GDPR webinar
Are your videos and webinars fully GDPR compliant? In this 60-minute session, TwentyThree’s CTO and co-founder Steffen Fagerström Christensen will walk you through how GDPR applies to video platforms, webinar data and your wider marketing setup. You will learn the key takeaways from TwentyThree’s annual PwC ISAE 3000 Type 2 audit and how these insights can support your own compliance work. Steffen will cover how we handle data security, storage, subprocessors and user rights across the TwentyThree platform, and share practical steps to make your video workflows GDPR-safe. The webinar ends with a live Q&A so you can ask your compliance and data questions directly.
Transcript
Hi everyone, and welcome to this TwentyThree webinar about the GDPR. The GDPR webinar. And it's going to be pretty fun. This is one of those subjects that we talk a lot about in corners of companies, and we throw around a lot of lingo about data exports and GDPR and fines and data processing agreements and all those kinds of things, but this is actually a thing that matters a lot to our world, to the way that we operate services out of Europe, but also as European marketers or consumers. The GDPR has become this foundational way of how we perceive our services and what we expect from services as well. So this is something that a lot of work has gone into, probably in your organization, probably from your end, but also something that is, I want to say, underserved in terms of knowledge, and certainly in the context of video. So that's what we'll do here: we'll talk a bit about the GDPR. Feel free to ask questions if you have any. I'm trying to figure out where the questions box is up here. So, the questions box: if you do have any questions, please feed them in. Otherwise I have a jam-packed agenda that will take us through a bit about the GDPR itself, why it's important, why it's there, a bit of the history, and then we'll dig into how it matters specifically for video professionals or webinar professionals, and what those intersection lines are. First of all, let me introduce myself. I'm Steffen. I'm one of two co-founders here at TwentyThree, and I serve as CTO. I work on our engineering and product teams, but I've also been working with the GDPR since 2018, or before 2018, making sure that everything that we do is GDPR compliant, that we serve not only the way for our customers, but also allow our customers that are using us for video and for webinars to have both compliance but also the tools that allow compliance to actually take shape, right?
So do the reporting and everything else that ties into that. Before we dig into the GDPR, and this will be... We do a bunch of webinars at TwentyThree. Some of them are pretty, I don't want to say geeky, but they're designed to be detailed. They're designed to talk about the subject matter that we care about, talk about all the things that will matter to our businesses and to our customers. So yes, it's geeky, but it's also important to say that before we dig into the moral rights of human beings and the European Union and all those kinds of things (we'll get into it, I promise), it's important to say that video is the human side of digital. This is one of the foundational parts of what we believe at TwentyThree. And I think it's probably the foundational part of why you're tuning into a webinar about video, about webinars, on the GDPR: that video, in a lot of cases, is the antidote to the timestamp. Video is a way of having somebody stand in front of a camera and tell a story, to progress a narrative, all the kinds of things that we do in real life. When we meet at the marketplace, you can close your eyes and imagine that marketplace of the 1700s, where you were feeling the apples that you were buying, right? That's the metaphor of the marketplace. That marketplace, over the span of the last 30 years, has moved online. That marketplace has become digital; it's become about apps where you buy everything. It's become web pages and everything in between. And that can become pretty functional. That can become pretty mechanical as well. It can become a way of not being present, of not showing people, of not telling stories. And when we say that video is the human side of digital, we mean it. We mean that humanness. We mean that this is a way of injecting real people into real conversations, in real ways.
And this is something that we'll say in a lot of contexts, because we are passionate about allowing our customers to do all these things. But it's also important to state here, because we will be talking about data, and we will be talking about engagement forms and metrics and data storage and encryption, but foundationally this is all about how we get to video and moving media to tell our stories. TwentyThree is a European company. We're based in Copenhagen, Denmark, and we make products that enable video to be working everywhere in the company. That's everything from the video marketing platform, which is all video hosting, all video branding, all the web bits that you need to make video work in your organization as part of a marketing strategy, and also all the data that comes from the back side of that. We have a webinar platform in one as well, but it's also about professionalizing all the touchpoints around the webinar: before a webinar, when people sign up, the emails that are going out, the webinar itself, but also afterwards. We have a video library product for companies to enable access for every employee to all the video content that's being made. And finally, we have a personal video product that is made for companies to be able to communicate quickly with videos, but also to record and make videos together. So just to say that we have a video suite, and when we start talking about video and webinars, it's in the context of this, because we want to be telling the stories, but we also want to make sure that we can collect the data behind the scenes for everything that matters here. We are, as I said, a European company. And we've been subject to the GDPR, but also have believed in the GDPR, for the better part of a decade, which also means that we audit ourselves, so we have an annual auditor's assurance report about our information security measures. That is a way for us to have somebody come in
and ask all the right questions, all the hard questions, about how data is processed, how we basically live up to our promises on the GDPR. This is a report that was published in its most recent form back in the fall. You can still find it on our webpage. But more widely, it's also saying that TwentyThree is owned and hosted in Europe. So this is where our data centers are. This is where we control what we do; this is where we have a hub for our data governance. We are audited in compliance yearly. We have fully documented security-by-design measures; again, you can find those on our webpage. But more than that, we are also not just people that are ticking boxes. And I think we'll get back to that again and again in this webinar: there are ways of saying that you're GDPR compliant just by ticking the boxes. But it's also important to say that, as digital marketers out of Europe, this is not necessarily just something we do. It is actually something that we fundamentally should believe in, because there are human rights and there are digital subject rights that are part of everything that we do here. All right. So all of that just to give an intro to why I am excited about talking about the GDPR, but also why you should be excited about it, and how the GDPR can help further along your businesses in the ways video can. All right, so what will we be doing today? Well, we'll start by leaning in a bit to what the GDPR is, understanding the foundation of it, and then we'll take that as a starting point to talk about what makes video special in this particular case. Well, spoiler alert: video is very special, and also it isn't really that special. It falls subject to a lot of the same things. But there are things that you need to be aware of and think about when you get to the video space. And finally, we'll guide you through making your video and webinars ready
for the GDPR. As I said before, there are ways of asking questions. We'll raise them at the end, at the tail end, and you can also, as you already see, hang out and talk to the people from Barcelona and from Nuremberg, and from Copenhagen with Cecilia sitting right here behind me. We did a webinar last week, and we were talking about how we should have had a camera on Cecilia so we can wave and say hi. We didn't get there. That might be next time, where I'm not the sole guy on slides and on camera. Either way, make sure you feed in and ask questions. This is meant to be something that will make us all better at all the stuff that we do. Okay. So, a lot of preamble. Let's start by understanding the GDPR. The GDPR is a lot of different things, and if you are in a European organization, you'll have one vantage point of it that becomes a lot about data processing agreements and reviewing vendor terms. But I wanted to start from a different place, where we talk about the GDPR as these kind of three different things. Partially, it is actually a moral right. The GDPR starts, like a lot of legislation, from this idea not that we should have codified legislation, but rather that we as human beings have rights. And I want to start there in a second, and then we'll talk a bit more about what the actual legislation is. And finally, also, what is the practice and the process around it? And I think, without presuming too much, the practice and the process is probably something that we're all at this point pretty aware of. But it's important to get a bit of a primer on the fundamentals. So let's start exactly where I said we'd start: on the moral rights. And honestly, if you only take one thing away from my talk today, my webinar here, it is that people are not data points.
