VA’s, or Virtual Assistants, are becoming more common for small business owners. They can be a wonderful addition for any organisation needing an extra pair of hands.
If however, they’re handling any of your client’s personal data, you need to know who is responsible, for what, and how you can protect yourself under the data protection laws. Companies such as CVG Solutions can help with advice and training for business and VAs on the complexities of data regulations in the UK. Here are some initial points to consider.
Who is responsible for complying with General Data Protection Regulations?
The compliance lies with the data controller, so in other words, the company doing the hiring. The organisation hiring the VA is the entity that establishes the purpose and the means of the processing of data. In short, that means you! Your customers gave their data to you, not to your VA. In this context, the VA becomes the data processor because he or she is processing the data on your behalf.
How can you ensure your VA complies with the regulations?
Limiting any system access to a strictly ‘need to know’ basis is good practice. Also ensure that you have a data processing agreement (a legally binding agreement) and a non-disclosure agreement in place. You should require, as part of the contract, the VA to attend GDPR training.
What should you do before hiring a VA?
You should carry out Due Diligence. Find out what level of GDPR training he/she has undertaken. How long ago was it done, and where he/she is based i.e., will they access the data from outside the UK. If so this is referred to as a Cross Border Transfer via access. This means that if your VA is based in a country that does not have an Adequacy status, you are responsible to put in place additional safeguards such as to carry out a Transfer Risk Assessment followed by an International Data Transfer Agreement (this is a legally binding agreement).
Who will the ICO fine in the event of a breach of GDPR?
You. The data controller.
As you are the data controller then you are accountable. As a controller you could be fined by the ICO but you could also face law suits from your customers.
This should not put you off hiring a Virtual Assistant if you are at the point where you need help. VAs are a great tool and there’s a reason they are so popular amongst business owners. The responsibility of handling your client’s data ultimately lies with you though, so go into any agreement carefully, ensuring you protect both yourself and your clients.
Written by Cristina Vannini-Goodchild, Managing Director & Founder CVG Solutions.
