General Data Protection Regulation – What you need to know as a virtual assistant for the new GDPR

New EU regulations come into force 25 May 2018 – General Data Protection Regulations (GDPR)

  • You must tell people who is responsible for the data you hold and process – this person must be registered with ICO
  • Data processors now also have direct obligations to process data correctly – as a virtual assistant processing any sort of data from clients, that means you!
  • Data breaches under the General Data Protection Regulations (GDPR) must be reported within 72 hours
  • New “fair processing rules”
  • Explicit consent to marketing communications and easy unsubscribe options.

What does General Data Protection Regulations (GDPR) mean for virtual assistants?

New EU regulations surrounding General Data Protection Regulations (GDPR) come into force 25 May 2018 – yes, even with Brexit, we still need to comply!  The big change is that virtual assistants will now be responsible for the data they process, not the client.  So it’s important you know the provenance of any data you are working on, and how your service providers are storing it on your behalf.

However, it’s worth pointing out that those VAs who do have good data protection in place already will see very few changes.  And there are opportunities within the GDPR for virtual assistants in cleaning up client lists, putting necessary information online for clients, or even acting as an external Data Protection Officer for their company.

We all benefit from less spam and more control over how our information is stored.

What is personal data?

A lot of VAs will say they don’t process personal data – but your client list contains contacts, addresses, telephone numbers and emails – that’s personal data as you can identify people associated with it.  VAs who manage social media accounts or email newsletter lists for their clients will be particularly vulnerable to these changes – and should make their clients aware of what they need to do in order to comply ASAP.


What steps should you take before General Data Protection Regulations (GDPR) comes into force?

ROLES

You must have a Data Protection Officer/Data Controller who is responsible for making sure you comply with these rules.  We suggest you may want to name this person on your T&Cs on your website, and they should be listed on any marketing communication you send out.  SVA already recommends that you register for data protection as part of the SVA Approved scheme.

REVIEW

You need to review the data that you hold, make sure it’s still relevant and complies.  For example, are you still storing old client documents from 5+ years ago?  Has everyone on your mailing list actively opted in rather than being added, simply because they are a client?  Where else is your data stored – accounts programmes? online workspaces? on a flash drive? on an automated backup? a mobile/laptop/your old computer?

HOW DID PEOPLE OPT IN?

Data processors now also have direct obligations to process data correctly – that’s a biggie for Virtual Assistants, as you could be held liable for a client not collecting their data properly.  So for example, a client may ask you to send out a marketing email on their behalf…  Even if they’ve mined the data from Google or LinkedIn and you know nothing about it, you as the processor are still liable for prosecution if you send out that email and someone complains.  So you need to be asking clients questions about where they got their data, and how people opted into the list.


DATA BREACH OBLIGATIONS

You must inform clients or others affected by data breaches without undue delay (preferably within 72 hours).

Let’s think about that:

Anyone have a LastPass or Dropbox account?  Both have been affected by serious data breaches in the last few years, and you would have to inform all clients and all data subjects affected within 72 hours.  One of your processes should now be thinking about where you are storing data and how you would contact everyone affected if there is a data breach.  How do you do that if the original data is deleted?  Or if you no longer have access to it as a result of the data breach?

“FAIR PROCESSING”

New “fair processing rules” deem that you must honour unsubscribe requests quickly and explain to subscribers how their data is held.  You might want to update your website privacy policy, for example.  The rules also contain specific provisions about processing any data on children: under 13s need the permission of an adult with parental responsibility in order to be included in the data.

There must be explicit consent given to marketing communications – you can’t have pre-ticked boxes or assumed consent.  People have to know who will have access to that data, and what they are signing up for.  You can’t just say “Our newsletter” – you have to say whether that will also include marketing communications.  Review all your marketing materials and website… Good practice has always been to include Opt Out requests on all email communications and to use a double Opt In system.  But now you have a legal obligation to comply with these requests.


RISK ASSESSMENT

Lastly – and there is some debate about how this will be policed! – the GDPR restricts transfer of data outside the EU unless the receiving country or international organisation has “an adequate level of protection”.  This could have a wide impact on all sorts of VA software and services.

Services which might be affected:

  • Online workspaces like Google Docs or Smartsheet
  • Online backups like OneDrive, iDrive
  • Accounting software like Xero or Kashflow
  • Your webhosts or mailservers
  • CRM systems or email newsletter software

We recommend asking your providers for the physical location of their servers and their security management systems accreditation – for example ISO 27001.  If there is a breach, you will be asked to demonstrate the risk assessment you undertook, so keep a note of the answers!

Tim Morgan, Lead Policy Officer at ICO says:

“Where an organisation is transferring personal data overseas, they must be satisfied that the data will be handled appropriately.  Our data protection reform microsite covering international transfers has more information on safeguards. The GDPR is principles-based legislation, as is the DPA.”

  1. Rachel on 4 September, 2017 at 9:56 am

    Thank you Caroline…. A lot to take on board, and although we probably do a lot already, there are still some areas that might be difficult to “police/control”. Especially online services we use to support our clients…

    • Caroline on 4 September, 2017 at 10:07 am

      Getting info out of hosts about where actual data is stored… Oh the joys!!! But mostly you wouldn’t even think to ask, you’d assume it’s okay – and that’s what now has to change.

  2. Carole Meyrick on 4 September, 2017 at 10:47 am

    Thank you so much for all your hard work in putting this together, Caroline. It does put us further forward on the foggy path of compliance with the new GDPR.

  3. Heather Greig on 4 September, 2017 at 11:19 am

    Thanks Caroline, I will need to set some time aside to review my policies and procedures and see where I might need to tighten things up a bit.

    I am also going to share this article with the VA Connect Northern Ireland group – let’s spread the word.

    • Caroline on 4 September, 2017 at 12:03 pm

      Please do! Everyone who is working as a VA really needs to think about this!

  4. Jacquie Steel on 4 September, 2017 at 3:54 pm

    Thanks for this Caroline, much appreciated.

    For any business ladies, VAs or otherwise who may be local to the Dundee area, our local networking group, Women Ahead, is running a GDPR Breakfast in Dundee on Thursday 28th September commencing at 08:30. £10 for non members (£5 for members) – all are welcome to attend.

    This is being delivered by Thorntons’ Solicitors at their offices in Yeaman Shore. For further information and to book a place, please visit the website on http://www.womenahead.co.uk/

  5. Janet Walker on 4 September, 2017 at 6:17 pm

    Thanks Caroline – this is very useful and much appreciated. GDPR is going to impact heavily the school where I am p/t employed, as they’ve been discussing already. I have previously not proceeded with registering as every time I took the online test on the ICO website, it showed I didn’t need to be a registered Data Controller for the work I did, but this looks so serious it looks as though I shall have to do so now and also look at the client documents and contacts I kept in case they were needed again…

  6. Denise Williams on 4 September, 2017 at 10:46 pm

    Thank you so much for taking the time and trouble not only to put this together in a way that we can all follow it, complicated as it is, but also for sharing it, much appreciated.

  7. Delia Wallace on 7 September, 2017 at 9:25 am

    Interesting article, thanks so much.
    I’m curious as a VA who lives within the EU (outside of the UK) but with UK clients how this will work – it is an EU regulation, but where does one need to be registered? The country where you are based, or the country of your clients or both (I’m thinking it will be the country where I am based but one never quite knows).

    • Caroline on 7 September, 2017 at 9:40 am

      That’s one of the grey areas – I would check directly with the ICO. I’d imagine it is the country where you are based as that is where the data is being processed.
