Guest Blog by Lesley Cooley: Ten things VA’s need to know about the General Data Protection Regulation (GDPR)

One of the biggest concerns I hear about, time and time is how will the General Data Protection Regulation (GDPR) affect the Virtual Assistant industry. So, this week, we are very lucky to have Lesley Cooley contribute this weeks guest post. Lesley is a qualified Data Protection Officer with 15 years’ experience in various sectors and we met at a Mastermind event a few years ago. So I am delighted she agreed to share 10 points we should be aware of:

  1. It applies to you

If you collect or process (use) personal information, the GDPR applies to you. Personal information is classified as a piece of information from which a person can be identified, so includes email addresses, names, addresses, IP addresses, etc. Most VA’s will have personal information in the form of a mailing list and the details they are working with on behalf of clients.

  1. It comes into force on 25th May 2018

You may have heard a lot about GDPR over the last few months and the key date is 25th May 2018 when it comes into force. By then, there will have been a two-year transition period and businesses are expected to be able to comply on that date.  Depending on how compliant you are now, you might struggle to meet that deadline, so find out what you need to do and then prioritise the tasks to reduce the risk of non-compliance.

  1. This applies to information relating to anyone based in Europe

If you are a VA that works with clients based in Europe but you are based outside Europe, you have an obligation to comply with GDPR.

  1. There is a need for accountability

GDPR brings in a requirement for organisations to be able to be accountable for the information that they are collecting. What does this mean? If you have an email list for marketing, you need to be able to prove that the person has made a conscious decision to sign up to your marketing emails. So, consider how you have been collecting email addresses and undertaking marketing and whether you can demonstrate that those on your mailing list gave their permission to be there. How would you prove this?

  1. Fines

Let’s get the scaremongering out of the way – fines are increasing significantly, with the maximum fine being about £17m or 4% of global turnover, whichever is the greater. Though that is scary, the Information Commissioner (the body for regulating data protection in the UK) has said that it is not their intention to issue the maximum fine and all fines would be proportional for the event. To put this into context, the maximum fine at the moment is £500,000 and it has, to date, never been enforced at the level. The maximum fine so far has been for TalkTalk for the 2015 breach and that was £400,000.

  1. Collecting information requires clarity

When you are collecting information, you need to inform the person what you are going to do with that information. This includes providing information about

  • who you are sharing it with (specifically who you share it with, a sentence saying selected third parties just won’t meet the requirement)
  • whether it is going outside the European Economic Area (EEA) (and you need permission for this) so be clear about what packages you are using and where the cloud storage for them is
  • how long you will keep the information and where it will be stored
  1. Data Processors are as liable as Data Controllers


Let’s cover who the Data Processor and Data Controller are. A Data Controller decides what information will be collected and how it will be used (so this is generally your clients) and a Data Processor means the person who follows the instructions of the Data Controller (so this is usually you in your role as VA). In the past, there was very little liability attributed to Data Processors and if there was an issue regarding data protection it was usually the responsibility of the Data Controller. That all changes under GDPR.

  • Data Controllers can only appoint Data Processors who provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of GDPR. This means that you must have adequate security measures, systems and processes in place to make sure the information that you are dealing with is handled appropriately.
  • If you are subcontracting the work out to another person, you need to get the written permission of your client before you can pass that work on. Any work you sub contract out has to meet the same contractual obligations as you have with your client.
  • You must have a written contract with your clients which clearly shows what services you will offer, how information will be secured, how long the arrangement will be and you have an obligation to tell your Client if you believe they are breaching the GDPR requirements.
  1. Cloud computing

Understand where your cloud packages are stored. Are they held in the EEA? When you sign up for things now you are frequently asked whether you would like it stored on an EEA server. You need to be saying yes to this. Any information stored outside the EEA needs the consent of the individual for you to be able to do it. If the information belongs to one of your clients and they are asking you to use a cloud package or send information outside the EEA, then they should be able to provide you with information that there are the appropriate safeguards and permissions in place to do so.

  1. Breach Notification

Under GDPR, there is a requirement to notify your client when you become aware of loss of personal information. Your Client, as Data Controller, has an obligation to notify the Information Commissioner’s Office of any significant loss of personal information.

  1. Historic data has to comply

Although GDPR doesn’t come into force until May 2018, when it does, all the criteria relates to information held at that date. For example, if you have a mailing list, for everyone on that list at May 2018, you need to ensure that you can prove that the person who signed up to the mailing list made a conscious decision to do so and was informed of how their information would be used, who it would be shared with etc. So, you need to be working already to make sure that your contracts meet the criteria, your mailing list is cleaned up and verified and you have put suitable security controls into place to meet the criteria ready for May next year.

To Learn More:  Lesley Cooley

You can go to the website for more information, (some great stuff on their blog that you will definitely want to read to learn more about this complex subject.)  Lesley has a specific course on GDPR and its implementation for VAs.  She knows that you don’t have the time to wade through pages and pages of legal jargon, and so has created a guide / e-course that doesn’t just quote the law but actually explains what YOU have to do and how to implement it (and when) in your business.  The course is £149 on a limited promotional offer, so click here to access it.

Facebook –
Linkedin –