Skip to content
BlurFirst

GDPR and Screen Sharing: Keeping Personal Data Off the Screen

7 min read

Screen sharing a CRM, dashboard or inbox can put personal data — names, emails, IDs, IP addresses and location — in front of people who don't need it, and into retained recordings. Here's how data minimisation applies and how to keep personal data off the screen. Not legal advice.

Personal data under GDPR — a customer's name, email, IP address, order or account ID — routinely sits in the CRM, dashboard or inbox you're about to present. The practical way to stay on the right side of data minimisation is to keep that data off the screen: share a single window, blur the personal data you don't need to show, and control whether the session is recorded and how long any recording is kept. An unnecessary on-screen disclosure — especially to people in another organisation on the call — is exactly the kind of processing the principles are meant to curb.

What counts as personal data on your screen

GDPR defines personal data broadly: anything relating to an identified or identifiable person. In Salesforce, HubSpot, a support inbox, an analytics dashboard or a spreadsheet of users, that includes:

  • Direct identifiers — names, email addresses, phone numbers and postal addresses.
  • Account and reference IDs — customer, order, ticket and user IDs that map back to a person.
  • Online identifiers — IP addresses, device IDs and cookie identifiers, e.g. in an analytics or logs view.
  • Location and behaviour — city or region columns, session recordings, purchase history and other profile data.
  • Special-category data — health, religion, ethnicity or similar, which carries stricter handling and should almost never be casually on screen.
  • Other people's data in the margins — a contact list, an inbox preview or a notification naming customers unrelated to what you're demoing.

Which GDPR principles apply to a live share

Three principles do most of the work here. Data minimisation says process only the personal data you actually need — showing a whole customer table when you're demoing one workflow is more than necessary. Purpose limitation means data collected for one purpose (say, fulfilling orders) shouldn't be casually repurposed as demo material for an audience with no need to see it. And for recordings, storage limitation matters: a screen recording full of personal data is itself a new record that must be kept only as long as needed, then deleted. Keeping data off the screen in the first place is the cleanest way to honour all three.

Common risks and how to reduce them

RiskPractical mitigation
Whole screen shared, exposing other apps and tabsShare a single window only; close or blur background tabs holding customer data.
A CRM list or table showing many customers at onceBlur the columns and rows you're not discussing; reveal only the one record in scope.
Inbox, chat or notification previews naming customersTurn on Do Not Disturb; box-blur the message pane; keep a panic blur ready.
Analytics or logs showing emails, user IDs or IP addressesBlur the identifier columns; present aggregates rather than row-level personal data where possible.
Cross-org demo to people with no need to see real dataUse a demo or sandbox account with fake data, or blur real personal data before presenting.
A retained recording containing personal dataDecide up front whether to record; if you do, limit retention and delete when no longer needed.
Where personal data leaks in a screen share, and a practical mitigation for each.
  1. 1

    Share one window

    Present only the app you're demoing so your inbox, chat and other tabs with personal data stay out of frame.

  2. 2

    Blur personal data in the page

    With BlurFirst, box-blur list views and identifier columns, then element-blur individual names, emails or IDs. The blur is rendered into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom and any recording.

  3. 3

    Scan for common identifiers

    Click Scan to auto-detect and blur emails, phone numbers and card numbers locally in one pass — a quick data-minimisation sweep before you present. It matches patterns, not free-text names, so check the ones it can't detect.

  4. 4

    Reveal only what's needed

    Leave visible just the record or metric relevant to the call; keep everything else frosted. Start blurring with Ctrl/⌘ ⇧ Y and panic-blur with Ctrl/⌘ ⇧ H.

  5. 5

    Control the recording

    Decide whether to record at all; if you do, review it for stray personal data and keep it only as long as you need it.

A checklist before you share your screen

  1. Prefer a demo or sandbox account with synthetic data for anything customer-facing.
  2. Share a single window, not the whole screen.
  3. Turn on Do Not Disturb so notifications naming customers don't appear.
  4. Blur identifier columns, lists and previews, and run Scan for emails, phones and card numbers.
  5. Reveal only the record or metric in scope — data minimisation in practice.
  6. Decide whether to record; if you do, review it, set a retention limit, then delete when done.

Frequently asked questions

Does GDPR ban screen sharing personal data?

No. GDPR doesn't prohibit screen sharing; it asks you to process only the personal data you need (data minimisation) and to keep it secure. Sharing a single window, blurring data you're not discussing and limiting recordings are practical ways to align with that. This is general guidance, not legal advice.

Is showing a customer's name on a call a data breach?

Not automatically, but an unnecessary disclosure of personal data — especially to people with no need to see it, or in a retained recording — can be a personal-data breach depending on the circumstances. Minimising what's on screen reduces that risk; assess specific incidents with your DPO or legal advisor.

Do screen recordings fall under GDPR?

If a recording contains personal data, it's a new record subject to GDPR, including storage-limitation and security obligations. Decide whether recording is necessary, limit who can access it, and delete it when it's no longer needed.

Is blurring personal data enough for GDPR?

No single measure makes you compliant. Blurring supports data minimisation during a screen share, as one control alongside demo accounts, access controls, retention policies, staff training and a lawful basis for the underlying processing.

Can I blur personal data in a desktop application?

A browser extension only covers content inside a browser tab, which includes web-based CRMs, dashboards and webmail. A native desktop app, a second monitor or the OS itself is out of scope; a desktop app is in development.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome