Unless you live on the moon, I’m sure you’ve heard of the changes to the new EU data protection laws, commonly known as the GDPR. These changes came into force on 25th May 2018 and affect every business whether it’s in the EU or not – so that means you AND your clients. Here’s what you need to know and how to comply.
The General Data Protection Regulations (GDPR) are laws that the European Parliament, the Council of the European Union and the European Commission will use to strengthen and unify data protection for all individuals within the European Union as well as the export of personal data outside the European Union (The EU).
The GDPR are there to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted in April 2016 and became enforceable on 25 May 2018 and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. *
* Taken from Wikipedia
In the UK it used to be called the Data Protection Act but it become the GDPR in May 2018. And no, Brexit doesn’t affect any of what you’re about to read!
Why did these changes take place?
The EU want to give people more control over how their personal data is used because the old legislation was enacted before the Internet and cloud technology created new ways of exploiting data.
They also want to give businesses a clearer legal environment in which to operate and make data protection law identical throughout the single market.
Data protection is ongoing. It isn’t something you set and forget so you always need to be aware of what the current laws are.
What does this mean for you?
You need to comply with GDPR when processing personal data for your own business, you’ll need to explain to your clients how you’re doing this, and you need to be compliant when doing work for them.
You also need to comply when processing personal data for your client.
This is important because these new changes mean that it’s now YOU who’s responsible for the data you process and not your client. So you’ll need to know the source of personal data you’re working with and how any data service providers are storing it on your behalf.
What counts as personal data?
Personal data is any information that makes a person identifiable such as their name along with either their email, telephone number, address or any other contact details.
Basically any info that means you can identify who that person is.
But I don’t process any personal data!
Yeah you do.
- Do people from the EU visit your website? (Yup, IP addresses also count!)
- Do you or your clients have a mailing list that EU citizens can sign up to?
- Do you have personal data stored on a USB stick, an external hard drive, in an automated backup system or on an old computer?
- Do you have contacts on your phone?
- Do you or your clients use a CRM system?
- Do you or your clients have an email address book?
- Do you or any of your clients obtain and use other people’s names and contact details?
Then you need to comply with the EU data protection regulations.
But I’m not in the EU nor are my clients
Because EU data protection law extends to all foreign companies processing the data of EU residents, GDPR will affect you even if you don’t live in the EU. So even if you’re based in a non-EU country and none of your clients are from the EU, you will still have to comply with EU law.
- What if your client moves?
- What if your client lives in the US but their company is registered in the EU?
- What if you take on a new client who is based in the EU?
- What if someone from the EU signs up for your newsletter?
- What if someone in the EU signs up to your client’s newsletter and you manage it?
What does this mean for your clients and the way you help them?
Data protection affects Virtual Assistants in so many ways because they do many different tasks for many different people.
If you send out marketing emails for a client and they took the contact data from LinkedIn or the Internet (for example) without the person’s permission, you’re the Data Processor so it’s YOU who’ll be prosecuted if someone complains.
So you need to know how people got on their email list.
One of the biggest areas of data protection is around email marketing because the subscriber needs to have actively given consent to be added to a mailing list.
Double opt-ins and consent checkboxes go some of the way but in November 2017 Mailchimp automatically rolled out single opt-in to most MailChimp lists. If your primary contact address is in the EU, your lists will have stayed double opt-in after the change, but if not, then you’ll have to manually turn it on in the settings.
You can’t store an EU citizen’s ‘special category data’ outside of the EU. Special Category data includes info pertaining to health, political or religious beliefs, so if you work with medical or health practitioners then you can’t store this data in Dropbox.
You need to know stuff like this.
The good news is that not only will your own data be more secure, the more you know about the new regulations, the more info you’ll be able to give your clients and you’ll also be saving them a headache (and possibly a fine) in the long run.
You can also score brownie points and get more work by suggesting that you clean up their data lists or even act as an external Data Protection Officer for their company.
GDPR interview with Annabel Kaye from KoffeeKlatch
Although this video is an hour and a half long (get comfy folks!), it contains everything you need to know.
