What Virtual Assistants need to know about GDPR

What Virtual Assistants need to know about data protection

Unless you live on the moon, I’m sure you’ve heard of the European Union’s General Data Protection Regulation. Commonly known as the GDPR, these regulations affect every business whether it is based in the EU or not – so you AND your clients need to comply with it. Here’s what you need to know about global data protection and how to stay compliant.

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of the personal information of individuals in the European Union (EU).

These guidelines were created to enable the EU to provide their citizens with more control over how their personal data was used as the old legislation was enacted before the Internet and cloud technology created new ways of exploiting data.

GDPR (which I’ll refer to as EU GDPR from now on to make this post a little less confusing!) concerns the collection, storage and handling of personal data flowing from the EU.

So if a product or service is offered to the EU, then the business offering it has to comply with GDPR.

What is personal data?

The European Commission website defines personal data as: “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together, can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.”

Personal data can include:

  • Names and surnames
  • Home addresses
  • Dates of birth
  • Email addresses (although name.surname@company.com is considered personal data while info@company.com is not)
  • Telephone numbers
  • Number plates
  • IP addresses and website cookie identifiers
  • Location data, for example, the location data function on a mobile phone
  • Identification numbers such as passports, National Insurance Nos, social security Nos etc.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ and must make sure the data is:

– Used fairly, lawfully and transparently.
– Used for specified, explicit purposes.
– Used in a way that is adequate, relevant and limited to only what is necessary.
– Accurate and, where necessary, kept up to date.
– Kept for no longer than is necessary.
– Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

To be honest, the definition of personal data is non-exhaustive and also includes really random things such as physical appearance and beliefs. It also depends on other factors such as how the info is presented and whether it’s used in combination with other data.

Because we’re supposed to comply with regulations with, quite frankly, sketchy criteria, I  just ensure that:

  1. All the personal data I obtain is gathered with the explicit permission of the individual involved.
  2. I am transparent about what data I hold.
  3. I keep personal data only as long as it meets its purpose.
  4. I store the data as securely as possible.

Think you don’t control or process EU data?

Sorry doll, you probably do.

  • Do you or your clients have a website?
  • Do you or your clients have a mailing list?
  • Do you have contacts on your phone?
  • Do you or your clients use a CRM system?
  • Do you or your clients have an email address book?

Then you control and/or process personal data and some of that is likely to belong to a person in the EU. As data cannot be transferred to non-EU countries unless they can offer the same level of data protection, you need to comply with EU GDPR.

Data Controllers, Data Processors and Data Sub-Processors

When reading about the handling of personal data you will come across the terms Data Processors and Data Controllers.

As a Virtual Assistant, you are a Data Controller AND a Data Processor.

Controller: You’re the Controller of any personal data you have collected from your clients and prospects. This is info from your website in the form of IP addresses, cookie identifiers and your contact form. It is also direct info you gather in the form of names, email addresses, addresses and phone numbers of clients, contacts or prospects.

As a Controller, you are required to collect and store personal data in a compliant manner and be able to explain how you are doing this if asked by your clients.

Processor: You’re the Processor when you handle personal data held by your clients. You need to ensure the client has collected and is storing this data in a compliant manner because, as the Processor, you may be liable if they haven’t.

This is why you need a contract, a Data Processing Agreement (DPA) and insurance.

Basically, you need to know the source of any personal data you have collected or are processing and how any data service providers (CRM and email marketing platforms etc) you use are storing it on your behalf.

Data Sub-Processors

If you work as an Associate VA (this is when another VA outsources their client’s work to you) then you are also a Data Sub-Processor.

If you are a Lead VA you will need to make sure your client signs your DPA and your Associate signs your Associate Sub-Processing DPA.

This is because the Associate DPA confirms that the Data Sub-Processor (your Associate) is handling all personal data with the right permission and is storing that data securely and it also serves as proof that you are living up to your own DPA requirements with your client (the Controller).

UK GDPR (new as of 2021)

As data cannot be transferred to another country outside the EU unless the receiving company guarantees the same degree of protection as the EU requires, post-Brexit, the provisions of EU GDPR have now been incorporated directly into UK law as “UK GDPR”.

In practice, there is little change to the core data protection principles, rights and obligations. They follow the same guidelines as EU GDPR but just go by a different name.

The only change that applies to you is that, depending on the location of you and your clients as well as the location of any personal data your client is asking you to process, you will need to reference UK GDPR and the Data Protection Act 2018 and/or EU GDPR in your Freelancer Agreement, Associate Contract, Data Processing Agreement (DPA) and website Privacy Policy.

However, if you buy my legal contracts or policies, all the hard work has been done for you.

The options have been included in the template and you just keep the one/s you need and delete any that do not apply.

