Using online tools in compliance with GDPR
In the current situation, companies are forced to reduce, if not limit, personal contact with their employees, customers and business partners to a minimum. A great portion of the daily work is moving onto digital platforms and tools for video conferencing. It’s important to know the impact of these tools on digital privacy and security and how to manage them. One priority must be the implementation of appropriate technical and organizational measures to ensure compliance with the applicable data protection laws.
What do you need to consider now?
It would be a mistake to believe that the manufacturers or developers of online tools take data privacy into consideration reliably and responsibly. Although the 'Privacy by Design' and 'Privacy by Default' principles (maintaining data protection through technical design and default settings) were introduced by the GDPR, many online tools have not implemented these legal requirements yet. In the end it is each user and each company, as the controller, that is fully responsible for ensuring that all online tools used are GDPR-compliant. Therefore, each company using online tools is obliged to take appropriate technical and organisational measures that effectively implement these principles.
How do I implement data protection through technology design?
The technical measures depend on the planned processing and on the category of data that is shared or collected via the tool. Please note that measures selected previously need to be reassessed in light of the Covid-19 situation.
1. Taking technical measures
The technical measures presented here are only examples and are not exhaustive; ultimately (as explained above) the appropriate measures always depend on the individual case.
- Pseudonymization: where possible, process personal data in a manner that it cannot be attributed to a specific person without additional information that is kept separately.
- Encryption of data: any file containing personal data that is shared or transmitted should be protected, so that accidental transmission or unauthorized access does not expose its contents.
- Privacy notices and warnings, e.g. when sharing your screen.
- No use of shareware or freeware tools such as WhatsApp and FaceTime for business purposes; in most cases business versions are available that allow specific privacy settings.
- Restriction of log files: data should only be used for the – clearly communicated – purpose and deleted once that purpose no longer applies.
- Chat history and exchanged files: automatic deletion after a defined period of time.
- Recording of web conferences only with the explicit prior consent of all participants.
- Establishment of access restrictions and registration requirements. Allow guests to participate only with the prior consent of the organizer, or only after the organizer has opened the conference. Notify all participants when a new person joins.
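Two of the measures above, pseudonymization and automatic deletion of chat history after a defined period, can be combined in a small retention routine. The following is an added example (not code from the original article or from any conferencing vendor): it pseudonymizes participant identifiers with a keyed hash, so that the key is the separately held "additional information" needed for re-identification, and then deletes pseudonymized chat records older than a constructed 30-day retention period. The key, the e-mail addresses, the timestamps and the messages are all constructed for the demonstration.

```python
"""Added example: pseudonymizing chat participants and enforcing a retention period.
Nothing here is taken from a real conferencing product; all values are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed secret. In practice this key is the "additional information" that
# allows re-identification, so it is stored separately from the pseudonymized data
# (e.g. in a secrets store that the chat archive cannot read).
PSEUDONYMISATION_KEY = b"constructed-demo-key-keep-separate"

# Constructed "defined period of time" after which chat history is deleted.
RETENTION = timedelta(days=30)


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a normalized identifier.

    An unkeyed hash of an e-mail address can be reversed by hashing candidate
    addresses; with a secret key, a party holding only the archive cannot do that.
    The pseudonym is truncated to 16 hex characters for readability in logs.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymise_records(records, key: bytes = PSEUDONYMISATION_KEY):
    """Replace the raw "user" field with a pseudonym; the raw identifier is not kept."""
    return [
        {
            "participant": pseudonymise(record["user"], key),
            "sent_at": record["sent_at"],
            "text": record["text"],
        }
        for record in records
    ]


def sweep_expired(records, now: datetime, retention: timedelta = RETENTION):
    """Split records into (kept, deleted): anything older than the retention period goes."""
    kept, deleted = [], []
    for record in records:
        age = now - record["sent_at"]
        (deleted if age > retention else kept).append(record)
    return kept, deleted


# Constructed sample chat history; the mixed-case address shows normalization.
SAMPLE_NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CHAT = [
    {"user": "Alice@Example.com", "sent_at": SAMPLE_NOW - timedelta(days=45), "text": "old message"},
    {"user": "bob@example.com", "sent_at": SAMPLE_NOW - timedelta(days=29), "text": "recent message"},
    {"user": "alice@example.com", "sent_at": SAMPLE_NOW - timedelta(days=1), "text": "today"},
]


def demo():
    """Pseudonymize the sample archive, then apply the retention sweep."""
    pseudonymised = pseudonymise_records(SAMPLE_CHAT)
    return sweep_expired(pseudonymised, SAMPLE_NOW)


if __name__ == "__main__":
    kept, deleted = demo()
    print(f"kept {len(kept)} record(s), deleted {len(deleted)} record(s)")
    for record in kept:
        print(record["participant"], record["sent_at"].date(), record["text"])
```

The sweep operates on already pseudonymized records, so even the retained archive never holds raw addresses; rotating or destroying the key is a second, independent way to make the retained pseudonyms unattributable, which matches the "additional information kept separately" idea in the pseudonymization measure above.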
2. Taking organisational measures
- Training of employees in how to use the tools properly.
- Desktop sharing only if it is relevant for the meeting. Take appropriate precautions, such as closing the mailbox and any other documents that are not needed.
- Digital factory tours: if you define routes, inform the workers affected in those areas.
- Background blur: make sure that only you are visible during the video conference, and not your background.
- Conclusion of a data processing agreement with the respective provider of the tool (Art. 28 GDPR).
- If possible, do not transfer data outside the EEA. Make sure that the provider's servers are not located outside the EEA, or that the provider has committed itself to GDPR compliance.
Using web conferencing software to communicate with employees?
Of course, you can also use the web conferencing software for internal communication. However, make sure that you do not use the tool for working-time monitoring by collecting the attendance information (present/absent) of the respective employee. If you want to make use of this data, you must involve your works council or provide a contractual basis.