Right, this is something that we're all aware of, but it's the foundational idea of what the EU GDPR is there to do, and we'll get into a lot more of why it's not just a one-liner in a piece of legislation. But it's important to say that whenever we interact with digital services, we leave a digital footprint. We'll leave our cookies around, we'll have tracking, like knowing what pages did I visit, what forms did I fill, what pages did I come in from. And we all as marketers live in this world where that data is an important part of our world, and we've quickly fallen into this idea of: well, let's generate a contact list for ourselves with the 10,000 leads, and then we just do stuff with leads. But ultimately it's important to say that every person on that list is a real person and a real human being that actually has specific rights. At TwentyThree, we do standard training internally, and this is more to say that this is something you'll find versions of in your internal slide decks and your internal training, but for us it's important to say that our customers trust us with that data, and as a service provider in this space, we need to guarantee that that data is treated securely. And it's all about this idea of integrity and trust. So whenever we talk about the GDPR, it can again become about checkboxes and all those kinds of things, but it's really about the idea of human rights. The data is a crucial part for all of us at TwentyThree, but for all of you guys as well. Data is a part of delivering great services. We need to believe that companies that are storing this data should be doing so with an actual responsibility and also with a clear purpose. And we should be open and we should be transparent about that, right? So whenever we talk about these things, it's really about serving that idea of integrity and trust. So these are from some internal training slides that I wanted to share,
just because it's part and parcel of the idea of why we're all buying into a conversation like this one. A different way, though, of looking at the moral rights is that we are all acting in an extremely complex world, right? There's no way... well, we could say that three years ago there was no way of having any overview of what went into the services that we're interacting with, the apps that we're using, what about the video surveillance that we interact with when we take our daily commute, all of those different things. And in the age of AI, that's even more complex. So there's a fundamental information asymmetry, in the sense that people will know much more about you than what you know that they know. And the only way of aligning that with an actual accountability for the information that's being processed about you or about anyone else, all those people that are not just data points, is about codifying it in legislation. So again, this is about people and not data points, but fundamentally, we live in a world where there's too much complexity, to a point where there's no way for us to understand that complexity, and the only way of treating that in a way where that is not exploitable is by taking that information asymmetry and making sure that there's accountability that goes with it, right? So that's a different, more fundamental way of saying what we are trying to achieve overall with the GDPR. And this is also a case where we can see that there's leadership on this data transparency. We've seen this evolving over the span of the last decade as well, this idea that there are ways of not only saying, well, that's some legislation that exists outside of us,
but also an actual way of having meaningful leadership, and here's a photo of myself with Max Schrems, who is one of the outside leaders that have been pushing on not just legislation, not just the process and practice, but the actual rights that are imbued in us when we get into talking about the GDPR. Okay, so we spoke a bit about moral rights. There's more to say there. It's important to use that as a foundation, but we'll switch into the world of the things that we can read, right, the actual legislation that comes into the GDPR. We'll talk a bit about the anatomy and some of the principles and the rights, and we'll get into talking a bit about the enforcement. But if you look at the history of European legislation in the data protection space, it's actually not just a big date in 2018 when the GDPR came into enforcement. Rather, this is a long struggle of data protection laws both across Europe and in the European Union, or the European Community. So already in 1995, there was an EU Data Protection Directive. That was one of the first steps at codifying this idea that there are problems with data privacy, particularly data privacy when you start introducing structured recording, right, basically computers and databases. And that deals a lot with: what are you allowed to mail to people? Are you allowed to track what magazine subscriptions people have? All the things that came into modernity in the sense that suddenly we would need to know a lot more about people. And the 1995 Act, or Directive, set up these guardrails for how that data is treated. It's a pretty decent piece of legislation, but also one that was overrun massively by reality. So you can see the difference between the internet or digital realm of the first half of the 90s
and just walk through in your mind what happens in the late 90s in terms of this dot-com boom, with a lot more services, a lot more tracking, a lot more data, and certainly the 2010s with cloud access, massive scaling, social platforms that were built not just for interacting but also for harvesting data, for harvesting meaningful traction and getting people to engage with the services in a different way, right? So you can see the difference between the early 90s of the first pieces of legislation and this data explosion that means that through the 2000s and up until the early 2010s, basically all the old rules were creaking. So this idea of what we were allowed to do before, all of that was limiting as you went along. So that basically means that there were pushes in the early 2010s through to 2016 to adopt a new version of data protection rules. That means that in 2016 the GDPR was adopted, and on May 25, 2018, the GDPR became enforceable. And again, this is more about how the GDPR is reactive, just like the legislation that came before it, and even the DPD from 1995: all of that reacts to realities that we're in. And the GDPR is very much about that, right? It's starting out with this idea that guardrails need to be pushed in. We need to have more firm legislation and also have that be massively enforceable. So what is the GDPR solving? Well, some of that asymmetry that I spoke about. There's a lack of trust in how companies are handling data. And you can, again, just close your eyes and think about the American big tech giants of Facebook and Google and X and everything in between, that certainly the trust that we can have in how those services are dealing with personal data is shifting and being on the mind day by day. At the same time, the rules for how to deal with this as a European Union were fragmented.
So it also ended up in a situation where there were unclear rights for citizens. It was unclear what I could expect. That might be more something where we can externalize those pains, right, the idea of somebody is over-tracking or somebody is pulling in way too much data, trying to house that data, sell that data, use it for evil things. But we can also say that we as marketers probably had a pretty widespread "collect everything and hope for the best" practice, this idea that, okay, we just collect all the data, we put it in a data lake, whatever we called it in 2016 or 2018 or whatever, and suddenly we were saying, well, we have a lot of data, we might be using it later. And again, the GDPR is trying to solve for that, where there's not just a requirement of knowing what data you track, but also to limit the data to the things that you actually are going to be using. The GDPR is also solving for weak enforcement mechanisms, and generally cross-border chaos, with different parts of the European Union having different requirements. The actual legislation is 11 chapters and 99 different articles. It covers all the different... I mean, it applies to the processing of personal data wholly or partly by automated means, all that kind of stuff, or a filing system, or everything that's meant to form part of a filing system. Essentially, it is personal data in the EU. It has the idea of material scope, that has something about automation, something about going in a database. So if you are only tracking something on a piece of paper and you're planning to macerate it afterwards, that probably isn't in scope for the GDPR. But for the things that we're talking about here, digital services, there's really no exception for when the GDPR doesn't apply if you track personal data. In terms of territorial scope, it's also sector neutral.
It means that there are no particular sectors that are more subject to this; we are all subject to it, and any company acting in the EU, or any company in the EU, or any company outside the EU that processes the data of EU residents. So it also means that it's a pretty wide piece of legislation that covers not just the EU, but everything related to people that live in the EU. There are, and it actually is fun, particularly if you've worked with the GDPR for a while, to step into this idea of what's actually in the legislation, what the actual articles are. Well, there are principles that relate to the processing of data: this idea that data should be processed lawfully, collected for specified purposes. You can find plenty of portals out there that will let you walk through all of the articles of the GDPR, obviously. But it is worthwhile highlighting a few of them, Article 5 certainly being one of them, because you have heard a lot of this language before. So the GDPR basically requires much tighter control of not just data, but also how it's collected, how it's stored, and how it's used. It's important to say that the data that is being collected must be processed lawfully, fairly and transparently. It must be adequate and relevant and limited to what's necessary for processing. Again, this idea of limitations for what is kept. If you actually track data, you're also required to keep the data accurate and up to date. It must be kept in a form in which the data subjects can be identified for only as long as it's necessary for processing. So again, if you have personal data, you must be deleting personal data at a point where you no longer need or have a use for the personal data, so you don't have data that lingers around just for the sake of it. It certainly must be processed in a manner that ensures security, and can only be collected for specified, explicit, and legitimate purposes.