All of these documents have been written by an international contracts lawyer called Janet Alexandersson and are updated and resent to buyers free of charge any time the law changes. Janet is also in the VA Handbookers Facebook group to answer your legal questions.

Okay, let’s check out the data protection requirements you need to mention and adhere to depending on where you and your clients do business.

I’m a UK VA and/or I have UK clients

If you operate inside the UK or are ONLY processing UK data, you need to comply with and reference UK GDPR (which currently mirrors EU GDPR in all the ways that matter) and the Data Protection Act 2018 in your contract.

If your client is asking you to process data that may contain data from people living in the EU (which is highly likely) then you will also need to reference EU GDPR in your contract.

I’m an EU VA and/or I have EU clients

If you operate inside the EU or are processing EU data (which as mentioned, you probably are), you need to comply with and reference EU GDPR.

I’m not in the EU and nor are my clients

Because EU data protection laws extend to all foreign companies processing the data of EU residents, GDPR will affect you even if you don’t live in the EU.

So even if you’re in a non-EU country and none of your clients is in the EU, you still need to be aware of and comply with GDPR because:

  • Your client could physically move to the EU or move the registration of their company to the EU.
  • You might take on an EU client.
  • Your client may take on an EU client or customer and you may process their personal data.
  • Someone in the EU might sign up for your newsletter.
  • Someone in the EU might sign up for a client’s newsletter and you may process their personal data.
  • Someone in the EU might join a client’s membership group that you help manage.
  • Someone in the EU might visit your website or your client’s website.

Because IP addresses count as personal data, GDPR applies regardless of where the website is based and must be heeded by all sites that attract European visitors even if they don’t specifically market goods or services to EU residents.

So, unless you or your clients are going to restrict the access of every IP address in the EU, you need to comply with EU GDPR.

How data protection affects your role as a VA

Data protection affects Virtual Assistants in a number of ways because they undertake many tasks for many people and they process data obtained from many locations.

Here are some of the key areas to be aware of:

Data collection and storage

GDPR requires businesses to have a defined purpose for collecting data which should always be supported by a “legal basis”. The legal basis can be a contractual obligation, legitimate interest for storing and using data, or that explicit consent has been given.

As a business owner, you must collect and store personal data in a compliant manner.

Collection – basically, the personal data must have been given consensually or for the purpose of doing business together and the owner of the data should be able to obtain, correct, erase and object to the processing of this data.

Storage – if you use a professional platform to store data (such as a CRM, Gmail, Outlook, MailChimp etc) then it should already support the collection, management and processing of personal data in a secure way.

When it comes to data that you are holding on your own devices (computer, tablet, phone) you need to ensure that it is held as securely as possible.

It’s a good idea to encrypt, pseudonymize, or anonymize personal data wherever possible.

Personal data collected by your website

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

– Receive users’ consent before you use any cookies except strictly necessary cookies.
– Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
– Document and store consent received from users.
– Allow users to access your service even if they refuse to allow the use of certain cookies
– Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

So in order to meet the “legal basis” criteria mentioned above, you should add one of those (really annoying tbh) cookie consent notifications to your site. A WordPress plugin such as Cookiebot should do the job.

You also need to reference the website user’s data protection rights in your website Privacy Policy and tell them what personal data you are collecting, your reason for collecting it and how long it is being stored.

All of this info is in the Website Policies Bundle that I sell.

Your Virtual Assistant freelancer contract

Depending on your location, the location of your clients and the location of the people whose data you are processing, you need to reference the appropriate data protection laws in your Freelancer Agreement, Data Processing Agreement (DPA), Associate Agreement, Associate DPA, and Website Policies.

As mentioned, if you buy my legal contracts or policies, all the hard work has been done for you. The options have been included in the contract templates and you just keep the one/s you need and delete any that do not apply.

Email marketing activities

One of the biggest areas of data protection is around email marketing because subscribers have to actively give their consent to be added to a mailing list and they must be able to easily unsubscribe.

This is important to know because if you send out emails for a client and they had added someone to their mailing list without permission, as the Data Processor it’s you and not your client who will be prosecuted if someone complains.

This is why your clients should sign your Data Processing Agreement (DPA). 

A DPA is required for GDPR compliance and basically confirms that the Data Controller (your client) has obtained permission to collect personal data and is storing that data securely.

It also indemnifies the Data Processor (you) of all claims and actions by anyone who has not consented for their data to be used or any repercussions if your client has not obtained, stored or is using that personal data in a GDPR-compliant way.

If you’re not sure if your client has gathered emails for their mailing list in compliance with GDPR  then ask them how they obtained them.

Here are some practical examples of compliant and non-compliant mailing lists from Mailchimpbut basically, someone needs to have actively given their permission to be added to the list. This is why double-opt-ins are recommended.

