Assistant Guide:
General Data Protection Regulation (GDPR)

A guide to GDPR for freelance Virtual Assistants

What is GDPR?

Introduction

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the 1995 EU Data Protection Directive. It is a new pan-European regulation. GDPR expands the privacy rights granted to individuals and places greater obligations on organisations that handle the personal data of those individuals (data controllers and processors).

The purpose of the GDPR is to provide a set of standardised data protection laws across EU member countries which gives citizens greater control over their personal data. For example, it gives you greater transparency into how your data is being used and ensures that the organisations you entrust with your data are taking care of it.

Time etc is working hard to be fully compliant by the end of May 2018. This involves considerable work on our systems and processes in addition to updating our client and freelancer facing contracts and privacy policies.

We've put together this brief guide to highlight some of the most important aspects of GDPR as regards your relationship with us. We've spent a lot of time thinking about and reacting to GDPR. But the application of GDPR is highly specific to your own unique circumstances. Also, guidance is still being issued by regulators regarding how it is to be implemented. So, this guide is provided for informational purposes only, as a general guide to some of the issues GDPR may present for your business. It should not be relied upon as legal advice, or to definitively determine how GDPR might apply to you and your virtual assistant business. We'd encourage you to understand your own GDPR responsibilities and requirements, and that might include you talking to a legal or privacy professional about how GDPR affects your business and what to do about it. As a first step, please review the ICO materials below in the 'Further Reading' section.

Will Time etc be GDPR compliant?

Time etc's GDPR compliance, by May 25th

We are updating our privacy policy and terms and conditions to be fully compliant. In addition we have conducted a full audit of the information we hold and have made a number of changes to our business to accommodate GDPR. Many of these changes, security measures and GDPR requirements are listed in this document.

Our relationship

You as a data subject

You are a data subject and Time Etc is a controller responsible for its processing of personal data about you. We collect and use your personal data in order to assess your suitability to offer services through Time Etc, advertise your services to potential clients, provide support and customer service and to enable us to meet our contractual obligations. More details of our use of your personal data are in our Privacy Policy.

As a freelance Virtual Assistant outside Time etc

When you work directly with clients outside of Time Etc's platform you will be a data controller and / or processor, depending on the exact nature of the relationship. You should be clear on your obligations under GDPR to ensure that you do not open yourself up to enforcement action and / or fines.

As a freelance Virtual Assistant working for clients through Time etc

Working on a brief for a client through Time Etc may involve processing personal data for the client. Conducting work and assignments for clients may result in you becoming a data controller and / or processor in a relationship directly with the client, even if the relationship was formed through Time Etc.

It is important that you fully understand the risks and obligations of being a controller and / or processor. For example, if your client asks you to contact third parties without those third parties' consent, and that consent is required in order to lawfully contact them, you could bear some responsibility.

You will be a data processor in respect of any personal data you are working with in order to deliver the brief – for example, a list of email addresses you are qualifying as leads for the client.

1. Where client brief materials are only exchanged directly between you and the Time Etc client:

Where you receive that personal data direct from the client and it isn't provided via Time Etc, then you will have a direct controller-processor relationship with the client. The client is the data controller – the one who decides the purposes for which the data is processed and the means by which it is processed. You will be their data processor, responsible to them under data protection law for processing the personal data. Remember, your contractual relationship remains with Time Etc – the brief is agreed with Time Etc and Time Etc will pay you for your work on it. But, just like on the occasions when a client may ask you to sign a confidentiality agreement with them directly, you have an additional direct responsibility to the client in respect of your processing the personal data they give to you to carry out the brief.

The client may ask you to agree some 'data processing' terms directly with them in these circumstances. If they don't, our client and freelancer terms provide a default set of processing terms that take effect between clients and freelance virtual assistants. Whichever set is used, you should review them carefully to make sure you understand your obligations and are comfortable complying with them.

2. Where client brief materials are received from or sent between you and Time Etc:

Where you receive client materials for the brief from Time Etc (or send them to Time Etc), and those details contain personal data, you will have that 'processor' relationship with Time Etc, not with the client. In this case, Time Etc is the client's data processor. This makes you Time Etc's sub-processor. That is someone appointed by them to receive the data and work on it. The terms under which you process personal data in client brief materials for Time Etc are set out in our freelancer terms. You should review them carefully to make sure you understand your obligations and are comfortable complying with them.

