General Data Protection Regulation (GDPR)
A guide to GDPR for clients who use Virtual Assistants
What is GDPR?
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the 1995 EU Data Protection Directive. It’s a new pan-European regulation. GDPR expands the privacy rights granted to individuals and places greater obligations on organisations who handle personal data of those individuals (data controllers and processors).
The purpose of the GDPR is to provide a set of standardised data protection laws across EU member countries which citizens greater control over their personal data. For example, giving you greater transparency into how your data is being used and ensuring that the organisations you entrust with your data are taking care of it.
Best Assistant UK is working hard to be fully compliant by the end of May 2018. This involves considerable work on our systems and processes in addition to updating our client and freelancer facing contracts and privacy policies.
We’ve put together this brief guide to highlight some of the most important aspects of GDPR as regards your relationship with us. We’ve spent a lot of thinking about and reacting to GDPR. But the application of GDPR is highly specific to your own unique circumstances. Also, guidance is still being issued by regulators regarding how it is to be implemented. So, this guide is provided for informational purposes only, as a general guide to some of the issues GDPR may present for your business. It should not be relied upon as legal advice, or to definitively determine how GDPR might apply to you and your organisation. We’d encourage you to understand your own GDPR responsibilities and requirements, and that might include you talking to a legal or privacy professional about how GDPR affects your business and what to do about it
Will “Best-Assistant” be GDPR compliant?
“Best-Assistant” compliance by May 25th
As a data subject
As a controller
Where personal data is contained in any materials you provide to us or your freelance Virtual Assistant, then depending the nature of your business, and the tasks that your freelance Virtual Assistant carries out for you, you are highly likely to be a data controller under the scope of the GDPR. If you use our tools to store and process that data, then we will be your ‘data processor’, and as such will be responsible for it being processed in accordance with your instructions and GDPR. Where you send materials direct to your freelance Virtual Assistant, and we do not view or receive it, your freelance Virtual Assistant will be your ‘data processor’ and as such directly responsible to you for the processing of the data.
Being a data controller means that you have serious obligations under GDPR – for example you must inform any data subjects that you collect data from that you pass that data to third parties for sub-processing. These are detailed elsewhere in this document.
What we’ll do
We need to work together to drive our compliance with GDPR. These are the things we’ll take care of.
Broadly, we will:
- Take steps to be a GDPR compliant business
- Ensure our platform facilitates GDPR compliance
- Ensure our platform has the right level of security
- Have requirement of GDPR front of mind in our collection, processing and storing of your data
- Implement GDPR compliant privacy policies, notices and terms and conditions (including GDPR ‘processor’ clauses where we are your data processor)
- Publish GDPR material and guidance to all freelance Virtual Assistants
- Publish GDPR material and guidance to our clients
- Require that our freelance Virtual Assistants are GDPR compliant
- Implement GDPR ‘processor’ clauses in our freelance Virtual Assistant service agreement
- Offer GDPR audits to our freelance Virtual Assistants on an, at least, annual basis
- Train our internal team on GDPR compliance
More information about how we comply with GDPR and take care of your data is available below.
What you must do
As a data controller you have a range of obligations under GDPR. You must take full responsibility for ensuring that your business acts in a GDPR compliant way.
Your general obligations as a business
Any business that processes personal data belonging to data subjects in the UK or Europe must be fully compliant with GDPR. We can’t advise you on this. For official guidance on how to ensure that your business is GDPR compliant please talk to your lawyer; for a summary of the requirements, visit the ICO’s guide for small businesses here.
Informing your data subjects and gaining consent
One of your most important responsibilities under GDPR is that you must inform your data subjects if you intend to share their personal data with your Virtual Assistant and, if applicable, “Best-Assistant”. You must also gain explicit consent from your data subjects, where required.
Your other obligations:
- You are accountable for your own GDPR compliance
- You must ensure that the relationship between you and your freelance Virtual Assistant meets GDPR requirements
- You must satisfy yourself that your freelance Virtual Assistant is GDPR compliant
- You must ensure that any data that you share with your freelance Virtual Assistant is done so in a GDPR compliant way
- Ensure that the tools or services you use to share data with your freelance Virtual Assistant are GDPR compliant
- Ensure your own agreements, contracts and policies are GDPR compliant
- Ensure that your own systems are GDPR compliant
- Do not ask your freelance Virtual Assistant to act in contravention of GDPR
- Do not send any sensitive data to your freelance Virtual Assistant
- Ensure that you only share data with your freelance Virtual Assistant where it’s strictly necessary
- Provide your freelance Virtual Assistant with clear instructions on when to delete data
- Assist your freelance Virtual Assistant in ensuring data records are up to date
- Process, store and manage your freelance Virtual Assistant’s data in line with GDPR requirements
How we look after your data
We take our obligations under GDPR very seriously and have made extensive improvements to our platform and legal documentation to comply with the requirements of GDPR.