You have heard versions of this before, because these particular terms are for people that are not just GDPR professionals, but marketing professionals or communication professionals, or even digital professionals: you'll have heard this idea of lawful processing or legitimate purposes. But this is actually something that stems from Article 5 of the GDPR. And that ties in again to this lawfulness of processing, of how consent is given, how that necessity of processing is instituted. So it's more about saying that we are talking a lot about these ideas of what the reasons are for us to collect and then ultimately, yeah, process data. So the list is pretty short, and you can figure out the cases where you're collecting data, and certainly in the context, for example, of signing up for a webinar, or tracking who is watching a video, or who is in a video, you must be making sure that the data that you process around all of that is tied to these particular purposes. That can be because you are serving a contract. It can be because the data subject has given consent. It can be because there's legitimate interest in what you are selling. You can have a legal obligation to do so. And then, as a bit of elasticity in the last one, because of public tasks; this is something that we won't dig too deep into, but you can probably find criticism in how public sector institutions have a bit more room in terms of the data they can process about people. There are also special categories. It's important to say that this one is actually the thing to really be aware of as you start building your databases of people: there are special categories of personal data, for example union membership, sexuality and other parts, that have a special category. And again, you need to have special measures, special security, in place if you track anything
about not just email addresses and IP addresses, but the deeply personal data that is mentioned in Article 9 of the GDPR. Okay, so those are all the things that we're used to. Like, do we have security? Do we collect for legitimate purposes? Do we have a use for the data that we're collecting? And ultimately, do we have processes for what we're doing with that data, to make sure that all of that stuff works? All of that ties to the rights of data subjects. And it's always nice to know that the data subject is actually us, like: what are we given as rights, as people interacting with digital services? Well, we have a right to access the data that is being tracked on us. We can ask any service, again, all those American big tech services, but literally also our services, right? There's a right to access, there's a right to have the data rectified, there's a right to have it actually be deleted. There's a right to restrict it, and there's a right to take that data and move it elsewhere. There's a right to object, and there are rights around automated decision making, around all this stuff, right? So, I showed you a picture of Max Schrems before. All of the stuff that is in the articles before Article 12, that is how we deal with businesses: what should we do in order to make sure that we comply with the GDPR? When we start talking about the subject rights, this is where we can actually exercise those rights. And Max Schrems is a good example of somebody who's challenged the GDPR and challenged people and their compliance with the GDPR based on these specific rights. Do we actually have the right to take our social media data from one platform to another and port that data? Do we have a right to be erased from those datasets as well? All right, so that can sound dry,
and it probably is, right? And I can say that I'm fully fascinated by all this stuff, and hopefully it wasn't a bore for you guys, but it's important to say that all the things here actually matter tremendously to what you should be expecting about video. A good example would be that when we get into talking about video specifically, well, we'll have specific pieces of personal data that will be processed around, again, somebody adding a comment or a question in a webinar. That is personal data. So it also means that there are ways of processing that, and there are rights associated with that. And it's important to have a baseline understanding of that. The GDPR also assigns specific roles to people, and this is where we start navigating from just the legislation part and get a bit further into how we act within this legislation. These two are ones that you'll most probably have heard of before. There are data controllers and data processors. And once you get really good at the lingo of this, you can throw them around and say, I'm both a data controller and a data processor, and this is the case where I'm one. But for the purposes of this, it's important to say that a data controller is somebody who actually has the data, right? And if you're hosting a webinar, like we are here, we're the data controller of that engagement data. We know who participated in the webinar, who signed up for it, who didn't participate. We know who asked which questions. We also know what people asked, which things in the chat, and so on. That is personal data. We must treat it under the GDPR. And we do so because we're the data controller. So we as a company must ensure that collecting personal data lives up to all these rights and requirements that I spoke about before. It also applies to data about employees and customers, website visits, webinar audiences and beyond.
So we're all data controllers as we start collecting data. So this is a crucial role. Then there are data processors. Well, they span pretty widely, but for the purposes of what we're talking about here, they are the services, think all the SaaS products that you're using to process your customer data. They are the services that are running the databases, running the encryption that makes sure that you can live up to those rights and requirements under the GDPR. And it's crucial to say that a data processor, well, that's a service that must assist the data controllers in ultimately living up to that. And I think when we get into the video space, this is where there's plenty of things that are about video and webinars, but it's also about making sure that you have a data controller that has the true basis in place for all this kind of stuff. Usually between the data controllers and the data processors, there's a data processing agreement. So that's a legal document where the former, the data controller, will instruct the service handling personal data on their behalf. And that is basically a way of enforcing a lot of the responsibilities and those safeguards and accountability on the data processor. So it's usually a fairly simple, and at this point fairly standardized, document that prescribes all the different ways in which the data controller expects the data processor to be acting on their behalf. And they'll usually have a way of saying, well, this is the subject matter, this is how long the processing is going to happen, this is the nature and the purpose of the processing. And then importantly, it'll also list the types of personal data and the categories of data subjects that are part of this stuff.
And then, obviously, it's enforcing specific obligations on the data processor on behalf of the controller, for example ensuring confidentiality, implementing security measures, and some of the tooling to end up ultimately supporting the data rights of subjects. These are some of the mechanisms that are actually prescribed by the GDPR; they didn't get invented just as an afterthought after the GDPR, they are actually prescribed in there. But it's something that we are very used to, and we'll dig into that in a second when we start talking about these processes. Okay. Finally, enforcement is part of it. Again, it's fascinating to go through the actual legislation to see what the enforcement mechanisms are. The enforcement in the EU is handled ultimately by data processing, or data protection, I should say, agencies in individual countries. So I'm in Denmark, which means that it's going to be the Danish data protection agency, called Datatilsynet, that's responsible for enforcing how TwentyThree is living up to the GDPR, and depending on where you guys are, you'll have different data protection agencies that are ultimately responsible for making sure that companies and other actors in the space actually live up to these requirements. There are massive fines. You'll have heard some of the stories about the fines that are being imposed on Facebook and their friends; you'll have heard other cases where people are trying to negotiate this idea of what we are expected to be doing. But enforcement is obviously part of this, and it all goes back to that short list I had of the purposes of the GDPR. Yes, it's about setting the guardrails, but it's actually also about having meaningful consequences if people escape those particular guardrails. All right, so that's us having spoken about some of the moral rights, the data, like people are not
data points. Maybe you can give that in your feedback later, that I was talking for way too long about different articles and different parts of the legislation. Where most of us act, this is where I'll interact with our customers and you guys, as probably marketing system buyers or webinar professionals and everything in between: that you'll be acting with the different services that you're buying on behalf of your company and making sure that there's this kind of firm contract in place, making sure that the data controllers and data processors actually live up to their responsibilities. And that's when we get into this practice and process. What's really important here is that this space has moved massively, massively, massively in the span of the last, well, I guess eight years since the GDPR came into enforcement. When we all started out in 2018, I think we were all stressing a bit to figure out: what does this actually mean? How do we write a data processing agreement? What should we expect from the people that we're working with? How do we enforce this? What does security mean? What is a data subject? What are the different kinds of data that we're processing? There are different evolutions here, particularly the first wave of figuring out how we find a common language for the GDPR and how it's being implemented in different companies. That happened in the first three, four years of the GDPR. Post that, there were a few, I mean, basically earthquakes in the enforcement, with judgments coming down, particularly again driven by some of the work that the data processing activists, with Schrems first and foremost amongst them, drove in terms of: what does data export do? How do we actually have people be able to enforce their rights? So that shifted the landscape again.
And I'll say that it's not that we all know exactly how to have every conversation by 2025 or 2026, but there is a maturation of the space where we know what the different documents are that we're using and what the processes are in terms of implementation. If you've been in the space for a long time, you'll probably have that same sense, right? All the things you need to do in order to tick the boxes and make sure that enforcement happens, or the audit regimes and all that kind of stuff. At least we have shorthand and vocabulary for it. So there's a maturation of that one, in a different way, right?

