fbpx Skip to content

General Data Protection Regulation – What you need to know as a virtual assistant for the new GDPR

GDPR data protectionNew EU regulations come into force 25 May 2018 – General Data Protection Regulations (GDPR)

  • You must tell people who is responsible for the data you hold and process – this person must be registered with ICO
  • Data processors now also have direct obligations to process data correctly – as a virtual assistant processing any sort of data from clients, that means you!
  • Data breaches of the General Data Protection Regulations (GDPR) must be informed within 72 hours
  • New “fair processing rules”
  • Explicit consent to marketing communications and easy unsubscribe options.

What does General Data Protection Regulations (GDPR) mean for virtual assistants?

New EU regulations surrounding General Data Protection Regulations (GDPR) come into force 25 May 2018 – yes, even with Brexit, we still need to comply!  The big change is that virtual assistants will now be responsible for the data they process, not the client.  So it’s important you know the provenance of any data you are working on, and how your service providers are storing it on your behalf.

However, it’s worth pointing out that those VAs who do have good data protection in place already will see very few changes.  And there are opportunities within the GDPR for virtual assistants in cleaning up client lists, putting necessary information online for clients, or even acting as an external Data Protection Officer for their company.

We all benefit from less spam and more control over how our information is stored.

What is personal data?

A lot of VAs will say they don’t process personal data – but your client list contains contacts, addresses, telephone numbers and emails – that’s personal data as you can identify people associated with it.  If you type a letter for a client with the recipients name/address on it, that’s personal data.  As is arranging appointments for clients where they’ve given you someone’s phone number to arrange a meeting.  VAs who manage social media accounts or email newsletter lists for their clients will be particularly vulnerable to these changes – and should make their clients aware of what they need to do in order to comply ASAP.

You should be getting a “Data Processing Agreement” in writing before doing anything with that personal data.  This outlines exactly what you will do with the data.

See also  Virtual Assistant Industry Leaders: Helen Stothard

What steps should you take before General Data Protection Regulations (GDPR) comes into force?


You must have a Data Protection Officer/Data Controller who is responsible for making sure you comply with these rules.  We suggest you may want to name this person on your T&Cs on your website, and they should be listed on any marketing communication you send out.  SVA already recommends that you register for data protection as part of the SVA Approved scheme.

The latest advice is that Data Protection Registration will be replaced by a GDPR compliant list for businesses processing personal data on behalf of other people (i.e. our client’s work if it contains personal information of their clients) and it will cost most small businesses around £40 to register.  This is still not confirmed, our advice remains to make sure you are registered under the existing scheme.


You need to review the data that you hold, make sure it’s still relevant and complies.  For example, are you still storing old client documents from 7+ years ago?  Has everyone on your mailing list actively opted in rather than being added, simply because they are a client?  Where else is your data stored – accounts programmes? online workspaces? on a flash drive? on an automated backup? a mobile/ laptop/your old computer?

You may well have a good reason for holding this data (e.g. some insurance policies want you to hold client data historically or for tax purposes).  But anything which is not needed, should be deleted.

You might also consider where this data is being held – what happens if your phone gets stolen? Or your laptop?  Sending sensitive information via the post and it gets lost?  The legislation is asking you to think about the risk of the information you hold and how you process it within your business.


Data processors now also have direct obligations to process data correctly – that’s a biggie for Virtual Assistants, as you could be held liable for a client not collecting their data properly.  So for example, a client may ask you to send out a marketing email on their behalf…  Even if they’ve mined the data from Google or LinkedIn and you know nothing about it, you (as the processor) are still liable for prosecution if you send out that email and someone complains.  So you need to be asking clients questions about where they got their data, and how people opted into the list.

See also  Get Virtual Assistant Clients Now!


You must inform clients or others affected by data breaches without undue delay (preferably within 72 hours).