Active security measures:
- Firewalls at network and server level
- Attack detection with automated blocking
- Encryption of data at rest
- Encryption of data during transit
- Data minimisation – all pages modified to display least viable amount of data
- Checksums to ensure the integrity of data records
- Intrusion detection monitoring
- Regular software updates
- Pin code access required to access data by staff
- Access to data restricted to only required personnel
- Access to data password protected
- Physical security including alarm systems, physical barriers and access control
- Third party vulnerability scans
- Database access restricted to management persons only
- Database access restricted to corporate IP addresses only
Backups and recovery:
- Data is backed up to multiple replica servers on a live/live basis
- Data is backed up on alternate days at 5am UK time
- Data is backed up over secure encrypted tunnels
- Data is also backed up to Amazon S3 cloud storage service
Privacy by default and design
Our development team have made extensive changes to our platform and infrastructure to minimise the processing and storage of personal data where possible. In addition, our development team have adopted a new GDPR compliant development policy that puts the need for privacy at the heart of all new systems and projects.
The data we collect
Where we send the data, we collect about you
We have rolled out a package of ongoing training for our team on the safe handling of data and compliance with your rights under the GDPR. In addition, we have introduced a number of further security measures such as advanced identity verification when you call us.
Respecting your rights
Demonstrating and documenting our compliance
“Best-Assistant” has conducted a full information audit including data mapping and Privacy Impact Assessment. We conduct due diligence on the third parties that we share data with, ensuring they are GDPR compliant, and keep a record of our assessments. We keep up to date records detailing the data that we process as both a controller and processor. We also conduct regular reviews of our data controller and processing arrangements.
Who we share your data with
We routinely share your personal information as a data controller with a range of Third party service providers who help us provide, analyse and promote the Best Assistant UK services and engage with freelancers. Some of those Third party recipients may be based outside the European Economic Area.
We will share relevant information about you from your Best Assistant UK client account (including your name, email address, profile, biography) and the nature of your brief with a freelancer we think is suitable for your brief.
We will share personal information with law enforcement or other authorities if required by applicable law.
Sharing Your Data Outside EEA
- Google, USA – for the purpose of analytics and documents. Basis: EU-US Privacy Shield certification.
- Amazon Web Services, USA – for the purpose of hosting and file storage. Basis: EU-US Privacy Shield certification.
- Freshdesk, USA – for the purpose of providing you with a help desk facility to contact us. Basis: EU-US Privacy Shield certification.
- Microsoft, USA – for the purpose of email. Basis: EU-US Privacy Shield certification.
- Dropbox, USA – for the purpose of storage of information. Basis: EU-US Privacy Shield certification.
- Inspectlet, USA – for the purpose of user experience monitoring. Basis: Model clauses in contract.
- Stripe, USA – for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
- Paypal, USA – for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
- Slack, USA – for the purpose of internal team communication. Basis: EU-US Privacy Shield certification.
- Sentry, USA – for the purpose of bug tracking. Basis: EU-US Privacy Shield certification.
Sharing your data inside EEA
- GoCardless, UK – for the purposes of billing certain UK customers only.
- Albert Goodman Chartered Accountants, UK – for the purpose of producing financial accounts, a legal requirement.
- Netbanx / Paysafe, UK – for the purpose of processing some payments on behalf of UK customers.
As a data subject, you have several rights under GDPR including the right of access, rectification, erasure and data portability. For more information on your rights please see this guide on the ICO website. To exercise any of your rights, please email firstname.lastname@example.org.
Some articles and resources we think you might find helpful:
Contacts and help
Who can I contact for further help and advice on GDPR and related matters?
You can email queries and questions to email@example.com and we’ll respond to you within 48 hours during the business week. Please note that we cannot provide general GDPR advice.
Who can I contact to report a breach?
If you suspect a data or security breach, please email firstname.lastname@example.org with the subject line “Data breach” and we will respond as a priority.
Who can I contact to request updating, deleting or access to my data?
Please email email@example.com clearly stating the nature of your request. We will conduct security verification with you prior to completing your request. We may need to speak to you verbally to complete security verification.