Video conferencing tools such as Zoom, Skype and Houseparty facilitate communication when working from home. So the question we’ll be looking at in this article is ‘Is Zoom GDPR compliant?’ and how to ensure you don’t experience data protection issues when using video conferencing tools.
Using video conferencing tools has its benefits, but you must also guard against data protection issues.
Issues such as:
- Transferring unprotected data (solution – send data using end-to-end encryption).
*Using end-to-end encryption means only users and recipients have access to data*
* Update: Whilst Zoom has now incorporated end-to-end encryption, it has been criticised because this is only available to users with a premium subscription.
- Abiding by multiple countries’ data protection regulations when sending data across borders (solution – use a VPN).
- Meetings infiltrated by outside parties (solution – use password protected meetings or the alternative video conferencing tools we’ve suggested below).
An extremely popular video conferencing tool that we’ll take a look at is Zoom. When using it for work related communication we have to consider whether Zoom is GDPR compliant.
Quick plug! But it’s something that will really help you by preventing data protection legal issues.
GDPR compliance sometimes gets overlooked until it’s too late, leading to fines, a damaged reputation and so on. It’s a headache (understatement) that you just don’t need, never mind the fines that can put SMEs out of business altogether.
You can ensure you’re compliant with legislation by trying out our GDPR software. Just choose a time that’s good for a demo to see how it works and then try it out for free to see how it can actually help your company.
Plug over, back to whether or not Zoom is GDPR compliant!
Video chat solutions are booming and Zoom has seen users increase from 10 million to 200 million in four months.
Its rise in popularity is largely thanks to its ease of use and stability (and the increase in working from home).
Remote work and data protection issues are something we spoke about in our webinar GDPR Risks When Working From Home, free for you to watch and/or download.
Data Protection Issues When Transferring to Third Countries
The Zoom cloud service is mainly operated in the USA; however, data can be stored in data centres around the world. You therefore need to consider whether those locations provide a level of data protection comparable to that in the EU.
The solution is for the provider to adhere to the EU-US Privacy Shield and for all other third countries Zoom offers an EU standard contract.
Navigating data compliance laws can feel like a minefield at times, and hitherto unknown risks and threats can seriously damage your organisation.
To help you, we provide a GDPR risk assessment tool that gives you the following benefits:
- Risk detection – What possible threats are you facing?
- Recommendations – Series of recommendations to ensure compliance.
- Tasks – Actionable list of tasks to mitigate or eliminate these risks so they don’t become problems.
If you think this could be useful for you (hint: it will), you can take the GDPR risk assessment test online really quickly.
Is Zoom GDPR Compliant: Article 28
Using a cloud-based video chat tool constitutes order processing (processing on behalf of a controller) pursuant to Art. 28 GDPR. This means that before using Zoom for your company meetings, you really should conclude a data processing agreement in accordance with Art. 28 GDPR.
Zoom GDPR Issues
Zoombombing is the infiltration of private meetings by outside parties with malicious intent. Without a waiting room or password, accessing private meetings is relatively easy, and this has led to pornography and antisemitic material being shared in classes, as well as images of alcohol consumption at Alcoholics Anonymous meetings.
This Zoom GDPR issue, the inability to protect users’ private communication, puts their data at risk: sensitive proprietary information shared in a meeting can be accessed and stolen.
Failure to protect private data indicates that Zoom is not GDPR compliant.
Zoom Software Security Issues
Another data protection issue with Zoom, aside from its encryption shortcomings, is that it installed a hidden web server on Macs, which was not removed even when the user uninstalled Zoom.
This is another indication that Zoom is not GDPR compliant: installing hidden software directly contradicts a key pillar of data protection rules, informed consent.
Security experts have also raised concerns about “shady” preinstalled code that allowed Zoom to automatically install secret web servers on Macs when a user clicked the download button without going through the usual security protocols.
This approach, which also includes a password prompt that appears to disguise itself as an Apple security prompt when the user is not an administrator, prompted a Princeton professor to call Zoom “malware.”
The installation of secret software again indicates that Zoom is not GDPR-compliant, because it is in direct contradiction to Article 7 of the GDPR, which requires informed consent for data processing.
Even though Zoom has responded to the international criticism with security updates, and some of the points listed may have been fixed in the meantime, neglecting data protection in the early stages of software design (privacy by design) means further security optimisations are still required.
We therefore strongly advise against using Zoom for online conferences.
Alternatives and recommendations for secure video conferencing
One of the most important things to keep in mind in regards to GDPR compliant video conferencing is the ability to set a password.
Which manufacturers of video conferencing software give you the opportunity to use them in a safe way?