First of all, there's the choreography between data processors and data controllers. A lot of that is the DPA, and actually the DPA is much more standardized by now. It's not that every company will have the same DPA; that wouldn't really be meaningful. But there's a lot of expectation of what goes into that instruction set, right? As I said before, it's a lot about making sure that you reference the GDPR in the right way, that data transfer happens on the standard contractual clauses, and all the different bits and pieces that I mentioned before. But essentially the main point here is that on the process part, in order for you to act meaningfully under the GDPR, you need to make sure that instruction is in place for your data processor, and specifically, for what we're talking about here, for the people that are managing video. That you don't just pick a free service and upload this thing, because that will expose a lot of personal data: the people in the video, but also the people watching the video, and all the comments, all that kind of stuff. And without having clearly specified guardrails in the form of a data processing agreement, a data processing agreement that lives up to the GDPR
and to your company's expectations, well, then you are finding yourselves in a world of at least complexity, and potential hurt, when it comes to the GDPR.

We're gaining a common language of what a sub-processor means. So sub-processors are not just the data processors, but rather the people that are helping deliver the services to the data processors. This used to be a bit of murky country, again because we didn't have a meaningful shorthand for what we expected from those data processors. There's still a way to go in terms of making sure that this works for everyone when you read through a data processing agreement, but with sub-processors, it's really about figuring out how, in a complex world of cloud computing and all those different things, we can actually make sure that not just the people that are hosting video on your behalf or running webinars on your behalf are living up to the GDPR, but also the people that they're using. That the data being processed as part of delivering a webinar like this one is actually meeting the same requirements on encryption and all the different things that tie into them. The process here is more about making sure you can vet, and that's a process for knowing what sub-processors are used, but also probably for appointing new ones or decommissioning them.

