Welcome to Annabel Kaye from Koffee Klatch who works producing legal templates for freelancers to purchase.
CW: Annabel, how many VAs do you work with now?
AK: Around 60.
CW: So she’s been speaking to a wide variety of VAs who have all different kinds of businesses. Annabel has kindly agreed to share her list of all the places those VAs store data… which is extensive, and contains things even I hadn’t thought of…
GDPR and the VA
1) “Hey, but I don’t deal with data” – Yes, you now do according to this latest legislation.
2) “As it’s my clients data, they are liable if anything goes wrong” – Nope, you are too!
3) “Er, do I need to do anything…??” – Super important: YES! But we’ll guide you through it!
CW: Annabel – can you explain what personal data is and why all VAs (regardless of what service they offer) will be dealing in it?
AK: I can’t imagine running a business without personal data – even something as simple as sending an invoice to your client will have their name, address, email address. That’s personal data because you can identify the person involved from it. So all businesses are processing personal data.
CW: That’s one of the reasons SVA took the decision to include Data Protection Registration as a condition of the Approved VA status last year – all VAs are handling data, they should know what they are doing and the risks involved.
Major Changes for VAs
Data processors (i.e. the VA!) is now liable if data has not been properly sourced.
Can no longer have “implied consent” to send marketing – no preticked boxes, no adding people into a list because they previously bought from you or euphemisms such as “newsletter” if it’s a sales pitch. People have to know exactly what they are signing up to, who is holding the data and must be able to unsubscribe. You may be asked to produce proof of where you got information.
CW: Annabel – does that mean you have to resubscribe your whole newsletter list?
AK: Well that depends what they signed up for – what was the wording when they signed up? Most email programmes have unsubscribe options on the email that’s being sent – some don’t, but you should now make sure that any email you send has this.
CW: What about what information you should be including on your sign up page?
AK: If you included all the information on who is holding the data, what it’s for etc. you’d have a massive sign up box and people (especially on smartphones) wouldn’t be able to see where to sign up! My suggestion is that you use a double opt in email – I’m a big fan of double opt in – and then put that data on your confirmation email.
CW: For those of you who don’t know what “double opt in” is, Annabel’s talking about email systems like Constant Contact, Aweber, Insightly, InfusionSoft who all manage email subscriptions – so when someone enters their name and email into your website, it sends them an email asking them to click a link and confirm that they want to receive further information from you. Mailchimp has recently opted out of this – you might want to check your list settings, if you are using Mailchimp.
CW: And we come onto our first question from the VAs: let’s say you have a florist who is adding people who buy flowers onto their newsletter list… Is that allowed?
AK: As long as there’s a method to unsubscribe… but best practice is to get them to actively ask for the information to be sent.
CW: Or what about a business card which you get given at a networking event and the person asks you to contact them?
AK: There’s going to be lots of these where someone asks you to subscribe – another example would be someone signing a newsletter sign up at a trade fair.
CW: You might want to make a note on your email newsletter about where that person’s details came from to act as your proof – I know a couple of people who use tags for this and then use that to track marketing too.
Another big change – cannot process children under 13s data without parental consent – we had a VA who is processing mother and baby details for one of her clients…
CW: Given that the mothers are giving parental consent – that’s fine. You would not be able to have a pre-teen signing up to a forum or a computer game though, it would need their parents’ permission.
Storage of data outside of EU – BIG GREY AREA, SVA have had confirmation from Tim Morgan, Lead Policy Officer at ICO about storing data offshore…The VA has to make a suitable risk assessment, and again may be asked for proof of this in the event of an investigation
CW: Annabel – what would you say is suitable risk assessment and how would you keep a record of it?
AK: So firstly you have to check what data is being stored and where…
CW: That’s where your list comes in… Annabel has kindly agreed to share her list of all the places VAs store data as a checklist for you…
AK: 80% of the storage which UK VAs hold is US based… Therefore it’s governed by a longstanding international agreement which has less rigorous privacy than GDPR. However there is a voluntary scheme called “Data Privacy Shield” which a lot of companies subscribe to which should provide the level of protection you require. We’re working on generating a list of companies VAs use that comply…
CW: And we spoke to Tim who said that ISO27001 would be sufficient too, but that there is no specific requirement under the GDPR to comply with certain schemes, only that the data handler is satisfied that the data will be secure. We suggest keeping records of the checks you undertake.
AK: It’s important to note that they can change them though – data protection is something you are doing, rather than something you do as a one off.
Storing old data
CW: Annabel – how long would you say it’s okay to store data?
AK: Well if you look at VAT that can go back 7 years can’t it? Or your professional indemnity might require you to keep records for a certain amount of time so that if a client raises a claim, you have the information… You need to assess what is and isn’t relevant. We’re working on a Data Retention Policy document for clients to sign regarding how you handle their data. It’s a work in progress, it might change…
CW: One of our VAs queried how she should handle medical data…
AK: I can’t imagine a situation where a VA would be handling that…
CW: So for example, a doctor or a therapist might be getting the VA to type up client notes or letters… They’d use YouSendIt or SendThisFile to send the document.
AK: Well firstly, I’d suggest encryption if you are sending via email and a password on the file itself. Microsoft and Apple have options to do this, but you need to switch it on.
CW: And we know of a couple of solutions which are about £35 to install, so it’s not a massive burden.
Reporting Data Breaches
My best friend got caught out on this… she had a Gmail address which she was working from, a hacker got in and changed her password on the account. Then they sent out an email from her saying she was stuck somewhere and needed money wired to a Western Union account – critically they set the reply email to go to another email address which they’d set up in her name, so any replies got sent to the new address. Deleted all the contacts in her mail which meant she couldn’t tell anyone what had happened.
