Things to consider when hiring a Virtual Assistant

VAs, or Virtual Assistants, are becoming more and more common for small business owners. They can be a wonderful addition for any organisation owner who needs an extra pair of hands. But with that comes responsibility, both for them and for you. If they are handling any of your clients' personal data, then you need to know who is responsible for what and how you can protect yourself.
- Who does the compliance lie with?
Responsibility for compliance lies with the data controller, which in this case is the company doing the hiring. This is because the organisation doing the hiring is the entity that determines the purpose and the means of the processing of the data. In short, if you are looking at hiring a VA, that means you! Your customers gave their data to you, for the purposes set out when they gave that data, not to your VA. In this context, the VA becomes the data processor because he or she is processing the data on your behalf.
- How can you ensure that your VA is compliant?
Limiting the VA's system access to a strict 'need to know' basis will help. Also ensure that you have a data processing agreement and a non-disclosure agreement in place to protect you both and to set boundaries and expectations.
You should insist, as part of the contract, that the VA has attended GDPR training, covering data breaches and subject access requests as a very minimum. Ideally you want your data processor (in this case, your VA) to be fully trained on how to process personal data, because ultimately you are accountable. You should also set out in the data processing agreement the security measures your VA is required to use when handling your customers' data, such as encryption and multi-factor authentication.
- What can you do if you suspect your VA has had a breach?
You can carry out an investigation and ask for details of the suspected breach to assess whether there has actually been a breach or not. To err on the side of caution I would recommend that you suspend any processing of data with the VA until the investigation is completed.
If it transpires that there has been a breach, assess its severity and its impact on the rights of the individuals affected, and use that assessment to decide whether it needs to be reported to the ICO.
- Who will the ICO fine?
You. The data controller.
As the data controller, you are accountable. Within your data processing agreement you can include clauses to protect yourself, including penalties should the VA cause a major data breach. As a controller you could be fined by the ICO, but you could also face compensation claims from your customers, so your data processing agreement with the VA should include penalties of some kind.
This isn't meant to put you off hiring a Virtual Assistant if you are at the point where you need help, but purely to protect you and them whilst you work together. They are a great resource, and there is a reason they are so popular amongst business owners. But the responsibility for handling your clients' data ultimately lies with you, so you need to go into any agreement carefully and protect both yourself and your clients.