With the rapid growth in video conferencing set to continue and increasingly stringent data protection and privacy regulations to consider, now is the time to get serious about understanding what happens to your video conferencing data.
Early in the Covid-19 pandemic, many public and private organizations got away with ignoring the security concerns of popular cloud-based providers due to the urgent need to stay connected. Those days are over. Let’s take a closer look at the challenging but essential questions you should ask about your video conferencing solution to ensure data compliance in an increasingly complex threat and regulatory environment.
1. What type of video conferencing data is essential, and why?
Regarding data protection, your first thoughts might be about where and how your organization stores its confidential documents, intellectual property, or financial information. But plenty of personal data is shared and handled via video conferencing as well. Because remote and hybrid meetings using video conferencing are now a standard communication method in most professional settings, your team must also understand why data protection matters here.
The personal data shared over video is subject to GDPR protections in Europe, PII regulations in the U.S., and other local- and industry-based compliance standards, and for good reason. Sensitive information could be shared verbally during a video meeting, but there are other considerations as well:
- The names of the meeting participants?
- The title and context of the meeting?
- The content shared during a meeting or recordings of the meeting?
All of this could be at risk.
Making this data vulnerable to hostile states, competitors, cybercriminals, or the general public could get you in serious trouble with customers, partners, and employees and even mean facing criminal charges. These issues are especially critical if you are in the public sector, a healthcare organization, or the financial services industry.
Video interactions like government agency meetings, remote court sessions, telehealth visits, or financial consultations deal with sensitive user information. Consider the implications if government secrets were compromised or a banking customer's financial information was leaked. This could result in strategic disadvantages, PR crises, costly liability suits, or heavy fines.
2. How does video conferencing data get from point A to point B (data in transit)?
You may be aware that encryption is an important way of securing data and is among the regulatory requirements for sensitive and personal data in the EU and elsewhere. But it’s not enough to check if a video conferencing provider has encryption as part of its essential standards.
Remember that a video call is always “in transit” because media is being exchanged back and forth.
This means you need to make sure that:
- The media data (the information shared on the call) is encrypted.
- The process of transporting the media to where it’s going is encrypted, too. This type of encryption is called Transport Layer Security (TLS); the latest version is TLS 1.3.
3. Where is video conferencing data stored (data at rest)?
Where video conferencing data is physically located determines what national laws and regulations it is bound by. If data is stored outside your country, this potentially gives another country (or whatever actors are in that country) access to your information. You may also be required to keep certain types of data within the national borders of your country.
If you use a consumer-grade cloud video conferencing vendor, consider the following:
- Do you know what country your data is stored in?
- Does the vendor even know?
- Can you trust the vendor not to move the data around and to comply with data protection standards?
Remember that data should also be encrypted at rest, meaning where it is stored. So, when considering a video conferencing solution, always ask about encryption “in transit” and “at rest” if you want to be safe.
4. What countries can I trust with my video conferencing data?
If your organization is based in Europe, using video conferencing cloud services in countries outside of Europe could give you headaches for several reasons. For one, the European Commission's recently updated Standard Contractual Clauses (SCCs) following the Schrems II ruling make transferring data from the EU to the U.S. and other third countries a stringent and challenging process. Additionally, your data may be subject to the laws of that country, where it can be caught up in bulk surveillance efforts by that nation’s government.
But even if your business is located outside Europe, many European countries must follow GDPR, which has some of the strongest privacy and data protection rules of any regulation. This makes European-based video conferencing vendors a good option for multinationals or businesses in other parts of the world concerned about the privacy and security of their video conferencing data.
5. How do I regain control over my video conferencing data?
If you want to be sure of where your data is and whether it is safe, the most surefire way is to take back control. A self-hosted video conferencing solution will ensure the data stays in your own data centers. This provides the greatest privacy: a walled garden where no one else can access your data.
But what if you don’t have the internal resources to maintain a video conferencing platform in-house, yet you still want to be in control of your data? Then you could look for a private cloud solution. This means that, instead of sharing servers and resources with thousands of other companies, a vendor manages the solution for you but keeps your data separate and secure. This way, you can still control your data, choose what country to keep it in and adjust settings for how it is managed, stored, and processed.
To find a vendor you can trust to manage a private cloud solution, consider whether they also take precautions to protect your data from their own eyes. This means that the video provider cannot see the names of video meeting participants, the titles of meetings, or the content discussed or shared in them.
Pexip gives you the freedom of choice for securing video conferencing data
At Pexip, we offer a self-hosted solution, Pexip Infinity, and a private cloud solution called Pexip Private Cloud. We also provide a cloud-based solution, the Pexip Service. All of these solutions are fully GDPR compliant. With multiple deployment options, you can choose what to do with your video conferencing data and how you want to manage it.
Pexip’s products and features are designed around our “security-first” culture, and we carefully monitor and implement the latest data protection regulations and best practices for encryption standards, protocols, and methods.
We are based in Norway, a European country with a strong reputation for respecting privacy and GDPR compliance. We provide easy-to-use tools for managing, controlling, and understanding your video conferencing data.
Learn more about our secure video meetings solution.