Unless you live on the moon, I’m sure you’ve heard of the upcoming changes to the new EU data protection laws, commonly known as the GDPR. These changes come into force on 25th May 2018 and will affect every business whether it’s in the EU or not – so that means you AND your clients. Here’s what you need to know and how to comply.
The General Data Protection Regulation (GDPR) is a law that the European Parliament, the Council of the European Union and the European Commission will use to strengthen and unify data protection for all individuals within the European Union (EU), and to govern the export of personal data outside the EU.
The GDPR is there to give citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted in April 2016 and becomes enforceable from 25 May 2018 and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. *
* Taken from Wikipedia
In the UK it’s currently called the Data Protection Act but it will become the GDPR in May. And no, Brexit doesn’t affect any of what you’re about to read!
Why are these changes happening?
The EU wants to give people more control over how their personal data is used because the current legislation was enacted before the Internet and cloud technology created new ways of exploiting data.
They also want to give businesses a clearer legal environment in which to operate and make data protection law identical throughout the single market.
Data protection is ongoing. It isn’t something you set and forget so you always need to be aware of what the current laws are.
What does this mean for you?
You not only need to comply with GDPR when processing personal data for your own business, you’ll need to explain to your clients how you’re doing this, and you need to be compliant when doing work for them.
This is important because these new changes mean that it’s now YOU who’s responsible for the data you process and not your client. So you’ll need to know the source of personal data you’re working with and how any data service providers are storing it on your behalf.
What counts as personal data?
Personal data is any information that makes a person identifiable such as their name along with either their email, telephone number, address or any other contact details.
Basically any info that means you can identify who that person is.
But I don’t process any personal data!
Yes you do.
- Do people from the EU visit your website? (Yup, IP addresses also count!)
- Do you or your clients have a mailing list that EU citizens can sign up to?
- Do you have personal data stored on a USB stick, an external hard drive, in an automated backup system or on an old computer?
- Do you have contacts on your phone?
- Do you or your clients use a CRM system?
- Do you or your clients have an email contact list?
- Do you or any of your clients obtain and use other people’s names and contact details?
Then you need to comply with the new data protection regulations.
I’m not in the EU nor are my clients
Because EU data protection law extends to all foreign companies processing the data of EU residents, GDPR will affect you even if you don’t live in the EU. So even if you’re based in a non-EU country and none of your clients are from the EU, you will still have to comply with EU law.
- What if your client moves?
- What if your client lives in the US but their company is registered in the EU?
- What if you take on a new client who is based in the EU?
- What if someone from the EU signs up for your newsletter?
- What if someone in the EU signs up to your client’s newsletter and you manage it?
What does this mean for your clients and the way you help them?
Data protection affects Virtual Assistants in so many ways because they do many different tasks for many different people.
If you send out marketing emails for a client and they took the contact data from LinkedIn or the Internet (for example) without the person’s permission, you’re the Data Processor so it’s YOU who’ll be prosecuted if someone complains.
So you need to know how people got on their email list.
One of the biggest areas of data protection is around email marketing because the subscriber needs to have actively given consent to be added to a mailing list.
Double opt-in (where the subscriber must confirm by clicking a link emailed to them) is a great way to do this, but in November 2017 MailChimp automatically rolled out single opt-in to most MailChimp lists. If your primary contact address is in the EU, your lists will have stayed double opt-in after the change, but if not, then you’ll have to manually turn it on in the settings.
You can’t store an EU citizen’s ‘special category data’ outside of the EU. Special Category data includes info pertaining to health, political or religious beliefs, so if you work with medical or health practitioners then you can’t store this data in Dropbox.
You’re gonna need to know stuff like this.
The good news is that your own data will be more secure, and the more you know about the new regulations, the more info you’ll be able to give your clients, saving them a headache (and possibly a fine) in the long run.
You can also score brownie points and get more work by suggesting that you clean up their data lists or even act as an external Data Protection Officer for their company.
How to ensure you’re compliant with the GDPR
My time is much better spent helping you guys set up and run your business than worrying about all the legal stuff, so I now refer all my readers to KoffeeKlatch for legal documents such as contracts and Associate agreements, but they’re also extremely knowledgeable about GDPR.
KoffeeKlatch are legal experts who already work closely with other VA trainers and organisations such as the SVA to ensure VAs are fully compliant. You could spend hours of billable time looking into all this GDPR legislation yourself and take your chances, but I recommend just getting them to help you.
