary for the GDPR-compliant use of video conference systems:

Guideline of the State Commissioner for Data Protection in Baden-Württemberg:

“Data protection-friendly technical options for communication” (Link: https://www.baden-wuerttemberg.datenschutz.de/datenschutzfreundliche-technische-moeglichkeiten-der-kommunikation/)

Recommendations for video conference systems from the BSI (Link: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Remote/Home-Office/home-office_node.html)

This also includes:

“Compendium of video conference systems” from the BSI (Link: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Remote/Home-Office/home-office_node.html)

Association information of the GDD:

“Practice Aid DSGVO XVI – Video Conferences and Data Protection” (Link: https://www.gdd.de/downloads/praxishilfen/gdd-praxishilfe_xvi-videokonferenzen-und-datenschutz)

This post is also available in: German