Then a major part of the negotiation on the process rollout for the last few years has been about data export to third countries. This idea that we don't just live in Europe, but rather that there are international data transfers that are part of the mixture. Specifically, making sure that the GDPR actually protects individuals whenever the data travels. When data leaves the EU, specifically when running an American-hosted video service, that doesn't mean that the people being processed on the video service aren't EU citizens, so the protections must travel with it,
and also making sure that the same equivalent protections are met even in cases where the hosting provider is not in the EU but anywhere else in the world. Certainly, we have heard this idea of third countries, and if you are well-versed in the space, you'll know that this is when we start talking about the American courts and how they get access to the data. I won't dig too deeply into that; there's plenty to read around that, but it's mainly about making sure that there are equivalent protections for data when it leaves the EU, and appropriate safeguards. That means including the standard contractual clauses. Those are essentially pre-agreed contractual clauses run by, or approved by, the European Commission that bind anyone importing GDPR-type data to also live up to the GDPR protections. They were updated in 2021 to reflect Schrems II. Again, we're talking a lot about Schrems II without talking a lot about it, but in practice, for the processing part and also for the process part of things, it's mainly about making sure that whenever you have a sense that your data will be leaving the EU, either as part of you controlling it or having a data processor access it, it's not enough to just have a data processing agreement in place. You probably want to make sure that you read through and approve a transfer impact assessment, and ensure that it includes supplementary measures in the cases where risk is identified as part of that TIA. It's also important to see that the standard contractual clauses are a nice base level, and probably sufficient if they're implemented well, for the GDPR protections, but it's also important to say that they don't override local laws, so we also need to make sure that they're implemented in meaningful ways. This is when we start talking about the data privacy acts between the EU and the US and all this.
Again, we're maturing our space here to get to a point where we have a lot of the shorthands and the meaningful documentation in order to be able to see that data processing is done in nice and meaningful ways.

