that revolutionises the way meetings are documented.
In May 2018, the European Union (EU) implemented one of the strictest, if not the strictest, privacy and security laws in the world: the General Data Protection Regulation, more commonly known as GDPR.
This law established a broad regulatory framework for any organization, private or public, anywhere in the world, that collects or accesses data linked to people in the EU. Organizations that breach these standards are subject to fines that can reach tens of millions of euros.
While big corporations and worldwide organizations have access to professional legal teams that handle this kind of topic, start-ups and SMEs have to be particularly attentive to these laws. As stated before, infringing the GDPR can prove to be a devastating blow to most companies.
In the European Convention on Human Rights of 1950, the countries of the old continent laid the first stones of privacy rights by stating: "Everyone has the right to respect for his private and family life, his home and his correspondence."
Gradually, as more and more technology was implemented in our daily life and more significantly with the birth of the Internet, the topic of privacy protection has become more and more complex for individuals and lawmakers.
In 1994, we saw the first banner ad appearing on our screens. Nearly 10 years later, Facebook was opened to a wider audience. In the following decade, collecting, analyzing, and selling data became the main business model of this platform. Most tech giants use the hegemony of their products to gather data of their users and sell it to the highest bidder.
After various scandals around data privacy violations, the EU finally declared that it required "a comprehensive approach on personal data protection". A few years later, the GDPR was adopted by the European Parliament.
This law provides citizens and residents who use the internet with a long list of rights. The purpose of these rights is to give people better control over the data they share with organizations. These rights are the following:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
To ensure these privacy rights, organizations have to be compliant with the GDPR.
The scope of application of the GDPR is quite wide. Indeed, as soon as you process the personal data of citizens or residents of an EU state, you are expected to follow its rules. You also have to comply if you offer goods or services to such a population.
This applies even if you or your company is not located inside the EU.
Let's take the example of the company ABC based in California in the USA, providing most of its professional services in the USA. By monitoring its website visitors (and thus potentially tracking and analyzing EU visitors' activity), this company might have to comply with the GDPR rules.
If company ABC does not respect the provisions of the GDPR, it might face very heavy fines. The penalties are divided into two tiers, the higher of which can reach 20 million euros or 4% of ABC's global revenue, whichever is higher.
Additionally, the people whose data privacy has been violated have the right to seek compensation, which can leave the company with a huge bill.
Of course, this article is just a general presentation on the topic of GDPR. For deeper information, please visit the official EU website:
When processing data from EU citizens, you have to respect the following principles:
- You need to process the data of your customer or visitor in a lawful, fair, and transparent way.
- You may process the data only for the strict purpose that you specified to the individual when you collected it.
- You should not collect more data than you absolutely need.
- You have to keep the data collected accurate and up to date if possible.
- You should only store personal data for as long as you were supposed to.
- You must ensure the security, integrity, and confidentiality of the data processed. This can be achieved with data encryption, for instance.
- You (the data controller) are responsible for demonstrating that you comply with all the previous principles.
Another key topic is personal data. Generally, you should stay as far away from personal data as you can. There are, however, some exceptions (e.g. unambiguous consent from the visitor, a legal obligation, a life-saving situation) that allow you to process it, but you need to be certain of your justification. The full list can be consulted here.
Consent is an additional principle to take into account. The person you are collecting the data from (the data subject) has to give their consent for you to use it. It must be clear, freely given, informed, and documented. The data subject must be over 13 (if not, they need permission from a parent) and must be able to withdraw their consent.
To put it simply, and as complicated as it can be to guarantee, the General Data Protection Regulation must become part of your company's DNA.
Here are some things that you can implement:
- You must consider data protection by design and by default (in every activity, service, or product that your organization offers).
- Train your teams on data protection and data privacy.
- Implement security measures at a technical and organizational level.
- Even if you are not always compelled to do so, appoint a Data Protection Officer.
- Keep a detailed, organized, and exhaustive record of the data collected.
To conclude, it is important to remember that the whole regulation is 88 pages long and that this article is just an overview of the topic. To guarantee that you are compliant with the GDPR, it is critical to carry out a complete analysis of your organization, and advisable to get in touch with an attorney to double-check.
In the case of online meetings and video conferencing, the main privacy issue arises with recording. Indeed, as soon as the meeting host starts recording the meeting, they begin to collect personal data of the participants. It is then very important to respect the rules presented above to stay GDPR compliant.
For instance, when recording a meeting you should (this list is non-exhaustive):
- Only collect the data you need and store it securely.
- Ensure that the recording is done in a lawful, fair, and transparent manner (in practice, openly ask the participants for their agreement to record the meeting).
- Provide participants with the possibility to access, rectify, or erase the data.
- Inform participants about the data that will be collected.