What do you need to do?
The EU has special rules for what you need to do when sending data into and out of the EU. Many VAs do not realise they are doing this, since a lot of the terms used can be misleading.
If your prospects and customers, or your clients’ prospects and customers are in the EU, then EU GDPR laws are, according to the EU, applicable to you, even if you are not based there. This affects VAs all over the world – and your clients.
Are you processing personal data?
Sitting at your desk viewing data without changing it at all is ‘processing data’ from the EU GDPR point of view. You don’t have to change it or upload it to a database in order to be processing it.
What if we are both in the EU/EEA?
If you and your client, or you and your associate are both in the EU/EEA then as long as you have a proper data processing agreement, appropriate security arrangements and the data controller has a ‘lawful reason’ for processing personal data, no additional steps are required UNLESS you are passing data onwards and outside the EU/EEA.
You can find a list of member countries here.
What if one of you is not in the EU/EEA?
The EU has a system of approving the data privacy standards of countries not in the EU/EEA. The EU makes a finding of ‘adequacy’. You can find a list of countries whose data privacy systems have been found adequate here.
The UK was also granted adequacy status this summer.
It is worthwhile checking this list as you take on new associates and clients since countries are added to the list from time to time. Countries are also removed from time to time.
Most notably the USA was ‘adequate’ a while ago using the Data Privacy Shield, but this finding has now been revoked and the USA is no longer regarded as an adequate country.
As long as you take the usual contractual, risk assessment and security precautions you normally do, transfers to an adequate country do not require extra steps between VA and Associate or between VA and client compared to transfers within the EU/EEA.
Transfers to ‘non-adequate countries’
The EU requires the use of ‘standard contractual clauses’ (SCCs). The first version existed from the start of GDPR, but those documents are no longer valid from 27 September. You must use the new version.
The clauses are written by committee and very much aimed at large corporations. But they still apply to you.
If you are sharing data across borders into or out of a non-adequate country, you will need to update your SCCs. This is trickier than it looks, since the new versions require you to choose from various options depending on whether you are a data controller, data processor or sub-processor, and whether you are exporting or importing data (or both).
We have spent six months figuring out how to make this work in our own business and how to simplify it (as much as possible) for Virtual Assistants. If you want to try figuring it out yourself and choosing the right options for you, you can find the master document here.
If the whole thing makes your head ache – I don’t blame you! But please don’t ignore this update if it applies to you. Your professional indemnity insurance may not be valid if you are working on the old terms, or on none at all.
If you are interested in more information about GDPR for your clients, you can find plenty more information, specifically for Virtual Assistants, by clicking here.