Under GDPR she would have to tell everyone within 72 hours… Now because she had a business account and was paying for email storage, Google managed to get her emails and contacts back… But it took 3-4 days to do.
CW: So you need a back up if you don’t have access to your usual contacts in order to contact people – let’s say your computer gets stolen whilst out and about. What do you do?
AK: Well firstly you’d hope that unlike that laptop which got left on a train with all the NE benefits claimants’ details, there’d be a password on it… So USB sticks, laptops, mobile phones. And it’s not just hardware too – you need to be aware of Wifi networks being secure…
CW: Yeah there was a big article a week or so ago about insecure wifi.
AK: And also be aware of your physical situation – who can see your screen?
CW: Or overhear your phone conversation – I’m always quite shocked by the number of people yelling credit card numbers or passwords down their mobile phone on the train!
CW: What about a big hack like if Dropbox or LinkedIn were hacked?
AK: I’d always advise to have your contacts backed up elsewhere – I have thousands of contacts, it would take me five years to manually retrieve them all, I wouldn’t be able to comply with the 72 hour rule.
CW: And you need to keep an eye on what those companies are doing with your data – they do change their policies regularly.
SVA asked some time ago for guidance on GDPR – in fact when Annabel and I planned this session in early 2017, we’d been told the guidance would be published in mid-September so we thought 30 October would give us plenty of time to review the material. However the ICO are still publishing information and only started their consultation with businesses in September, so it’s still very much a work in progress.
To be fair to them, the ICO didn’t write this legislation, the EU government in Brussels did, but ICO are going to have to enforce it. It’s not a clear piece of legislation and several parts can be read with different interpretations. However, being UK based, we’re sticking with what the ICO says…
Additionally when the UK leaves the UK all the European legislation will be converted into UK law – the GDPR will become the UK Data Protection Bill, and this is still being debated in Parliament as to what it will demand. Currently the GDPR asks for companies of over 250 employees to have a Data Protection Controller to oversee enforcement of GDPR with a registered Data Controller doing the processing… It’s been drafted that any company processing more than 5,000 data articles a year (AKA bits of personal data) would have to have 2 people involved… A massive impact of VAs who handle email lists.
We are very aware that this is just an hour long so what we’ve tried to do is ask the most frequent questions and then leave a chunk of time at the end to get through all the questions you asked…
Q: Associates – do they register themselves or do they come under the control of my business?
CW: Both – as the VA doing the processing, they should be registered. As the lead VA, you are also responsible for the data, as is the end client. You would all be responsible for the data being processed.
Q: Marketing and preventing contacting people who have asked not to be contacted?
CW: We spoke to Marketingfile on this because buying in lists could be majorly affected by this… They said their purchased lists would comply because people have opted in to receive data from other businesses when they verify their information. They did say B2C (Business to Consumer) lists would probably be affected since they don’t opt in to receive information in the same way. As always, you should be including an unsubscribe option/your contact details on any mailout, TPS and MPS checking each contacts (which you can do as part of the data purchase).
Q: How it impacts us as VAs if we are using client systems and clients do not follow guidelines e.g. we advise the client not to add cold contacts to their database, they do so against my advice?
CW: I think we’ve all had clients data dredging from LinkedIn or the web… If you’ve asked them where they got the data from, and it’s not compliant you can’t use it or you risk your Data Controller registration… To me, I’m not risking that for any client. I’m probably a bit grumpy about it…
AK: Not grumpy, but you’ve had experience and can say no Caroline… It’s hard for new VAs who are starting out when they are working with an experienced client who should know better.
Q: How this affects VAs who only access and amend information but don’t hold any information on systems or on file.
AK: You would need to ensure you had taken steps to ensure the information you were inputting was accurate.
Q: I’m based in India but all my clients are in the UK – is there any further implications for overseas VAs servicing UK clients?
AK: The data is being held on UK clients so they need to check your processes are compliant with UK law.
Q: What processes do I need to ensure my suppliers have in place? i.e. I apply for visas (for countries outside the EU) and use a travel agent in London. Is there anything in particular I should check on their terms?
CW: So the London travel agent would have their own GDPR compliance to deal with. Foreign embassies being passed data?
AK: Would be down to the VA to ensure they had made suitable checks… I wouldn’t send my passport anywhere unencrypted, from speaking to a number of people on the front line of these organisations it’s surprising how many don’t know what their security policy is – that suggests it’s not in place.
Q: I’m using LastPass to store credit cards and client passwords. Is this okay? How do I find out where their servers are? Can we do this as a group so we are not all contacting the same companies repeatedly?
CW: Annabel and I had a chat about credit cards a while back – I don’t know any UK bank who will pay out on fraudulent transactions if they find out a VA had your credit card details – it unfairly points the finger of blame at the VA and your professional indemnity insurance often won’t cover you.
AK: You need to check compliance… data protection isn’t something you do and then it’s done. It’s an ongoing job, because they do change policies.
CW: In terms of checking compliance as a group – we did look into this and it will massively depend on your security issues as to whether or not an individual company complies… However for most VAs, the US Data Privacy Shield will suffice and you can check that here: https://www.privacyshield.gov/list
ICO Preparing for GDPR 12 Steps: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
ICO Phone Helpline: 0303 123 1113 and select option 4
Koffee Latch poll of the most popular platforms used by VAs: https://doodle.com/poll/sfftqdxuqd4z2mz3
More info on Annabel: https://koffeeklatch.co.uk
US Data Privacy Shield info – check if your suppliers are registered: https://www.privacyshield.gov/list
See attached for Annabel’s list of frequently used VA services!