The video covers:
- What VAs need to know about data protection
- How the new GDPR regulations affect the VA industry
- How they affect non-EU VAs
- The difference between the Data Controller and the Data Processor (you’re both btw)
- The types of VA tasks that will be affected
- How a VA can ensure their client is compliant and how to approach this sensitively
- What to do if your client is not compliant and how to turn this to your advantage
- How to ensure your data storage systems (such as Dropbox/Drive/phone/computer are compliant
- Data protection clauses in contracts
- How to get the right procedures and habits in place when starting out
- Email marketing – adding people to lists, free opt-ins and existing subscribers
- Personal data held on CRM systems
- Where to store ‘sensitive/special category’ data
- Ensuring your Associates are compliant
- Prospecting via LinkedIn
- Encrypting your mobile phone and email contacts
- Website policies and cookies
- Registering with the ICO
- GDPR in relation to HR and bookkeeping practices
- What you can do now and what will happen if you don’t do anything
* Note that I make reference to legal documents that you can buy via Annabel’s company in the video but I have since had my own VA-centric legal contracts created.
- Don’t wait – anything you can do now will be of benefit and will be one less thing you’ll have to do later.
- Make the changes to your own business before you attempt to apply them to your client’s business.
- They still haven’t finalised the details so make sure you stay on top of changes. Data protection laws will always change as technology advances so you can’t ignore them.
- It will help to think of HOW you’re using the data instead of WHERE you’re storing it.
- Think of an email address as if it’s £1000 in cash.
- Your mobile phone is full of personal data. Your phone is valuable – that’s why people steal them!
- Don’t share login details with clients or Associates.
- Encrypt your phone and laptop hard drive. Annabel said she would never employ a VA who didn’t encrypt their systems.
- Register with the ICO if you’re in the UK and check your own country’s equivalent if you are not.
- Know what you’re talking about and have a plan.
Data protection is a huge deal and affects all businesses who obtain personal data from EU citizens – which is pretty much every business on the planet.
But data and privacy is actually a good thing because that also means YOUR data is being protected.
We kind of think of personal data as being information we store in Excel spreadsheets or in CRMs, but personal data actually includes your email contact list and the numbers in your phone. So we really need to change the way we look at personal data and how we keep it safe – and that can only be a good thing in the long run.
What happens if you or your client experiences a data breach?
In this 15 minute interview with international contracts lawyer Janet Alexandersson, I ask what a data breach is, how it might happen and what you should do if you experience one.
Although it could be you who experiences the data breach, a client might also ask you to take care of the admin side of things if they experience one themselves.
So it pays to be prepared and know what to do.
The video covers
- What constitutes a data breach – and what doesn’t
- Why a data breach isn’t just about being hacked
- Which data breaches need to be reported – and which ones don’t
- What to do if LastPass gets hacked
- What you need to report and how long you have to report it
- Why you might be in trouble if you don’t report a data breach
- How to be safe even if you experience a data breach
You can buy a Data Breach Notification Template here. It’s £10 and outlines everything you may need to report and shows you what to delete or keep.
Further reading and resources
- The ICO (Information Commissioners Office) has in-depth GDPR information and resources. These guys should be your main source of information.
- Read more about how to report a breach to the ICO.
- Call the ICO on 0303 123 1113 if you’re in the UK and on +44 1625 545 700 if you’re not.
- You should register with the ICO if you’re in the UK . Register here.
- Here’s a great article on social media and GDPR.
- If you can even access personal data that your client stores (so if you can log in and see their address book, mailing list or social media accounts) then you should get your client to sign a Data Processing Agreement.
- Most of the online data storage companies you use are based in the US and can voluntarily register with Privacy Shield. You can check if the companies you use are registered on the Privacy Shield website here.
** UPDATE Dec 2018: the ICO have issued their first fines. Unless they are exempt, all organisations, companies and sole traders that process personal data must pay an annual fee to the ICO. Fines for not paying can be up to £4,350. These fines were issued to organisations for not renewing their fees and more fines are set to follow.
More than 900 notices of intent to fine have been issued by the ICO since September so please make sure you’re registered!