All right. And finally, what has happened in the last few years is auditing and transparency. So we started implementing a lot of these things, and I want to say "we" as an industry as well, but not just having the documentation and the checkmarks. Showing compliance is really important as part of the legislation, and certainly important as part of the GDPR, to say that there are actually not just people that sign a document, but also people that audit the practices around that and make sure there's transparency around it. I showed you our annual report before. I would say that you should probably expect a similar document from any hosting provider you're using in the GDPR space, anything that's processing data on people, whether that's for video or not.

All right, we got really far. We spoke about the GDPR and the moral rights and all the human sides of digital. I want to talk, though, specifically about videos and what makes videos special in this particular case. As I highlighted before, video is just one category alongside all of these different things. But there are things that make video, not a special category, because that's not really what it is in the context of the GDPR, but there are kinds of data being processed around videos, around live attendance, around video, that are slightly different from the rest of the space. It's not just a name and an email address; it's actually fundamentally more. And as we're getting more and more used to having more expectations on the data around video, it's also important to say that this is also where you should start having key requirements for the people and the services
that are acting in the video space with you.

All right. Personal data on video platforms. This will apply to TwentyThree, yes, but it actually applies to literally every platform you're using out there. So if you're using YouTube to host video, or you're hosting webinars on YouTube or webinars on LinkedIn, in all of those different cases you're basically subject to this exact personal data on those particular platforms, and you want to make sure that the same guardrails are in place for them.

Personal data on video platforms. Well, basically the videos themselves, right? Right now, I'm standing in front of a camera. The camera will record me, and yes, hopefully the picture is sharp and clear enough that you can identify me. So even in cases where you're saying, well, we don't track people, we don't have the IP addresses, we don't have people sign up, we discard all the data from the server logs, we are literally only playing a video on our web page and nothing else. Even in that case, you're still subject to the GDPR, because video recordings themselves, and even the voices on video recordings, are personal data. So in every case where you have a video file with a person on it, you are holding a piece of personal data, and you must make sure that piece of personal data is actually processed in ways that matter for the GDPR. So I've heard a lot of times that people are saying, well, we're skirting this because we don't do X, Y and Z. But honestly, if you are using videos, whether live or on demand, whether it's a standard video uploaded to a web page or in an app, or running webinars or live streams, well, you are subject because there is personal data tied into the video.

Then there'll be user-generated content as part of the platform as well. At TwentyThree, we call that open upload,
but it can be video that's being uploaded not by the company itself, but by somebody that's coming from the outside, and certainly there, there's both the actual videos being uploaded that are being processed, but also potentially information about the person that uploaded that piece of user-generated content.

Webinar participation data I've already used as an example a whole bunch of times: that could be your chat messages, it can be your Q&A, it can be if you answer a poll. In the context of TwentyThree, we'll know whether you download a handout, we'll know whether you open an email. All of those different things certainly massively apply as part of running video in a broad sense and having personal data tied to that.

There will be account data. It could be your name, your email addresses, your job titles. They can be for people logging into systems; that's sort of a special category of personal data there as well. But it's also going to be about the people that sign up for a webinar or fill in a form in order to watch a video, or even cases where you're tracking knowledge of who is watching a video through a marketing automation system. So again, personal data is all the way around making meaningful value out of video and out of webinars.

Then behind the scenes, obviously, a lot of usage and analytics data. Here we're on the easy part of things. You can find plenty of cases where the IP address is not something that can allow you to go back to a single person, but as you narrow this down, IP addresses and actual locations will ultimately also make up personal data, and then all the viewing behavior around that: the timestamps of what people watch, the duration that you participated in a webinar, or the viewing behavior that ties back to a known person. All of that is obviously personal data as well, along with a lot of derived personal data that comes from videos and webinars as well.
I don't know if you've turned on the live transcription or are watching me with German subtitles as we talk now; feel free to do so, it's really cool. But it also means that there are all these derived pieces of personal data around video. There are transcripts, there are captions, there are translations and everything tied to it. So I really want to emphasize here, and you can say, well, you're running a GDPR-compliant video platform and are interested in saying that all the other services out there are not GDPR compliant, and yes, I'm probably saying that, but it's not the main purpose. The main purpose is making sure that all the mechanisms we prescribed before, this idea of knowing what data you're processing, what purpose you're processing it for, whether there are ways of being transparent and restrictive around it, all of those things you must be able to honor in order to do video meaningfully in digital services.