If you’re thinking of adding newsletter creation and/or management to your services, my newsletter course covers GDPR and compliance so you don’t fall foul of the law.

The Information Commissioners Office (ICO)

The ICO is the UK’s independent body set up to uphold information rights and they have a lot of in-depth GDPR information and resources on their website.

Unless exempt, every UK organisation or sole trader who processes personal data has to pay an annual data protection fee to the ICO.

This fee was £40 for VAs as of June 2023.

If you’re a UK VA, the ICO should be your main source of information and I highly recommend subscribing to their newsletter for updates so you don’t miss any changes.

You can use the ICO’s free online checklist to improve your understanding of data protection and to find out what you need to do to make sure you’re keeping personal data secure. A short report with suggested actions is provided at the end.

What happens if you or your client experiences a data breach?

In this 15-minute interview with international contracts lawyer Janet Alexandersson, I ask what a data breach is, how it might happen and what you should do if you experience one.

Although it could be you who experiences the data breach, a client might also ask you to take care of the admin side of things if they experience one themselves.

So it pays to be prepared and know what to do.

The video covers

  • What is (and isn’t) a data breach
  • Why a data breach isn’t just about being hacked
  • Which data breaches need to be reported – and which ones don’t
  • What to do if your password managing platform is hacked
  • What you need to report and how much time you have to report it
  • Why you could be in trouble if you don’t report a data breach
  • Why someone’s email address is worth thousands of pounds
  • How to prevent a data breach

This is how to report a breach to the ICO. You can find an editable Data Breach Notification template on the legal docs sales page that I link to below.


I won’t lie, GDPR is a royal pain in the backside, but it has to be understood and adhered to if you’re going to run a business.

The good news is that not only will your own data be more secure, but the more you know about the regulations, the more info you’ll be able to give your clients.

Here is a handy GDPR checklist for Data Controllers. I would run your own business through it first and then show it to your clients to help ensure they are also in compliance.

These handy data protection training videos from the ICO (Information Commissioners Office) are another great resource. I also advise you to sign up for their newsletter to stay abreast of your legal obligations.

You will save them a headache (and possibly a fine) in the long run and create more work for yourself (such as helping them update their website and clean their data lists) in the process.

* This post was last updated in June 2023.

Got your legal documents sorted?

Whether it’s a Freelancer Agreement, a DPA, an Associate contract or website policies, you need the legal stuff so you don’t get sued or screwed.

GDPR compliant and written by an international contracts lawyer specifically for VAs, all of the docs are updated and resent to buyers free of charge any time the law changes.



Maike Boysen

Hi, I’m wondering if I will need to register with ICO and have a contract with DPA/GDPR. I’m a bit overwhelmed with all the above. I just started my business as creative VA and will be doing basic data entry, proofreading, email/calendar management, sending out thank you cards, travel booking, card design, product photography and editing. Could you please let me know if either are needed? TIA

Joanne Munro

Hi Maike, yes you will need to register with the ICO and get a DPA. You will be both a data Controller for your own business and the Processor for your client (you will be accessing personal information such as email addresses) so it is better to be covered in all aspects.


Hi Joanne!
Thank you for sharing the valuable work you did for the VA community. I am a hearing-impaired woman, I would like to understand what you are saying in the videos but my hearing is not that good enough, does it exist another article summing up the VA data protection important-points-to-remember in your website?
Thank you for reading to me x

Joanne Munro

Hi Dray, there isn’t another version I’m afraid but the summary is also in the post. I sell a web policy bundle (which Janet created consisting of a cookie policy, a privacy policy and terms of use policy) and they provide everything you need to be compliant with GDPR. Also, should the law ever change, then the document will be updated and sent to you free of charge.


Hi Jo,

Thanks for this, it’s helped me get a very good overview of what’s what! Most informative.

I notice that your link to the policies for your website is Canadian. https://www.websitepolicies.com/ Should we not be using a UK one for this?

Many thanks

Helen G

I’m watching this for the second time – and on a Friday night too! Rock n roll! I’ve picked out new bits of info that I missed the first time I watched it – thanks Jo and Annabel


Thanks for sharing.Am planning to outsource some of my works to my virtual personal assistant.Is it safe to give my personal data to my virtual pa?

Joanne Munro

It is safe to give your data to your VA as long as they can tell you where they are storing it and proving that the location is secure and GDPR compliant. I’m just about to post the video interview which should provide further information for you.

Joanne Munro

You definitely need to adhere to the GDPR and I would check in your own country what other legalities you need to adhere to. I’m only familiar with UK ones but there are many American members in my VA Handbookers Facebook group and they will definitely know the answer x


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.