Unless you live on the moon, I’m sure you’ve heard of the General Data Protection Regulation, commonly known as the GDPR. These changes came into force on 25th May 2018 and affect every business whether it’s in the EU or not – so that means you AND your clients. Here’s what you need to know about global data protection and how to stay compliant.
The General Data Protection Regulations (GDPR) are laws that the European Parliament, the Council of the European Union and the European Commission will use to strengthen and unify data protection for all individuals within the European Union as well as the export of personal data outside the European Union (The EU).
The GDPR is there to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted in April 2016 and became enforceable on 25 May 2018 and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. *
* Taken from Wikipedia
In the UK it used to be called the Data Protection Act but it became the GDPR in May 2018.
Why did these changes take place?
The EU wants to give people more control over how their personal data is used because the old legislation was enacted before the Internet and cloud technology created new ways of exploiting data.
They also want to give businesses a clearer legal environment in which to operate and make data protection law identical throughout the single market.
Data protection is ongoing. It isn’t something you set and forget so you always need to be aware of what the current laws are.
What does this mean for you?
You need to comply with GDPR when processing personal data for your own business, you’ll need to explain to your clients how you’re doing this, and you need to be compliant when doing work for them.
You also need to comply when processing personal data for your client.
This is important because these new changes mean that it’s now YOU who’s responsible for the data you process and not your client. So you’ll need to know the source of personal data you’re working with and how any data service providers are storing it on your behalf.
What counts as personal data?
Personal data is any information that makes a person identifiable such as their name along with either their email, telephone number, address or any other contact details.
Basically, any info that means you can identify who that person is.
But I don’t process any personal data!
Yes, you do.
- Do people from the EU visit your website? (Yup, IP addresses also count!)
- Do you or your clients have a mailing list that EU citizens can sign up to?
- Do you have personal data stored on a USB stick, an external hard drive, in an automated backup system or on an old computer?
- Do you have contacts on your phone?
- Do you or your clients use a CRM system?
- Do you or your clients have an email address book?
- Do you or any of your clients obtain and use other people’s names and contact details?
Then you need to comply with the EU data protection regulations.
But I’m not in the EU nor are my clients
Because EU data protection law extends to all foreign companies processing the data of EU residents, GDPR will affect you even if you don’t live in the EU. So even if you’re based in a non-EU country and none of your clients is from the EU, you will still have to comply with EU law.
- What if your client moves?
- What if your client lives in the US but their company is registered in the EU?
- What if you take on a new client who is based in the EU?
- What if someone from the EU signs up for your newsletter?
- What if someone in the EU signs up to your client’s newsletter and you manage it?
What does this mean for your clients and the way you help them?
Data protection affects Virtual Assistants in so many ways because they do many different tasks for many different people.
If you send out marketing emails for a client and they took the contact data from LinkedIn or the Internet (for example) without the person’s permission, you’re the Data Processor so it’s YOU who’ll be prosecuted if someone complains.
So you need to know how people got on their email list.
One of the biggest areas of data protection is around email marketing because the subscriber needs to have actively given consent to be added to a mailing list.
Double optins and consent checkboxes go some of the way but in November 2017 Mailchimp automatically rolled out single opt-in to most MailChimp lists. If your primary contact address is in the EU, your lists will have stayed double opt-in after the change, but if not, then you’ll have to manually turn it on in the settings.
You can’t store an EU citizen’s ‘special category data’ outside of the EU. Special Category data includes info pertaining to health, political or religious beliefs, so if you work with medical or health practitioners then you can’t store this data in Dropbox.
You need to know stuff like this.
The good news is that not only will your own data be more secure, the more you know about the new regulations, the more info you’ll be able to give your clients and you’ll also be saving them a headache (and possibly a fine) in the long run.
You can also score brownie points and get more work by suggesting that you clean up their data lists or even act as an external Data Protection Officer for their company.
- Make the changes to your own business before you attempt to apply them to your client’s business.
- Make sure you stay on top of changes. Data protection laws will always change as technology advances so you can’t ignore them.
- It will help to think of HOW you’re using the data instead of WHERE you’re storing it..
- Your mobile phone is full of personal data. Your phone is valuable – that’s why people steal them!
- Don’t share login details with clients or Associates.
- Encrypt your phone and laptop hard drive.
- Register with the ICO if you’re in the UK and check your own country’s equivalent if you are not.
Data protection is a huge deal and affects all businesses who obtain personal data from EU citizens – which is pretty much every business on the planet.
But data and privacy is actually a good thing because that also means YOUR data is being protected.
We kind of think of personal data as being information we store in Excel spreadsheets or in CRMs, but personal data actually includes your email contact list and the numbers in your phone. So we really need to change the way we look at personal data and how we keep it safe – and that can only be a good thing in the long run.
What happens if you or your client experiences a data breach?
In this 15 minute interview with international contracts lawyer Janet Alexandersson, I ask what a data breach is, how it might happen and what you should do if you experience one.
Although it could be you who experiences the data breach, a client might also ask you to take care of the admin side of things if they experience one themselves.
So it pays to be prepared and know what to do.
The video covers
- What constitutes a data breach – and what doesn’t
- Why a data breach isn’t just about being hacked
- Which data breaches need to be reported – and which ones don’t
- What to do if LastPass is hacked
- What you need to report and how long you have to report it
- Why you might be in trouble if you don’t report a data breach
- How to be safe even if you do experience a data breach
You can buy a Data Breach Notification Template here. It’s £10 and outlines everything you may need to report and shows you what to delete or keep.
(Still under review as of 14th July 2020)
The Brazillian LGPD (Lei Geral de Proteção de Dados) is a new data privacy law that will apply to businesses (both inside and outside Brazil) that process the personal data of users located in Brazil.
So, this new law will only concern you if your clients are located in Brazil.
The new law is expected to come into effect on 16th August 2020 and is very similar to GDPR except that it will require every legal entity that collects data to have a Data Processing Officer.
The LGPD recognizes more lawful grounds for data collection than GDPR so there is no need to panic regarding what types of data that can be collected, and the rights of data subjects are also the same.
While the LGPD was meant to come into effect in February 2020, there is currently no Brazilian data protection reporting authority in place and so it has been continuously pushed into the future. It is currently scheduled to come into effect on 16th of August 2020 but it is possible the date may be moved again.
As with all of my legal contracts, when needed, and as a new law comes into effect, legal documents sold on my website are updated by the international contracts lawyer who created them to reflect any changes and then resent to previous buyers free of charge.
- The ICO (Information Commissioners Office) has in-depth GDPR information and resources. These guys should be your main source of information so subscribe to their newsletter for updates.
- Read what HMRC say about registering for data protection.
- Read more about how to report a breach to the ICO.
- Here’s a great article on social media and GDPR.
- If you can even access personal data that your client stores (so if you can log in and see their address book, mailing list or social media accounts) then you should get your client to sign a Data Processing Agreement.
- Most of the online data storage companies you use are based in the US and can voluntarily register with Privacy Shield. You can check if the companies you use are registered on the Privacy Shield website here.
- Read this article on cyber security for small businesses.
- Watch an expert debunk some cybersecurity myths.