I mean, at this point, it's not the elephant in the room; it's the elephant, right? It's this idea of what trust we're putting in the services that we surround ourselves with, and what data they're tracking around us. It's not putting too fine a point on it. But it's making sure that whenever you put personal data on, say, Instagram, you're making sure that it lives up to it. Did you sign that waiver in order to make sure that the person on the video actually gets to be online? Well, you actually are responsible for doing so. So all the way back to knowing that those services will actually know who watched the video that you put up there, and will be able to use that data in either very cool ways or maybe not as cool ways. And again, you're responsible for those particular parts.

Video, as I said, has a lot of different kinds of data subjects, kinds of data. But video is also different from a lot of other digital services
in that you want to make sure that videos are delivered globally as well. So, part of delivering any kind of video online: well, you could just host an MP4 file on an FTP server somewhere. Probably not an FTP server, but anyway, you can just deliver the video file. But in most cases, where you want to have a meaningful interaction, to allow people to not have buffering and to view the best possible quality, you want to have delivery through edge locations that are near customers, and that travels outside of the EU pretty quickly. So global distribution is really a core part of it.

You want to make sure there's security in processing video as well. Let's see if I can click the right amount of buttons here to not have one thing appear after another. Essentially, the GDPR prescribes specific appropriate technical measures and appropriate organizational measures. On the technical part, that's encryption, making sure that you know exactly where data is. In some cases, you want to make sure, probably, that your video is hosted within the EU and only delivered from the EU, and data never leaves the EU. That's one part of it. But you also want to make sure that the people that are hosting on your behalf actually have implemented meaningful organizational measures to make sure that data doesn't live in ways that you're not in control of. You want to make sure that there are access controls for the content, you want to make sure that there are audit trails, and then probably you want to make sure that deletions work securely and that sharing works securely as well. So this is a list that you will probably find for other pieces of content. But you can again see that video is a different beast here. Appropriate technical measures are slightly different when it gets to these large-scale videos and all the derived personal data that you can get around video.
So encryption might be different, because streaming is different when you get to having encryption at rest. There are more things that you're doing as an organization around video, meaning that audit trails are more important. So again, you want to make sure that whatever you're doing on the video side, you can mentally check a lot of these particular parts as well.

And then I want to say that there's a compliance landscape around the EU, but also around video and the GDPR in specific ways, that also does affect video. We probably will at some point start talking about how DORA impacts the GDPR and what that means for video. I just want to say, as we're starting to look at the compliance landscape, that yes, the GDPR is first and foremost among them, but there are other pieces of legislation that you want to be aware of as you're rolling out video services. And I'll make the pitch for myself again here and say that you want to make sure that you work with somebody that is aware of this stuff, and make sure that you can reasonably deploy in ways that are compliant, but that also give you the tools to keep being competitive. So that's going to be the European Accessibility Act, which came into enforcement last year. It's DORA, the Digital Something Resilience Act, for financial institutions. And the ePrivacy Act, which is basically what we would usually call the cookie legislation. All of those things also matter for how you're setting up all these different things.

All right, so a lot of GDPR, and then hopefully a really good primer in how all of those different bits and pieces, those Article 5s and 9s and 12 through 23, whatever it was, matter specifically for video and the specific kinds of video, and some of the limitations that you want to make sure that you're aware of as you roll out video.
So, I'll give you a quick primer in terms of how we deal with this at TwentyThree. This should probably be more a way of saying: can I find the equivalent pieces of documentation in the ways that I'm hosting video and webinars for myself at the moment? And when I've flipped through all this, we'll take a few questions. So again, if you have a question, make sure to post it and we'll get there as well.

So, a quick guide to getting ready with TwentyThree. First of all, I showed the slide before, this idea that we actually are owned in Europe right now. The team and I are spending a lot of time finding new vendors that will allow us to have everything meaningfully hosted within the EU; that's something that we're committed to doing in the next few months, having audited compliance and so on. So it's about being in this mindset and actually believing in the GDPR. That's a kind of baseline. We have a data processing agreement that you can find on our web page that will allow you to do all the things that you are expecting here: standard contractual clauses, implementing technical and organizational measures, data breach management processes, and annual external audits, with transparent mechanisms around both that and also how our sub-processors work. The sub-processor list is actually published and available on our web page, with ways of getting updates for that, and with meaningful information. It isn't just, hey, we list them for the sake of needing to list them, but an actual way of knowing how data is being processed both by us and by our sub-processors. We've published our transfer impact assessment as well. This is a documented risk evaluation that is done by an external vendor, and it goes through all the cases where data might be exported as part of delivering the TwentyThree service, and the mechanisms that we've put in place in order to ensure that all that works well.
And then I spoke about the GDPR audits, again something that we publish every year to make sure that you can also see, in transparent ways, how we're living up to our promises. In the product, we have privacy controls that allow you not just to say, well, I signed up with TwentyThree and they're doing all these different things, but to actually have tight controls: what cookies are being set, what am I tracking for particular things, what forms are being used, how do I have opt-in when people are filling in forms, and again a lot of controls around how those forms are working, both within videos and within webinars. We have specific controls again around how data integration is done. So again, just making sure that this tick list of things, like we have forms here, we have this data, we have this data that's being collected, we have integrated data into other platforms. You really want to make sure that all the data that travels with you as a data controller, and on your behalf into different services, lives up to the specific requirements that I set forth here. So, good examples of how we're doing it at TwentyThree, and hopefully you got a really cool sense of some of the things that you want to make sure of, again, whether you're a TwentyThree customer or whether you're using something else to run your video or host your webinars.

