New EU regulations come into force 25 May 2018 – General Data Protection Regulations (GDPR)

• You must tell people who is responsible for the data you hold and process – this person must be registered with ICO
• Data processors now also have direct obligations to process data correctly – as a virtual assistant processing any sort of data from clients, that means you!
• Data breaches of the General Data Protection Regulations (GDPR) must be informed within 72 hours
• New “fair processing rules”
• Explicit consent to marketing communications and easy unsubscribe options.

What does General Data Protection Regulations (GDPR) mean for virtual assistants?

New EU regulations surrounding General Data Protection Regulations (GDPR) come into force 25 May 2018 – yes, even with Brexit, we still need to comply!  The big change is that virtual assistants will now be responsible for the data they process, not the client.  So it’s important you know the provenance of any data you are working on, and how your service providers are storing it on your behalf.

However, it’s worth pointing out that those VAs who do have good data protection in place already will see very few changes.  And there are opportunities within the GDPR for virtual assistants in cleaning up client lists, putting necessary information online for clients, or even acting as an external Data Protection Officer for their company.

We all benefit from less spam and more control over how our information is stored.

What is personal data?

A lot of VAs will say they don’t process personal data – but your client list contains contacts, addresses, telephone numbers and emails – that’s personal data as you can identify people associated with it.  If you type a letter for a client with the recipients name/address on it, that’s personal data.  As is arranging appointments for clients where they’ve given you someone’s phone number to arrange a meeting.  VAs who manage social media accounts or email newsletter lists for their clients will be particularly vulnerable to these changes – and should make their clients aware of what they need to do in order to comply ASAP.

You should be getting a “Data Processing Agreement” in writing before doing anything with that personal data.  This outlines exactly what you will do with the data.

What steps should you take before General Data Protection Regulations (GDPR) comes into force?

ROLES

You must have a Data Protection Officer/Data Controller who is responsible for making sure you comply with these rules.  We suggest you may want to name this person on your T&Cs on your website, and they should be listed on any marketing communication you send out.  SVA already recommends that you register for data protection as part of the SVA Approved scheme.

The latest advice is that Data Protection Registration will be replaced by a GDPR compliant list for businesses processing personal data on behalf of other people (i.e. our client’s work if it contains personal information of their clients) and it will cost most small businesses around £40 to register.  This is still not confirmed, our advice remains to make sure you are registered under the existing scheme.

REVIEW

You need to review the data that you hold, make sure it’s still relevant and complies.  For example, are you still storing old client documents from 7+ years ago?  Has everyone on your mailing list actively opted in rather than being added, simply because they are a client?  Where else is your data stored – accounts programmes? online workspaces? on a flash drive? on an automated backup? a mobile/ laptop/your old computer?

You may well have a good reason for holding this data (e.g. some insurance policies want you to hold client data historically or for tax purposes).  But anything which is not needed, should be deleted.

You might also consider where this data is being held – what happens if your phone gets stolen? Or your laptop?  Sending sensitive information via the post and it gets lost?  The legislation is asking you to think about the risk of the information you hold and how you process it within your business.

HOW DID PEOPLE OPT IN?

Data processors now also have direct obligations to process data correctly – that’s a biggie for Virtual Assistants, as you could be held liable for a client not collecting their data properly.  So for example, a client may ask you to send out a marketing email on their behalf…  Even if they’ve mined the data from Google or LinkedIn and you know nothing about it, you (as the processor) are still liable for prosecution if you send out that email and someone complains.  So you need to be asking clients questions about where they got their data, and how people opted into the list.

DATA BREACH OBLIGATIONS

You must inform clients or others affected by data breaches without undue delay (preferably within 72 hours).

Let’s think about that:

Anyone have a LastPass or Dropbox account?  Both have been affected by serious data breaches in the last few years, and you would have to inform all clients and all data affected within 72 hours.  One of your processes should now be thinking about where you are storing data and how you contact everyone affected if there is a data breach.  How you do that if the original data is deleted?  Or you no longer have access to it as a result of the data breach?

WEBSITES

Websites process data automatically – most will track how many users visit the site, what they click on, how long they spend etc.  Therefore, if you track these details (either via webstats from your hosting company, Google Analytics or just within the WordPress installation) you need to tell people visiting the site that their actions are being monitored with a cookie notice as they enter the site.  This has been in place since the Data Protection Act was updated anyway, so it’s not new to the GDPR laws.  However what is new is the need to identify the data controller within your cookie policy and to have a publicly viewable privacy policy which identifies how to get in touch with the person controlling the data – including a full mailing address.

In other words you now need:

• Cookie pop up
• Privacy policy
• Your name and address on the privacy policy

“FAIR PROCESSING”

New “fair processing rules” deem that you must honour unsubscribe requests quickly and explain how the data is held to subscribers.  You might want to update your website privacy policy, for example.  It also contains specific information about processing any data on children.  Under 13s need an adult with parental responsibility’s permission in order to be included in the data.

There must be explicit consent given to marketing communications – you can’t have pre-ticked boxes or assumed consent.  People have to know who will have access to that data, and what they are signing up for.   You can’t just say “Our newsletter” – you have to include if that’s going to also include marketing communications.  Review all your marketing materials and website… Good practice has always been that you include Opt Out requests on all email communications and a double Opt In system.  But now you have a legal obligation to comply with these requests.

RISK ASSESSMENT

Lastly – and there is some debate about how this will be policed! – the GDPR restricts transfer of data outside the EU unless an international organisation has “an adequate level of protection”.  Which could have a wide impact on all sorts of VA software and services.

Services which might be affected:

• Online workspaces like Google Docs or Smartsheet
• Online back ups like OneDrive, iDrive
  
• Accounting software like Xero or Kashflow
• Your webhosts or mailservers
• CRM systems or email newsletter software

We recommend asking your providers for the physical location of their servers and their security management systems accreditation – for example ISO 27001 or US Data Privacy Shield.  If there is a breach, you will be asked to demonstrate the risk assessment you undertook, so keep a note of the answers!

Tim Morgan, Lead Policy Officer at ICO says:

“Where an organisation is transferring personal data overseas, they must be satisfied that the data will be handled appropriately.  Our data protection reform microsite covering international transfers has more information on safeguards. The GDPR is principles-based legislation, as is the DPA.”

• Please note this advice is published as a useful guide and is not exhaustive.
• Should you have a specific query, please refer to ICO’s Case Study team.
  
• More free information from: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/