Virtuoso-PA | Virtual Assistant Data Protection Procedures
With the imminent arrival of the GDPR, data protection is in the news and on social media daily. Any personal data held by a business which could be used to identify an individual needs to come under the data protection umbrella.
As an example, your client list and CRM will contain contact details, addresses, telephone numbers and email addresses. Everyone in business, no matter the size, holds this type of information.
To comply with the Data Protection Act, even before GDPR comes into effect, you must follow correct data protection procedures. This means that from the moment you receive the data until it is archived, destroyed or deleted, you have to comply, regardless of whether the client data is held on paper or electronically.
Make Sure Your Clients Know Their Data Is in Safe Hands
- Personal data received is obtained only for one or more specified and lawful purposes – you need to ask for and receive written consent if you’re planning on using it further, e.g. “Can I add you to my mailing list?”
- Personal data is adequate and relevant and not excessive in relation to its requirement – if it’s not relevant, you don’t need to know or hold records pertaining to, say, their religious beliefs
- All personal data is accurate and kept up to date – yes, it’s up to you to check
- Personal data processed for any purpose shall not be kept for longer than is necessary – if you no longer support a client, I would suggest archiving the data rather than deleting it
- Suitable technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data – run regular malware and virus checks and back-ups, and make sure you are protecting the data from cyber attack
Storing Client Data Online
The chances are that, as a freelancer, you choose to store your files in the cloud. You therefore need to check that the service provider’s security and availability are right for the types of files you want to upload.
I use Office 365 and Dropbox to store my clients’ personal data. By following the procedures below I ensure that my clients’ data is protected:
- I use strong passwords – as an example, use a good mix of upper and lower case, numbers and symbols, and update them regularly
- I check the provider’s terms and conditions and privacy notices – I know that Microsoft Office 365 and Dropbox are working towards full compliance by 25th May 2018
- I use two-factor authentication – I receive a texted code when I attempt to log into or make changes to my cloud services
- Client documents are encrypted before I store them – I password protect documents and folders
- I only share a document with the client – all other data is stored in private encrypted folders – there are three levels: Private, Shared and Public. Choose wisely!
When GDPR comes into effect how will Data Protection rules change?
Caroline Wylie from The Society of Virtual Assistants has spent a fair bit of time looking into GDPR and what it means for Virtual Assistants. You can read her full findings here: GDPR
Basic considerations of the GDPR are as follows:
- If you are responsible for processing client data, you must tell your client
- You must be registered with the ICO
- If you suffer a data breach, it must be reported within 72 hours of the breach
- You need explicit consent for marketing communications and easy unsubscribe options
- You need to ascertain where the data you hold came from and who it is shared with
- From 25th May 2018 you will be responsible for data your clients have collected and provided. Therefore, if they have collected the data illegally and its use receives a complaint, you will also be liable
The Information Commissioner’s Office publishes a monthly update showing the areas it has been working on, which can be found here. It’s not always easy to understand, so it’s best to keep checking with those who explain it in an easy-to-read and understandable way.
Taking data protection and GDPR seriously is paramount when you are a freelance contractor. If you ignore it and think it doesn’t apply to you, you could theoretically receive a fine of £500,000+. You have until 24th May 2018 to make sure you are aware of and complying with GDPR.
I’ve already started a data audit… Have you?