What Virtual Assistants need to know about GDPR

What every VA needs to know about data protection

Unless you live on the moon, I’m sure you’ve heard of the changes to the new EU data protection laws, commonly known as the GDPR. These changes come into force on 25th May 2018 and will affect every business whether it’s in the EU or not – so that means you AND your clients. Here’s what you need to know and how to comply.

What’s GDPR?

The General Data Protection Regulation (GDPR) is the law that the European Parliament, the Council of the European Union and the European Commission will use to strengthen and unify data protection for all individuals within the European Union, and to govern the export of personal data outside the European Union (the EU).

The GDPR is there to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The regulation was adopted in April 2016 and becomes enforceable from 25 May 2018. Unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. *

* Taken from Wikipedia

In the UK it’s currently called the Data Protection Act but it will become the GDPR in May. And no, Brexit doesn’t affect any of what you’re about to read!

Why are these changes happening?

The EU wants to give people more control over how their personal data is used because the current legislation was enacted before the Internet and cloud technology created new ways of exploiting data.

They also want to give businesses a clearer legal environment in which to operate and make data protection law identical throughout the single market.

Data protection is ongoing. It isn’t something you set and forget, so you always need to be aware of what the current laws are.

What does this mean for you?

You not only need to comply with GDPR when processing personal data for your own business; you’ll also need to explain to your clients how you’re doing this, and you need to be compliant when doing work for them.

This is important because under these new changes it’s now YOU who’s responsible for the data you process, not your client. So you’ll need to know the source of any personal data you’re working with and how any data service providers are storing it on your behalf.

What counts as personal data?

Personal data is any information that makes a person identifiable, such as their name along with their email, telephone number, address or any other contact details.

Basically any info that means you can identify who that person is.

But I don’t process any personal data!

Yes you do.

  • Do people from the EU visit your website? (Yup, IP addresses also count!)
  • Do you or your clients have a mailing list that EU citizens can sign up to?
  • Do you have personal data stored on a USB stick, an external hard drive, in an automated backup system or on an old computer?
  • Do you have contacts on your phone?
  • Do you or your clients use a CRM system?
  • Do you or your clients have an email address book?
  • Do you or any of your clients obtain and use other people’s names and contact details?

Then you need to comply with the new data protection regulations.

But I’m not in the EU nor are my clients

Because EU data protection law extends to all foreign companies processing the data of EU residents, GDPR will affect you even if you don’t live in the EU. So even if you’re based in a non-EU country and none of your clients are from the EU, you will still have to comply with EU law, for example in these situations:


  • What if your client moves?
  • What if your client lives in the US but their company is registered in the EU?
  • What if you take on a new client who is based in the EU?
  • What if someone from the EU signs up for your newsletter?
  • What if someone in the EU signs up to your client’s newsletter and you manage it?

What does this mean for your clients and the way you help them?

Data protection affects Virtual Assistants in so many ways because they do many different tasks for many different people.

Example 1

If you send out marketing emails for a client and they took the contact data from LinkedIn or the Internet (for example) without the person’s permission, you’re the Data Processor, so it’s YOU who’ll be prosecuted if someone complains.

So you need to know how people got onto their email list.

One of the biggest areas of data protection is around email marketing because the subscriber needs to have actively given consent to be added to a mailing list.

Double opt-ins and consent checkboxes go some of the way, but in November 2017 MailChimp automatically rolled out single opt-in to most MailChimp lists. If your primary contact address is in the EU, your lists will have stayed double opt-in after the change, but if not, you’ll have to manually turn it back on in the settings.

Example 2

You can’t store an EU citizen’s ‘special category data’ outside of the EU. Special category data includes information pertaining to health, political opinions or religious beliefs, so if you work with medical or health practitioners you can’t store this data in Dropbox.

You’re going to need to know stuff like this.

The good news is that your own data will be more secure, and the more you know about the new regulations, the more information you’ll be able to give your clients, saving them a headache (and possibly a fine) in the long run.

You can also score brownie points and get more work by suggesting that you clean up their data lists or even act as an external Data Protection Officer for their company.

GDPR interview with Annabel Kaye from KoffeeKlatch

Although this video is an hour and a half long (get comfy folks!), it contains everything you need to know.

The video covers:

  • What VAs need to know about data protection
  • How the new GDPR regulations affect the VA industry
  • How they will affect non-EU VAs
  • The difference between the Data Controller and the Data Processor (you’re both btw)
  • The types of VA tasks that will be affected
  • How a VA can ensure their client is compliant and how to approach this sensitively
  • What to do if your client is not compliant and how to turn this to your advantage
  • How to ensure your data storage systems (such as Dropbox/Drive/phone/computer) are compliant
  • Data protection clauses in contracts
  • How to get the right procedures and habits in place when starting out
  • Email marketing – adding people to lists, free opt-ins and existing subscribers
  • Personal data held on CRM systems
  • Where to store ‘sensitive/special category’ data
  • Ensuring your Associates are compliant
  • Prospecting via LinkedIn
  • Encrypting your mobile phone and email contacts
  • Website policies and cookies
  • Registering with the ICO
  • GDPR in relation to HR and bookkeeping practices
  • What you can do now and what will happen if you don’t do anything

* Note that in the video I refer to legal documents that you can buy via Annabel’s company, but I have since had my own VA-centric legal contracts created.

Interview takeaways

  • Don’t wait – anything you can do now will be of benefit and will be one less thing you’ll have to do later.
  • Make the changes to your own business before you attempt to apply them to your client’s business.
  • They still haven’t finalised the details, so make sure you stay on top of changes. Data protection laws will always change as technology advances, so you can’t ignore them.
  • It will help to think of HOW you’re using the data instead of WHERE you’re storing it.
  • Think of an email address as if it’s £1000 in cash.
  • Your mobile phone is full of personal data. Your phone is valuable – that’s why people steal them!
  • Don’t share login details with clients or Associates.
  • Encrypt your phone and laptop hard drive. Annabel said she would never employ a VA who didn’t encrypt their systems.
  • Register with the ICO if you’re in the UK and check your own country’s equivalent if you are not.
  • Know what you’re talking about and have a plan.

Data protection is a huge deal and will affect all businesses that obtain personal data from EU citizens – which is pretty much every business on the planet.

But data protection and privacy are actually a good thing, because they also mean YOUR data is being protected.

We tend to think of personal data as information we store in Excel spreadsheets or in CRMs, but personal data actually includes your email contact list and the numbers in your phone. So we really need to change the way we look at personal data and how we keep it safe – and that can only be a good thing in the long run.

Further reading and resources

8 Comments

Joanne Munro

You definitely need to adhere to the GDPR and I would check in your own country what other legalities you need to adhere to. I’m only familiar with UK ones but there are many American members in my VA Handbookers Facebook group and they will definitely know the answer x

Mariya

Thanks for sharing. I am planning to outsource some of my work to my virtual personal assistant. Is it safe to give my personal data to my virtual PA?

Joanne Munro

It is safe to give your data to your VA as long as they can tell you where they are storing it and prove that the location is secure and GDPR compliant. I’m just about to post the video interview, which should provide further information for you.

Helen G

I’m watching this for the second time – and on a Friday night too! Rock n roll! I’ve picked out new bits of info that I missed the first time I watched it – thanks Jo and Annabel

Emma

Hi Jo,

Thanks for this, it’s helped me get a very good overview of what’s what! Most informative.

I notice that your link to the policies for your website is Canadian. https://www.websitepolicies.com/ Should we not be using a UK one for this?

Many thanks
