VAs can get very confused by GDPR advice. A lot of it is aimed at large organisations and many of the processes and policies are impossible to understand or implement if there is really just you, or you and a few associates.

Another complication is that VAs are handling data privacy and data security not just as business owners, but as service providers to other business owners and even as associates further down the chain.

Here are some of the fundamental ideas to take on board

Are you a data controller?

If you are running your own business you are a data controller. A data controller is someone (or an organisation) who is deciding what type of personal data should be collected about living individuals.

It is just about impossible to run a modern business without collecting some form of information about living individuals – if only their names – so we are all data controllers for our own business.

What is a data controller responsible for?

If is your job to decide what information you business collects and to work out:

  • What the ‘lawful’ reason for doing so is. (There are six and you must be able to identify one for each type of information you collect)
  • How to secure it
  • How long to keep it for
  • Who should be given access to (securely)
  • What your data privacy policy should say
  • What risks this all poses to individuals whose data you collect

You are responsible for all of this when it comes to data used in your business for your business. But this is not your role when you are handling client’s data. They are the data controller and it is their job to specify all of these things.


Are you a data processor?

If you are handling your client’s data about their prospects, customers, suppliers, team, etc, then you are acting as a data processor. You will continue to be a data controller for your own business, so this role will be in addition to that role.

In order to even view this data (viewing is processing from a GDPR point of view) you need to have:

  • A contract that deals appropriately with confidentiality and GDPR and expressly makes it your job to handle the data in accordance with GDPR
  • A Data Processing Agreement (DPA) from the client setting out all the items listed as the Data Processors job
  • To follow the security instructions given to you by your client

In an ideal world, the client would give you access to their systems, and give you a ‘role’ on their system that gives you the minimum rights necessary to do your job. They should then ‘turn you off’ or ‘turn the role down’ when you no longer need that access.

In reality, this can be tricky as most clients have very little understanding of what they should be doing as a data controller and therefore do not take care of all of this properly.

But if you are handling personal data without all of this, you are at risk if there is a problem. If someone further up the chain of connection has a data loss, they will trigger an audit, and when that audit reaches your client’s arrangements with you, it will cause a problem even if neither of you is responsible for the problem.

You are also open to fines from the Information Commissioner’s Office. These are not just for data controllers but data processors too! It is true that so far these have been rare but that does not mean you should ignore it all.

There are other roles involved such as co-data controllers and sub-data processors – and we will be covering them separately.

If you are interested in more information about GPDR for your clients, you can find plenty more information, specifically for Virtual Assistants by clicking here