With the rapid growth in video conferencing set to continue, and increasingly stringent data protection and privacy regulations to consider, now is the time to get serious about understanding what happens to your video conferencing data.
Early in the Covid-19 pandemic, many public and private organizations got away with ignoring the security concerns of popular cloud-based providers due to the urgent need to stay connected. Those days are over. Let’s take a closer look at the tough but important questions you should be asking about your video conferencing solution to ensure data compliance in an increasingly complex threat and regulatory environment.
1. What type of video conferencing data is important, and why?
When it comes to data protection, your first thoughts might be about where and how your organization stores its confidential documents, intellectual property, or financial information. But there is plenty of personal data shared and handled via video conferencing as well. Considering the fact that remote and hybrid meetings using video conferencing are now a standard way of communicating in most professional settings, it’s critical that your team understands why data protection matters here, too.
The personal data that is shared over video is subject to GDPR protections in Europe, PII regulations in the U.S., and other local- and industry-based compliance standards, and for good reason. When participating in video meetings, sensitive information could be shared verbally, but there are other considerations as well. What about:
- The names of the meeting participants?
- The title and context of the meeting?
- The content shared during a meeting, or recordings of the meeting?
All of this could potentially be at risk.
Making this data vulnerable to hostile states, competitors, cybercriminals, or the general public could get you in serious trouble with customers, partners, and employees, and could even mean facing criminal charges. These issues are especially critical if you are in the public sector, are a healthcare organization, or are in the financial services industry.
Video interactions like government agency meetings, remote court sessions, telehealth visits, or financial consultations deal with highly sensitive user information. Consider the implications if government secrets were compromised, or a banking customer's financial information was leaked. This could result in strategic disadvantages, PR crises, costly liability suits, or even heavy fines.
2. How does video conferencing data get from point A to point B (data in transit)?
You may be aware that encryption is an important way of securing data and is among the regulatory requirements in the EU and elsewhere for sensitive and personal data. But it’s not enough to simply check if a video conferencing provider has encryption as part of its security standards. Keep in mind that a video call is always “in transit” because media is being exchanged back and forth. This means you need to make sure that:
- The media data (the information shared on the call) is encrypted.
- The process of transporting the media to where it’s going is encrypted, too. This type of encryption is called Transport Layer Security (TLS) and the latest version is TLS 1.3.
3. Where is video conferencing data stored (data at rest)?
Where video conferencing data is physically located determines which national laws and regulations it is bound by. If data is stored outside your country, this potentially gives another country (or whatever actors are in that country) access to your information. You may also be required to keep certain types of data within the national borders of your country.
If you use a consumer-grade cloud video conferencing vendor, consider the following:
- Do you know what country your data is stored in?
- Does the vendor even know?
- Can you trust the vendor not to move the data around, and to comply with data protection standards?
Remember that data should also be encrypted at rest, meaning in the place where it is stored. So, when considering a video conferencing solution, always ask about encryption both “in transit” and “at rest” if you want to be on the safe side.
4. What countries can I trust with my video conferencing data?
If your organization is based in Europe, using video conferencing cloud services based in countries outside of Europe could give you headaches for several reasons. For one, the recently updated European Commission Standard Contractual Clauses (SCCs) following the Schrems II ruling make the requirements for transferring data from the EU to the U.S. and other third countries very stringent, and the transfers themselves difficult. Additionally, your data may be subject to the laws of that country, where it can be caught up in bulk surveillance efforts by that nation’s government.
Even if your business is located outside Europe, keep in mind that many European countries must follow GDPR, which contains some of the strongest privacy and data protection rules of any regulation. This makes European-based video conferencing vendors a good option for multinationals or businesses in other parts of the world that have concerns about the privacy and security of their video conferencing data.
5. How do I regain control over my video conferencing data?
If you want to be sure of where your data is and whether it is safe, the most surefire way is to take back control over it. Using a self-hosted video conferencing solution will ensure that the data stays in your own data centers. This provides the greatest privacy in a walled garden where no one else can access your data.
But what if you don’t have the internal resources to maintain a video conferencing platform in-house, yet you still want to be in control of your data? Then you could look for a private cloud solution. This means that, instead of sharing servers and resources with thousands of other companies, a vendor manages the solution for you but keeps your data completely separate and secure. This way, you can still be in control of your data, choose what country to keep it in, and adjust settings for how it is managed, stored, and processed.
To find a vendor you can trust to manage a private cloud solution for you, consider whether they also take precautions to protect your data from their own eyes. This means that the video provider cannot see the names of video meeting participants, the titles of meetings or the content discussed or shared in them.
Pexip gives you the freedom of choice for securing video conferencing data
At Pexip, we offer a self-hosted solution, Pexip Infinity, and a private cloud solution called Pexip Private Cloud. We also offer a cloud-based solution, the Pexip Service. All of these solutions are fully GDPR compliant. With multiple deployment options, you can choose what to do with your video conferencing data and how you want to manage it.
Pexip’s products and features are designed around our “security-first” culture, and we carefully monitor and implement the latest data protection regulations and best practices for encryption standards, protocols, and methods. We are based in Norway, a European country with a strong reputation for respecting privacy and GDPR compliance. We provide easy-to-use tools for managing, controlling, and understanding your video conferencing data.
Do you have questions or challenges related to data handling for your video conferencing solution? Don’t hesitate to get in touch today.