It almost always starts the same way. One podcast catches on, and before you know it they're popping up everywhere: comms launches a brand show on Spotify, HR puts an onboarding series on a free service, and a department head “quickly” shares a hidden link. Each one well-intentioned. Together, a compliance problem.
Every new channel brings its own storage, access rights and risks. IT and Security rarely have a single dashboard covering all podcast activity, and that's exactly where the gaps appear. In government, banking, insurance or healthcare, that isn't a theoretical risk but an audit finding waiting to happen.
First this: your internal podcast falls under GDPR too
A persistent myth is that GDPR is mostly about cookies. It applies to all personal data, and a podcast is full of it. A download links an IP address to listening behaviour, and the episode itself contains voices and names. A voice is personal data. An internal “watercooler” chat can reveal confidential matters.
Two consequences: get explicit consent from everyone featured (guests and employees), and accept that even a purely internal podcast falls under GDPR. Either way, your organisation stays responsible, not your vendor.
The 7 requirements
1. EU data residency: where does your data physically sit?
Since Schrems II, transfer to the US is legally precarious: US law can grant access to data held by US providers, even in Europe.
2. ISO 27001:2022: independent proof
An information-security standard audited by an external party, not a self-declaration, but a certificate with a scope and an expiry date.
3. A watertight data processing agreement (DPA)
Article 28 GDPR requires a DPA with every processor. Without one, you are in breach. Also confirm secure deletion of old content.
4. Bot-free, IAB-compliant statistics
A large share of raw download traffic is bots. Unfiltered, you report inflated figures, no small matter to a board.
5. SSO, role management and audit logs
Without SSO and roles you can't track who has access, and a leaver keeps their login. Audit logs help trace the source of incidents.
6. Genuine private-content control
The biggest misconception: a hidden link is secure. It isn't, a link can be forwarded, indexed by search engines or guessed. Real control needs authentication, ideally a branded app that doesn't surface in directories.
7. Future-proof: NIS2, DORA and the AI Act
GDPR isn't the finish line. NIS2 tightens security requirements, DORA hits the financial sector, and the AI Act touches every tool with AI features (transcription, content generation). For a detailed breakdown of what NIS2, DORA and the AI Act mean for your stack, we cover the practical implications for podcast infrastructure in a separate guide.
Technology alone isn't enough: who's responsible?
The best platform solves nothing without ownership. Three steps:
- Assign an ownerLegal, IT or Communications. One owner.
- Run a tool auditmap every channel, retire insecure options.
- Train creators before they publishmost incidents come from unawareness.
📋 The checklist (worth saving)
- EU data residency, data in the EU, sub-processor list available
- ISO 27001:2022, valid certificate, correct scope
- Data processing agreement, standard DPA + secure deletion
- Bot-free statistics, IAB-compliant measurement
- SSO + role management + audit logs
- Private content, SSO-gated, not via open RSS
- Future-proof, stance on NIS2/DORA/AI Act, EU entity
Frequently asked questions
Compliance becomes a catalyst, not a brake.
Compliance as an edge, not a brake
Get security, privacy and access right from the start and you can scale with peace of mind. Compliance becomes a catalyst, not a brake: launch new podcasts without anyone lying awake over a data breach. For the internal-communications use case specifically, the guide on podcasts for internal communication covers the governance decisions that follow once the platform is compliant. And if you are managing multiple shows for different audiences, see how private podcasts for business handle access control in practice. Start with a platform built for this on Springcast EU compliance.