Let’s think about that:

Anyone have a LastPass or Dropbox account?  Both have been affected by serious data breaches in the last few years, and you would have to inform all clients and all data affected within 72 hours.  One of your processes should now be thinking about where you are storing data and how you contact everyone affected if there is a data breach.  How you do that if the original data is deleted?  Or you no longer have access to it as a result of the data breach?


Websites process data automatically – most will track how many users visit the site, what they click on, how long they spend etc.  Therefore, if you track these details (either via webstats from your hosting company, Google Analytics or just within the WordPress installation) you need to tell people visiting the site that their actions are being monitored with a cookie notice as they enter the site.  This has been in place since the Data Protection Act was updated anyway, so it’s not new to the GDPR laws.  However what is new is the need to identify the data controller within your cookie policy and to have a publicly viewable privacy policy which identifies how to get in touch with the person controlling the data – including a full mailing address.

In other words you now need:

  • Cookie pop up
  • Privacy policy
  • Your name and address on the privacy policy


New “fair processing rules” deem that you must honour unsubscribe requests quickly and explain how the data is held to subscribers.  You might want to update your website privacy policy, for example.  It also contains specific information about processing any data on children.  Under 13s need an adult with parental responsibility’s permission in order to be included in the data.

See also  Copyright - protecting your brand

There must be explicit consent given to marketing communications – you can’t have pre-ticked boxes or assumed consent.  People have to know who will have access to that data, and what they are signing up for.   You can’t just say “Our newsletter” – you have to include if that’s going to also include marketing communications.  Review all your marketing materials and website… Good practice has always been that you include Opt Out requests on all email communications and a double Opt In system.  But now you have a legal obligation to comply with these requests.


Lastly – and there is some debate about how this will be policed! – the GDPR restricts transfer of data outside the EU unless an international organisation has “an adequate level of protection”.  Which could have a wide impact on all sorts of VA software and services.

Services which might be affected:

  • Online workspaces like Google Docs or Smartsheet
  • Online back ups like OneDrive, iDrive
  • Accounting software like Xero or Kashflow
  • Your webhosts or mailservers
  • CRM systems or email newsletter software

We recommend asking your providers for the physical location of their servers and their security management systems accreditation – for example ISO 27001 or US Data Privacy ShieldIf there is a breach, you will be asked to demonstrate the risk assessment you undertook, so keep a note of the answers!

Tim Morgan, Lead Policy Officer at ICO says:

“Where an organisation is transferring personal data overseas, they must be satisfied that the data will be handled appropriately.  Our data protection reform microsite covering international transfers has more information on safeguards. The GDPR is principles-based legislation, as is the DPA.”


  1. Rachel on 4 September, 2017 at 9:56 am

    Thank you Caroline…. A lot to take on board, and although we probably do a lot already, there are still some areas that might be difficult to “police/control”. Especially online services we use to support our clients…

    • Caroline on 4 September, 2017 at 10:07 am

      Getting info out of hosts about where actual data is stored… Oh the joys!!! But mostly you wouldn’t even think to ask, you’d assume it’s okay – and that’s what now has to change.

    • Zeina on 11 March, 2018 at 9:37 am

      I guess the direct impact on VA would be when dealing with e-marketing campaigns, and making sure clients lists comply – the good news systems like AWeber already have a privacy shield in place. Thank you Caroline, very useful blog.

      • Caroline on 12 March, 2018 at 9:19 am

        The major impact is that VAs will be liable for data breaches – yes that means we have to question clients really carefully about where data has come from when doing outgoing marketing, but it also means our own data service providers need to be questioned carefully about where we store/how we store data. Relevant to ALL VAs, whether or not they do email marketing – I think sometimes VAs assume it’s only if they handle lists that it’s relevant… But your own prospects or even client list is relevant, as is where you store your work.

  2. Carole Meyrick on 4 September, 2017 at 10:47 am

    Thank you so much for all your hard work in putting this together, Caroline. It does put us further forward on the foggy path of compliance with the new GDPR.