Tixeo, for example, does not allow access without an encrypted and irreversible password.
This is also the only software that is supported by official organizations after going through various tests to ensure the security of the information.
This undoubtedly makes it one of the safest options for video conferencing.
However, other platforms can also enable you to use video conferencing that is compliant with data protection regulations.
Many applications offer options for improving security in their configuration, e.g. blocking access to meetings until the organiser has checked the participant.
For this reason, as is often the case in data protection, training employees is one of the most important aspects to ensure successful information security.
Another tip is not to use platforms that are intended for personal or leisure use, and preferably to choose platforms that are specifically designed for business use.
What would be the best options? Although Signal, as already mentioned, has some security holes, it is a good alternative to WhatsApp as it offers the possibility to make encrypted calls.
Microsoft Teams is a great option for companies using Office 365. Hangouts, the video conferencing software developed by Google, is a good option for video conversations, but does not offer end-to-end encryption, an important data protection mechanism. End-to-end encryption ensures that information can only be shared between the user and the recipient.
Another popular option is Skype, which can be used for free and provides end-to-end encryption.
Anyone who has attended one of our popular data protection webinars knows that we at Pridatect work with GoToWebinar. We also use the sister software GoToMeeting for meetings with our customers.
All multicast session data is protected by end-to-end encryption and integrity mechanisms that prevent unauthorized parties from eavesdropping on a session or tampering with data without detection.
With all of these aspects in mind, various software solutions can be used for a secure online meeting, provided they offer the ability to adequately protect the meeting and everyone who attends knows what action to take so as not to endanger the data and information they transmit in this virtual conversation.
For increased security, we also recommend using a VPN.
Data Processing Communication
Arts. 13 and 14 GDPR oblige you to inform communication partners in advance about the data processing carried out by Zoom. Zoom does provide the information that needs to be shared. When holding a meeting with external parties, send it to them beforehand.
Permissibility of Processing
Data input for Zoom:
- The host needs an account (enter name and email).
- Participants only need to enter a link and a name.
- Microphone/video sharing is optional.
During the coronavirus pandemic with a huge portion of the workforce working from home, deficiencies in the video solution have been exposed.
Is Zoom GDPR Compliant When Recording Video Conference Meetings?
There are a variety of common reasons for recording meetings:
- Recording a team meeting to ensure you don’t miss anything.
- Recording webinars to share with more interested parties later.
At Pridatect we host regular webinars with our in-house data protection experts, and we’re also lucky enough to have guests such as industry expert Simon Hall. Not everyone is able to attend the live webinar, so we make a recording for interested parties to view at a later date.
In order to comply with data protection laws we inform participants beforehand that we’ll be recording the webinar to replay later. Our host also informs participants once again when the webinar begins so that there is recorded evidence of us obtaining informed consent.
Zoom DPIA (Data Protection Impact Assessment)
If only Zoom had undertaken a data protection impact assessment, they could have avoided many of the issues they are currently facing: damage to their reputation, and users opting for alternative methods of workplace communication.
Conducting a DPIA is a great way to demonstrate GDPR compliance, and as recommended by the ICO, a Zoom DPIA would ‘identify and minimise privacy risks associated with new projects’.
Something we’ve spoken about many times before, to help you save money in the long run, is privacy by design. According to the ICO, accountability and privacy by design are inextricably linked. Had there been a Zoom DPIA, they would have been able to identify risks before they were exposed and take steps to mitigate them, resulting in far fewer incidents of the kind we’ve seen recently as workforces have adopted Zoom during the COVID pandemic.
Prevent Data Protection Issues When Using Video Conferencing Tools
- Send data using end-to-end encryption.
- Use a VPN.
- Use password protected meetings.
- Use alternative tools: BigBlueButton and Jitsi Meet.
Hackers may attempt to access and steal private data for any variety of reasons. People even try to access private meetings sometimes just because they think it’s good sport. You should be taking these steps to mitigate data protection risks.
In answer to the big question of the day ‘Is Zoom GDPR compliant?’ it appears that no, it isn’t. Too many security risks directly contradict the safeguards that GDPR stipulates.
This series looks at how communication tools help and affect the companies that use them, but there are always company-specific considerations with regards to risk mitigation and compliance. You can take a look at another popular tool for team-based communication in the article: Is Slack GDPR Compliant?
The subject can be complex, fraught with pitfalls and problems you’d never think of. In order to help you fight against data protection issues, we recorded the webinar we hosted with data protection expert Simon Hall on GDPR risks working from home. Learn everything you need to know about mitigating data protection issues with regards to working from home.