To summarise: if you receive client material worked on for the brief from Time Etc (or you send it to Time Etc), and it contains personal data, you will be Time Etc's 'sub-processor' under the terms between you and Time Etc contained in the freelancer terms. If you only exchange client brief materials containing personal data with the client (and don't send or receive them to or from Time Etc), you will be the client's data processor under data processing terms between you and the client. It all depends on who sends and receives the files you will be working on for the brief. If the client brief materials aren't passed through Time Etc on the way between you and the client, you will be the client's data processor. If they are passed through Time Etc, you will be Time Etc's sub-processor.

(Additionally, unrelated to the materials worked on as part of a brief, you will in all cases be our data processor in respect of any personal data about the client itself, for example their contact details.)

Your obligations

GDPR places a range of obligations on data controllers and processors. These apply to your virtual assistant business, even if your business is small or you work on a part-time basis as a freelance Virtual Assistant. Below is a summary of some of your obligations. (For the full picture, as a first step please review the ICO materials below in the 'Further Reading' section).

Auditing and demonstrating compliance

You must review, understand and document information you process. You should also document how you store it and how long you keep it for. You'll need this document to demonstrate that you've audited and understood the risks surrounding the data that you deal with.

Fairness and Transparency regarding data

Data must be kept and processed lawfully and in a transparent way. For example, you must make clear to your clients what you intend to do with the data, and you must tell your clients if you intend to share their data. You must not use your client's data for any other purpose.

Security

You must use appropriate protective measures to secure personal data against unauthorised access, loss or alteration. This may involve encrypting data, deleting data when it is no longer required and minimising the use of data that can identify the data subject.

Purpose Limitation

The collection of personal data must have a legitimate and clearly defined purpose and you may not process or collect data that lies outside of this purpose. So, for example, if a client has provided you with secure access to their Amazon account to make a purchase on their behalf you would need to confirm their consent to use that login information for any other purpose.

Data minimization

You must only collect data that is needed for the defined purpose, collect no information that isn't of use, and keep it for no longer than is necessary. So, for example, if you were booking flights for a client you must request, process and store only the minimum amount of information required to book the flights (e.g. if you don't need to know the age of the passengers, don't ask for it).

Accuracy

You must keep the data that you hold correct and up-to-date. You should check in with your clients on a regular basis to ensure that the data you hold on their behalf is correct and up-to-date. If you know that data is old or outdated you should delete it or update it.

Deletion

You are only allowed to keep data for the fulfilment of the purpose for which it was collected, and no longer. You may decide to retain client information for the length of your agreement to provide Virtual Assistant services to that client, but you should delete it as soon as that relationship ends. You may decide that once you have completed a specific assignment for a client (such as booking flights) you delete any personal data relating to that assignment after the task is completed. You should document your policy on this.

Accountability

You are responsible for the data that you handle and for your compliance with the GDPR. You must be able to demonstrate your compliance - one key part of this is documenting the data you process and what you've done to keep it secure. Fines for non-compliance with GDPR can be substantial.

Data breach notifications

You must notify the ICO within 72 hours of becoming aware of a data breach involving information you hold as data controller for the purposes of your own business (e.g. client contact data).

If a data breach relates to a client you work with through Time Etc, or involves information you are working on for a Time Etc client, you must notify us immediately. To notify Time Etc you must email gdpr@timeetc.com with a subject line of "Breach notification".

Rights of the data subject

Among a range of other rights, the data subject has the right to request their data (in an easily portable format), make alterations or delete their data altogether. You must know how you intend to deal with such requests.

Simple Checklist

Make a list of the data you process

You need to demonstrate your compliance with GDPR. To help you do this create a simple list detailing the data you process, who you process it for, where you store it and how long you store it for. This record will be important in the event of a data breach.

