Is data privacy hard for Virtual Assistants?

If you are a new VA you may find yourself struggling with what people tell you about data privacy and GDPR. There’s a lot of misunderstanding and misinformation going around. Whilst many people will chip in with well-intentioned advice, it is not always accurate or appropriate for the way you are working in your own business and with your client.

You may remember some of what you were taught when working in your most recent jobs. However, unless you update and refresh that understanding and make it work for your new micro business, you are soon going to get yourself into a tangle.

Who is who?

The jargon around data privacy can be confusing, and unless you have a firm grasp on who is who, moving on to who does what can rapidly make your head hurt. Let’s look at the most popular terms:

Data Controller

As the boss of your new business you are acting as a data controller. A data controller is responsible for deciding what information your business collects about whom, how it is used, when and how it is shared, how it is stored, and when and how it is removed.

If you worked for a big organisation, they had a person (the Data Protection Officer, or DPO) whose entire job was sorting this out. In a smaller organisation it would be a job for a Partner or a Director to add to their responsibilities. Now it is your responsibility to do this, and it starts not when you have clients, but when you start collecting personal data. For most of us that is at the sales and marketing stage, when we start to collect the names and contact details of individuals we wish to approach.

Data Subject

Once you have information about a living individual then you have data subjects. They have all the rights that data subjects have. The size of your business does not affect that or exempt you.

Data Processor

When you are viewing or using data in your own business for your own business purposes (for example marketing, invoicing your clients, or credit control for your business), you are still acting as a data controller.

But as soon as you start viewing or using personal data to help your client with their business, the roles switch around. Your client is the data controller for their business, just as you are for yours. But they are using you as a data processor.

The data controller should be securing the data and only sharing it with you to the extent that you need it to do what you have contracted with them to do.

Personal Data

Many VAs get in a muddle about what personal data is. Data is just another word for information. It does not have to be stored or kept electronically. For example, sign-up sheets at exhibitions contain personal data.

It does not matter whether that individual is in business or a private person: if you have information that, on its own or together with other elements of information, allows you to identify a living individual, then you are collecting personal data.

Name-based emails are personal data. Even email addresses like info@ can be personal data if you combine them with a mobile telephone number belonging to an individual who uses that email address and whose name you know.


Whilst UK data laws protect UK data subjects and EU ones protect EU data subjects, both legal systems claim this applies to people overseas who are processing data about these citizens.

An increasing number of other countries are implementing data privacy laws (over 150 at the last count) and some of those also say the same.

VA problems

Whilst some VA customers are aware of data privacy and do make proper provision for sharing data inside the UK or overseas, we find this is less than 4% (having risen from 0% in 2016).

The trouble is that without the right paperwork and systems in place a VA can find themselves liable for data losses and fines. And many customers don’t know what they should do, or even simply ignore the whole thing.

VAs walk a tightrope at best between compliance (which may mean influencing your client to get it straight) and keeping the client. At one extreme is a client who simply refuses to care, and at the other is the busy, growing small business owner who knows nothing about this and has no time to think about it but, if given a simple way to comply, would take it on board. Most clients are in the middle, and it is up to you as a business owner to decide what risks you will take and with whom.

VAs who can demonstrate a basic competence in data privacy and security are in increasing demand as your customers find their bigger customers demanding to know what processes are in place.

In this series of articles we will be exploring some of the common scenarios and mix-ups you will face. These scenarios come from the support queries we receive regularly in our dedicated Virtual Assistant GDPR Training Group. They are not made up or imagined.



Annabel Kaye has been helping VAs with contracts and GDPR support for more than 15 years. There have been a lot of changes in that time.

Last year Jo Brianti joined the KoffeeKlatch team as a Director.

Together the two of them provide a clear technical support system designed to help VAs create a profitable business that does not ignore the realities and legalities of the way you work today.