Again, cool. I spoke for 55 minutes. I was proud about going through a lot of different things, and hopefully you got this sense that there's so much more to talk about. You can download all the slides, all that kind of stuff. But what I really want to do now is open up some of the questions. That's a lot of questions. Let's see what we can do in five minutes. So there's a question from Juan. Next one, Cecilien, we can put it on screen and I can also read it. So Juan is asking: was it
not enough to be good and safe, but you must demonstrate that it's not bad; do you agree with the statement? We had that statement, and regarding data. I mean, I think Juan is asking this to be a bit facetious in a way, right? The problem with all the legislation is that you're trying to find the baseline, where being not bad is probably what you want to be demonstrating. But hopefully what I've highlighted here is that it's not hard to live up to the GDPR. All of this is knowable, and I honestly get a bit annoyed whenever we have conversations with people that are trying to do the very least or skirt by, right? It's like, this data, not this, whatever, all that kind of stuff. This is actually a key value for a lot of people. This is actually something that we should be proud of, certainly as Europeans, but probably also as we're rolling out digital services. So I think this one resonates quite a lot for me, because there's a way of leaning into this from a progressive agenda of saying, hey, we should be doing better and we can be doing better, particularly with the tooling as well.

All right, then Suleiman is asking: "When it comes to video uploads by a client (controller) to the platform of the service provider (processor), that video may or may not contain PII. It may or may not have PII that's already in the public domain. In such a situation, to what extent do DPAs have to govern the uploading of video?" So to rephrase essentially what's being asked here: are there cases where video is not personal data? Yes, certainly you can find a lot of cases; say, an animated product explainer with no visual. That's a good example of a case where there's no people in the video, there's no voiceover, there's no actual human being talking. In that case, there's certainly no personal data in just the video file itself.
I want to say, though, that it's a pretty good heuristic to say that video is, not always, not 100% of the time, but almost all the time, actually personal data. This is the case where there's somebody in the video that is identifiable, or somebody speaking on the video that is identifiable through their voice, and certainly in the age of AI it is getting a lot easier to know who is in there. And then someone is also asking whether there are ways of waiving that. Obviously, there are ways: where you have a voice actor that's voicing over a video, or even just an actor in the video. In all those cases, there are contractual ways of making sure that you own the rights for that particular performance to a point where whatever personal data is involved with that one no longer applies. There are pretty good tools for managing this stuff. There are people I can see, both in the chat room and asking questions, that are selling services like that one, right? So there are ways of managing this, but a pretty good heuristic for all this stuff is having a sense that the video data is personal data. And certainly all the data around it that I spoke about before is also there.

Richard is asking: how does the EU/European Accessibility Act apply, and how is it taken into account by platforms? So this is a really good question. As I said, the compliance landscape here is such that the GDPR is not the only thing that applies to video, and the EAA is something that is hugely important to our digital industries, for everything from hardware to software to apps to websites to video players and so on. We are hosting webinars specifically on the EAA and accessibility. But I will answer this one very specifically in the case of this one, to say that the EAA applies massively to video, not necessarily in a way that overlaps the GDPR, but it's part of the compliance landscape.
If you want to find out more about this stuff, yes, come hang out at our webinars; you're more than welcome. But you can also check out twentythree.com's accessibility page, where we have essentially conformance reports, but also a pretty good primer on some of the things that you should expect from a video platform around accessibility as well. So it's in the sphere, but also not necessarily.

Then David is asking: is it a requirement for video servers to be in Europe in order to be GDPR compliant? Well, no, but it's a huge benefit. This idea that you want to make sure that the data that you host is hosted natively in Europe means that it's squarely run and subject to the GDPR in ways that you can maybe prescribe in other cases. This is a case where we have all the data hosted in the EU as part of the TwentyThree platform, but we're actually doing more. So we are moving to a point where a lot of the hosting that we're doing is not just physically in Europe, but also in locations that are owned and operated by European companies, to make sure that we're going that extra mile, to not only tick every box but also really run the sphere where we act on what we believe at TwentyThree.

All right. That took us to the top of the hour. There were quite a lot of questions, which is amazing, and I really appreciate all of the interaction, all the questions, all of the chat, and just the time hanging out with me today. This is an ongoing conversation, and as you can tell, like an hour of me ranting, this is something that I care deeply about and that I'm quite interested in, not just in how we talk about it, but also how we build services around it, how we build expectations and communication and transparency about it. So if you want to keep this conversation going, reach out, contact me or contact somebody else from TwentyThree. We have a nice specialist team,
a support team if you have questions. We're more than happy to help out if you feel that some of the things that we spoke about here, on DPAs or TIAs or whatever, are something that you need in order to make sure that you're compliant; we are more than happy to help. And then on the practical side, there will be a recording of this, and the slides will be available. But again, please let's keep the conversation going, and thank you so much for being part of this webinar.