Ensure any tools you use are GDPR compliant

If you're sending client data to third party tools such as Gmail, Google Docs, Office 365 and others you need to check that the tools you use are GDPR compliant. Luckily most online services are already GDPR compliant and have clear information about their compliance on their websites. Keep a list of services you use, a link to their terms and conditions and whether or not they are GDPR compliant.

Protect and secure your devices

If you store or process personal data on your devices you need to ensure they are secure. Ideally you should encrypt your devices using tools such as FileVault for Mac and Windows Encryption. At the very least you should have up-to-date virus scanning software (available for free) and malware detection.

Keep passwords secure

Don't store passwords on your local device. Use a service such as LastPass to securely store and generate passwords for you.

Backup data securely

If data is stored on your devices you should keep it safe by backing it up regularly, but be careful to ensure that your backups are secure too.

Don't email without permission

Be careful when staying in touch with ex-clients. If they haven't clearly given you their consent (and you've recorded their consent) then you may not be able to legally email them. Subject to certain exceptions, they must give you their clear consent for you to stay in touch.

Where possible, use the Time etc platform

The Time Etc platform is designed to be GDPR compliant and is protected by various security measures such as encryption, intrusion detection and vulnerability scans. Where possible we recommend avoiding the transfer of personal data from the Time Etc platform to your own devices (for example saving a file).

Don't accept sensitive data

We recommend that you don't accept sensitive data from your clients where possible because once you are in possession of it, you're responsible for it. Consider whether it's strictly required to transfer the data to you. Very sensitive data such as medical histories, ethnicity and information about children should be avoided – for work undertaken through Time Etc, this is prohibited in our terms with clients. Please let us know if you are asked to work on any such information on Time Etc briefs.

Delete data you don't need any more

When a client ends their contract with you, delete their data. You can reasonably decide to keep hold of your client account management data for an appropriate period of time following its use (for example if it may be needed again), but in general, keep things tidy by deleting as you go. When you've finished working on an assignment for a client, you must immediately delete any data involved (such as spreadsheets). This is part of your obligation as a data processor.

Know what to do in the event of a data breach

If you discover a data breach you must notify the ICO within 72 hours of your discovery. If your client is a client you're working with through Time etc you must also notify us. You can do this at gdpr@timeetc.com.

Understand your client's rights and know what to do if they exercise them

Your clients have several rights regarding their data: they can ask you to delete, alter or supply their data to them. If you work with your client through Time Etc you can email gdpr@timeetc.com and we'll coordinate your client's request with you. If you work with your clients directly, you'll need your own process to comply.

Create a GDPR compliant privacy policy

If you have a website (or even if you don't) you'll want to make sure that you have a GDPR compliant privacy policy. We recommend this LinkedIn article for an excellent example of GDPR privacy policy wording.

How we look after your data

We take our obligations under GDPR very seriously and have made extensive improvements to our platform and legal documentation to comply with the requirements of GDPR. For more details on how we process your personal data, please see our Privacy Policy.

Data security

Active security measures:
  • Firewalls at network and server level
  • Attack detection with automated blocking
  • Encryption of data at rest
  • Encryption of data in transit
  • Data minimisation: all pages modified to display the minimum amount of data
  • Checksums to ensure the integrity of data records
  • Intrusion detection monitoring
  • Regular software updates
  • PIN code required for staff to access data
  • Access to data restricted to only required personnel
  • Access to data password protected
  • Physical security including alarm systems, physical barriers and access control
  • Third party vulnerability scans
  • Database access restricted to management personnel only
  • Database access restricted to corporate IP addresses only

Backups and recovery:
  • Data is backed up to multiple replica servers on a live/live basis
  • Data is backed up on alternate days at 5am UK time
  • Data is backed up over secure encrypted tunnels
  • Data is also backed up to the Amazon S3 cloud storage service

Privacy by default and design

Our development team have made extensive changes to our platform and infrastructure to minimise the processing and storage of personal data where possible. In addition our development team have adopted a new GDPR compliant development policy that puts the need for privacy at the heart of all new systems and projects.

The data we collect

We collect a range of data from you, as specified in our Privacy Policy. Data may include name, address, email address, telephone number, public profile, background information, career history, experience, skills and your financial information. We use this data in order to assess your suitability to offer your services as a freelance Virtual Assistant through the Time etc platform, to advertise your services to potential clients, to match you to potential clients, to provide clients with information relating to your services, to provide you with help and support and for analytical reasons including monitoring the quality of the services you offer.

