Jargon and Confusion over Data Privacy

Now that we have established who is who when it comes to data privacy, we need to move on to what that actually means – who does what.

Who does what and what paperwork they issue to whom is a function of which role you are acting within. 

Data Controller – that’s you 

It’s your job to make sure that you have what is known as a lawful reason for collecting the information you collect for your business.  You also need to secure it and not keep it any longer than you need to. 

Data Privacy policy  

A data privacy policy is a document designed to tell your data subjects what is going on and why. You will need a data privacy policy for your business explaining to your data subjects what you are collecting, why, who you are sharing it with, whether it is leaving the UK, how long you are keeping it for, and how they can contact you to make a data subject access request or ask to have their information updated, changed or removed. 
Some VAs think you only need one if you have a website, but you need one if you are collecting information about living individuals.  It is useful to put a copy of, or a link to, your data privacy policy on your website, but if you don’t have a website you can create a shareable link in Dropbox, SharePoint or Google Docs and make it available that way. 

Are you sharing data outside the UK? 

The biggest problem you may have with this is working out where the data you collect is being stored.  It is surprisingly difficult to find out from some software and app creators where all that data is going.  Their data privacy policy will tell you where information about YOU is going (or at least it should do), but what they do with information you put into their systems about other people is not always covered in their data privacy policy.   Sometimes it is covered in data security documents.  Sometimes it is simply not mentioned at all. 

We spend a lot of time supporting our GDPR trainees and helping them find out the answers.  It never ceases to amaze me how difficult some organisations make it to discover this information, as none of us should be sharing any information within their platforms UNLESS and UNTIL we know!  
You will find some free versions of software don’t give you the option to choose, whilst some paid versions let you choose the UK or EU as your ‘data location’.  It keeps changing, so this is something worth checking from time to time. 

When you had a job it was usually someone else’s job to figure this out.  Now you are the boss, it’s your job unless you are paying someone else to do it. 

Bookkeeping VAs 

If you are registered for Anti Money Laundering (AML) supervision (through a bookkeeping professional body or directly with HMRC), you will need to view ID and finance data from your clients as part of your onboarding process. 
Your data privacy policy needs to make this clear and state clearly what you are doing with this information. 
Viewing this information does not necessarily mean keeping hold of it indefinitely, so much as having a process to demonstrate that you asked for it and you saw it.  You need to be very clear that this needs to be sent to you securely (open email is not generally secure), kept securely and, if you have a team, with very restricted access. 

High Risk Information 

Financial information such as bank details (usually held in your accounting system once you have one) is usually viewed as high risk data, since if it is lost the individual may be harmed.   Similarly, special category data (health, sexual orientation, trade union membership, religious or political beliefs) is high risk.   Children’s data is also viewed that way. 

VAs don’t usually collect most of this, but you do need to be clear about what you are collecting and why, and make sure you have extra security and restrictions on anything that comes into this category. 


Data Controller – that’s your client 

Your client is usually a data controller in their own right.   
If you are taking care of an individual (eg working B2C, not B2B) this will not be the case: they will not be a data controller and they will not need a data privacy policy.  How you two handle and share data is covered by YOUR data privacy policy. 

Data Privacy policy from them 

If your client is based in the UK they will also need their own data privacy policy for their data subjects (which will include you, as they must hold some information about you in order to work with you and pay you).   
Other countries have their own regulations on who needs to have which pieces of paper, but many mirror the structure we have in the UK. 

You would also expect them to ask you to do work that is broadly in line with that policy, though that is not the document that is used to tell you what to do when you are supporting that client and acting as a data controller. 


Data Privacy Policy problems 

One of the biggest problems with data privacy policies is that people think they are ‘paperwork’ that goes on a website and that they can be purchased, like a book, and just uploaded. 

Having no data privacy policy at all is not a good idea.  But what is a worse idea is having one you copied, or got your web designer to upload, that does not reflect the way you handle data in your business.  If that policy is incomplete, or worse still untrue because you are not doing the things that policy says you are, you will find yourself in a complete muddle if you have a data breach or something goes wrong. 


Did your web designer do a data privacy policy for you? 

Web designers want you to have a data privacy policy on your website so that they can tick the boxes for a data privacy policy and a cookie policy.   Unless they do a data audit, they have no way of knowing what is going on across your whole business.  Nor do they have the skills or the time to work that out.  Having a ‘fake’ policy – by which we mean one that is simply stuck there and does not reflect your actual working practices – can make you look compliant, but it won’t make you compliant. 

Did you just copy someone else’s policy? 

We regularly see data privacy policies that simply do not reflect what a VA business would normally be doing.  Not only that, when we ask a VA what a clause means, they have no idea that it commits them to doing specific things. 

Not just a piece of paper!

A good data privacy policy is the result of knowing how you handle personal information in your business; it is the end of a process, not a substitute for having one.  And it needs updating when you change how you operate, take on new software and apps, new people, etc. 

It is good to review your policy against what is actually going on.  The process of reviewing what is going on is known as a data audit.  In a start-up business that should not take all that long, but it is worth doing. 




Annabel Kaye has been helping VAs with contracts and GDPR support for more than 15 years. There have been a lot of changes in that time.

Last year Jo Brianti joined the KoffeeKlatch team as a Director.

Together the two of them provide a clear technical support system designed to help VAs create a profitable business that does not ignore the realities and legalities of the way you work today.