They have a service called Data Protection for Virtual Assistants preparing for GDPR which covers:
- An audit of the data you hold
- An explanation of what constitutes ‘data’ and how to secure it and share it appropriately
- How to handle consent (when the final details are published)
- What your data protection responsibilities are as a business owner
- How to handle your own data
- Where your data is located – do you know where your software keeps it?
- How to handle clients’ data
- How to work with your associates and any suppliers in a GDPR compliant way
All the above is provided via one year’s membership of a dedicated Facebook group which is supported by GDPR/legal experts. This group is invaluable because you can simply ask them questions whenever you (or your clients) need to check something.
I’ve secured a 20% discount for VA Handbook readers which you can get by entering the code VAHB20 at checkout.
GDPR interview with Annabel Kaye from KoffeeKlatch
Although this video is an hour and a half long (get comfy folks!), it contains everything you need to know.
The video covers:
- What VAs need to know about data protection
- How the new GDPR regulations affect the VA industry
- How they will affect non-EU VAs
- The difference between the Data Controller and the Data Processor (you’re both btw)
- The types of VA tasks that will be affected
- How a VA can ensure their client is compliant and how to approach this sensitively
- What to do if your client is not compliant and how to turn this to your advantage
- How to ensure your data storage systems (such as Dropbox/Drive/phone/computer) are compliant
- Data protection clauses in contracts
- How to get the right procedures and habits in place when starting out
- Email marketing – adding people to lists, free opt-ins and existing subscribers
- Personal data held on CRM systems
- Where to store ‘sensitive/special category’ data
- Ensuring your Associates are compliant
- Prospecting via LinkedIn
- Encrypting your mobile phone and email contacts
- Website policies and cookies
- Registering with the ICO
- GDPR in relation to HR and bookkeeping practices
- What you can do now and what will happen if you don’t do anything
Key points from the interview
- Don’t wait – anything you can do now will be of benefit and will be one less thing you’ll have to do later.
- Make the changes to your own business before you attempt to apply them to your client’s business.
- They still haven’t finalised the details so make sure you stay on top of changes. Data protection laws will always change as technology advances so you can’t ignore them.
- It will help to think of how you’re using the data instead of where you’re storing it.
- Think of an email address as if it’s £1000 in cash.
- Your mobile phone is full of personal data. Your phone is valuable – that’s why people steal them!
- Don’t share login details with clients or Associates.
- Encrypt your phone and laptop hard drive immediately. Annabel said she would never employ a VA who didn’t encrypt their systems.
- Register with the ICO if you’re in the UK and check your own country’s equivalent if you are not.
- Know what you’re talking about and have a plan.
Data protection is a huge deal and will affect all businesses that obtain personal data from EU citizens – which is pretty much every business on the planet.
But data protection and privacy are actually a good thing because that also means YOUR data is being protected.
I’m definitely of the opinion that it’s better to just pay a legal expert to make sure you’re compliant. It’s what I’ve done myself and, even though it’s frustrating that it’s yet another thing to pay for and sort out, laws are always changing and I’d personally prefer someone who knows what they’re doing to make sure I’m covered so I can just get on with running my business.
We kind of think of personal data as being information we store in Excel spreadsheets or in CRMs, but personal data actually includes your email contact list and the numbers in your phone.
So we really need to change the way we look at personal data and how we keep it safe – and that can only be a good thing in the long run.
Further reading and resources mentioned in the video
- See the full GDPR explanation and citations on Wikipedia.
- KoffeeKlatch are compiling a list of compliant data storage systems/companies and you can buy a year’s worth of GDPR support here on their website.
- Most of the online data storage companies you use are based in the US and can voluntarily register with Privacy Shield. You can check if the companies you use are registered on the Privacy Shield website here.
- Register with the ICO if you’re in the UK. It costs just £35.
- Here’s where you can find all your other VA legal docs including freelance and Associate contracts.
- BitLocker comes with Windows – here’s how to turn it on.
Disclosure: I’m an affiliate of KoffeeKlatch which means I receive a small commission if you buy anything from them. However, my reputation is extremely important to me and I only ever recommend products or services that I know will help you. I chose KoffeeKlatch because of their reputation, their expertise in GDPR and other work laws, and the fact that they work closely with others in the VA industry. They are professional legal experts and it matters to me that you are fully compliant with all legislation.