Where we send data we collect

Our secure servers are all located within the EEA; however, on some occasions we may share your data with companies based outside of the EEA. All of the suppliers that we use who are located outside of the EEA either comply with the EU-US Privacy Shield scheme or have modified their contracts to be GDPR compliant. For more information on who we share data with, please see our Privacy Policy.

Data retention

Time etc does not store data for longer than is strictly required for practical, commercial and law enforcement reasons. Time etc has introduced a number of data retention policies and associated systems in order to allow our compliance with GDPR. In short these automated systems help to ensure that data is not kept for longer than is strictly required to provide services to you.

Team training

We have rolled out a package of ongoing training for our team on the safe handling of data and compliance with your rights under the GDPR. In addition we have introduced a number of further security measures such as advanced identity verification when you call us.

Respecting your rights

You have the right to ask us to delete, modify or provide a copy of your data. To exercise your right please email gdpr@timeetc.com and we will respond to confirm next steps. We will respond to your request within 48 hours.

Legal documentation

We have released a fully GDPR compliant Privacy Policy, Freelancer Agreement, Cookies Policy and Data Processing Terms.

Demonstrating and documenting our compliance

Time etc has conducted a full information audit including data mapping and Privacy Impact Assessment. We conduct due diligence on the third parties that we share data with, ensuring they are GDPR compliant, and keep a record of our assessments. We keep up to date records detailing the data that we process as both a controller and processor. We also conduct regular reviews of our data controller and processing arrangements.

Who we share your data with

We routinely share your personal information with a range of third party service providers who help us provide, analyse and promote the Time Etc service and engage with freelancers. Some of those third party recipients may be based outside the European Economic Area.

If you are a freelancer, we will share information (including your name, email address, profile data, ratings, and the skills you have notified to us) with a client whose brief we have asked you to work on.

If you are a client, we will share relevant information about you from your Time etc client account (including your name, email address, profile, biography) and the nature of your brief with a freelancer we think is suitable for your brief.

We will share personal information with law enforcement or other authorities if required by applicable law.

We will not share your personal information with any other third party, except in accordance with the requirements of GDPR.

Sharing Your Data Outside EEA

  • Google, USA - for the purposes of analytics and documents. Basis: EU-US Privacy Shield certification.
  • Amazon Web Services, USA - for the purposes of hosting and file storage. Basis: EU-US Privacy Shield certification.
  • Freshdesk, USA - for the purposes of providing you with a help desk facility to contact us. Basis: EU-US Privacy Shield certification.
  • Microsoft, USA - for the purpose of email. Basis: EU-US Privacy Shield certification.
  • Dropbox, USA - for the purpose of storage of information. Basis: EU-US Privacy Shield certification.
  • Inspectlet, USA - for the purpose of user experience monitoring. Basis: Model clauses in contract.
  • Stripe, USA - for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
  • Paypal, USA - for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
  • Slack, USA - for the purpose of internal team communication. Basis: EU-US Privacy Shield certification.
  • Sentry, USA - for the purpose of bug tracking. Basis: EU-US Privacy Shield certification.

Sharing your data inside EEA

  • GoCardless, UK - for the purpose of billing certain UK customers only.
  • Albert Goodman Chartered Accountants, UK - for the purpose of producing financial accounts, a legal requirement.
  • Netbanx / Paysafe, UK - for the purpose of processing some payments on behalf of UK customers.

Further reading

Contacts and help

Who can I contact for further help and advice on GDPR and related matters regarding my work with Time Etc?

You can email queries and questions to gdpr@timeetc.com and we'll respond to you within 48 hours during the business week.

Who can I contact to report a breach?

If you suspect a data or security breach please email gdpr@timeetc.com with the subject line "Data breach" and we will respond as a priority.

Who can I contact to request updating, deleting or access to my data?

Please email gdpr@timeetc.com clearly stating the nature of your request. We will conduct security verification with you prior to completing your request. We may need to speak to you verbally to complete security verification.