  3. Heather Greig on 4 September, 2017 at 11:19 am

    Thanks Caroline, I will need to set some time aside to review my policies and procedures and see where I might need to tighten things up a bit.

    I am also going to share this article with the VA Connect Northern Ireland group – let’s spread the word.

    • Caroline on 4 September, 2017 at 12:03 pm

      Please do! Everyone who is working as a VA really needs to think about this!

  4. Jacquie Steel on 4 September, 2017 at 3:54 pm

    Thanks for this Caroline, much appreciated.

    For any business ladies, VAs or otherwise who may be local to the Dundee area, our local networking group, Women Ahead, is running a GDPR Breakfast in Dundee on Thursday 28th September commencing at 08:30. £10 for non members (£5 for members) – all are welcome to attend.

    This is being delivered by Thorntons’ Solicitors at their offices in Yeaman Shore. For further information and to book a place, please visit the website on http://www.womenahead.co.uk/

  5. Janet Walker on 4 September, 2017 at 6:17 pm

    Thanks Caroline – this is very useful and much appreciated. GDPR is going to impact heavily the school where I am p/t employed, as they’ve been discussing already. I have previously not proceeded with registering as every time I took the online test on the ICO website, it showed I didn’t need to be a registered Data Controller for the work I did, but this looks so serious it looks as though I shall have to do so now and also look at the client documents and contacts I kept in case they were needed again…

  6. Denise Williams on 4 September, 2017 at 10:46 pm

    Thank you so much for taking the time and trouble not only to put this together in a way that we can all follow it, complicated as it is, but also for sharing it, much appreciated.

  7. Delia Wallace on 7 September, 2017 at 9:25 am

    Interesting article, thanks so much.
    I’m curious as a VA who lives within the EU (outside of the UK) but with UK clients how this will work – it is an EU regulation, but where does one need to be registered? The country where you are based, or the country of your clients or both (I’m thinking it will be the country where I am based but one never quite knows).

    • Caroline on 7 September, 2017 at 9:40 am

      That’s one of the grey areas – I would check directly with the ICO. I’d imagine it is the country where you are based as that is where the data is being processed.

  8. David on 20 January, 2018 at 2:26 pm

    Thank you for the post.

    My usual work is for UK businesses working with UK businesses’ data – so B2B but the contact data (ie email, name and IP) meaning personally identifiable data.

    If I were to remote into a client’s systems to do this processing from a country outside of the EEA and noted countries of similar data protection regulation would I be deemed internationally transferring?

    • Caroline on 22 January, 2018 at 10:03 am

      Technically yes because it’s going physically outside of the UK onto non-EU servers/IPs.

      However having chatted to the ICO, we’ve tried to pin them down on what the “appropriate checks” would be to comply with GDPR, and they basically have said it’s down to the data controller to decide that and to be able to demonstrate that they took appropriate risk assessments about the security of the data. We’ve verified that the US’s https://www.privacyshield.gov/list and ISO 27001 would be considered appropriate demonstration of data security, but (as with all things data) you need to make your own risk assessment based upon what you are handling.

      Hope that helps!

  9. Naomi on 24 January, 2018 at 1:00 pm

    Thank you for putting this together it’s a really helpful post. I’m working on GDPR training for a company I work for and sharing information like this helps me to get my head around it. I’m also looking to set up my VA business this year – I’ll be spreading the word to all my VA friends! Thanks again.

  10. Teresa Bond on 15 February, 2018 at 1:56 pm

    Thank you for the useful article. I am beginning to put serious thought into GDPR compliance both for myself and on behalf of some of my clients. There are still more questions than answers but your article was really useful. I have also joined the FSB who have lots of useful guidelines, policy documents etc to refer to as well as a Helpline which I’m sure I’ll be using.

  11. Sharon Lashley on 9 March, 2022 at 10:36 am

    Thank you for this information. As someone in the early stages of setting up as a VA this is very helpful

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.