GDPR came into force on May 23, 2018 and organisations are still working out exactly what they can and can’t do within its confines. Dr Dragan Grebovich, distinguished engineer: systems, security, networking at Avaya, outlines some of the legal ramifications for videoconferencing and UC. He speaks to Tim Kridel.
TK: The D in GDPR stands for “data.” Videoconferencing and unified communications are data in the sense that they’re IP traffic. Does the GDPR cover anything and everything that’s IP traffic? For example, in the case of a videoconference, does the GDPR apply to all video, audio and any other data, such as PowerPoint presentations? Anything else?
DG: Avaya has a wide portfolio of collaboration solutions for healthcare, financial, public safety, and others. Avaya solutions are media-independent, with voice, video and data all under the GDPR umbrella. Our understanding is that regardless of the media, or if it is a two-way communication or a multi-point voice/voice conference, settings have to be made such that GDPR requirements are followed. It is the data controller’s responsibility to set these settings. Avaya, as a data processor, can work with all our customers, who will generally be the data controllers, assisting them in configuring their systems to be operated in a GDPR-compliant fashion. That is part of what we provide to customers with our Professional Services offering – our knowledge and expertise to help them address these important questions.
Note that GDPR is not about the protection of “data” generically, but about the protection of “personal data”, which is defined as any information relating to an identified or identifiable individual. So it is a very ample concept.
TK: Some AV firms offer VC and UC as hosted/managed services. I’m also seeing some AV firms expand those managed services into archiving/storage and transcription. How does the GDPR apply to those services when participants are in multiple countries? For example, if one participant is in the UK, another is in Germany and another is in France, does the GDPR mean the managed service provider has to store each participant’s data on a server in their respective countries?
DG: One of the foundational objectives of the EU is to create a single EU market. It is very difficult to have a single EU market if you have barriers or restrictions as to where personal data is stored or can be accessed from within the EU. So the GDPR enshrines this principle of free movement of personal data within the EU in its first article.
Hence GDPR is completely agnostic as to whether personal data of EU origin is stored or can be accessed from Germany, France or any other country within the EU.
Data can also be stored outside the EU, provided there is a legal basis to do this. For instance Avaya is within a select group of companies that has Binding Corporate Rules approval. Only approximately 90 multinationals in the world have this approval, which is granted by the EU data privacy authorities. This approval enables Avaya to store personal data of EU origin internationally, on an intra-group basis. So EU personal data can be held not only by Avaya in Germany or in France, but it can also be held by Avaya entities outside the EU.
International personal data exports to companies outside the Avaya group can also be done just as long as you have a legal basis to do it. This legal basis might for instance be a contract between the entity exporting the data outside the EU and the entity importing the data.
To conclude, GDPR contains no prohibition as to the location of personal data of EU origin. What it does contain is certain requirements which need to be met to export personal data outside the EU.
TK: Does Avaya offer any tools or product features that help AV firms and/or their enterprise clients to ensure compliance in these and other AV use cases?
DG: Yes, Avaya has plenty of tools and product features within its solutions which enable customers to comply with GDPR – features such as consent mechanisms for recording videoconferences or conference calls, or deletion mechanisms for documents containing personal data.
It is obviously up to the customer to use these features in the most appropriate way to comply with GDPR, as the “correct” treatment of personal data varies depending on specific circumstances.
TK: When you talk with enterprises and/or Avaya sales channel partners, are there any other questions about GDPR compliance for audio and video that come up? If so, how do you address those?
DG: We do get questions about GDPR. But customers understand it is their responsibility to be compliant and that Avaya will provide them with functionalities within Avaya solutions and with Professional Services to assist in designing and implementing their solutions in a way that complies with GDPR.