General Data Protection Regulation (GDPR)
A guide to GDPR for clients who use Virtual Assistants
What is GDPR?
The General Data Protection Regulation (GDPR) came into effect on 25 May, 2018, replacing the 1995 EU Data Protection Directive. It's a new pan-European regulation. GDPR expands the privacy rights granted to individuals and places greater obligations on organisations who handle personal data of those individuals (data controllers and processors).
The purpose of the GDPR is to provide a set of standardised data protection laws across EU member countries which give citizens greater control over their personal data. For example, giving you greater transparency into how your data is being used and ensuring that the organisations you entrust with your data are taking care of it.
FlexiWorkr is compliant with GDPR and has been since its introduction in 2021.
We've put together this brief guide to highlight some of the most important aspects of GDPR as regards your relationship with us. We've spent a lot of time thinking about and reacting to GDPR. But the application of GDPR is highly specific to your own unique circumstances. Also, guidance is still being issued by regulators regarding how it is to be implemented. So, this guide is provided for informational purposes only, as a general guide to some of the issues GDPR may present for your business. It should not be relied upon as legal advice, or to definitively determine how GDPR might apply to you and your organisation. We'd encourage you to understand your own GDPR responsibilities and requirements, and that might include you talking to a legal or privacy professional about how GDPR affects your business and what to do about it.
Will FlexiWorkr be GDPR compliant?
As a data subject
As a controller
Where personal data is contained in any materials you provide to us or your freelance Virtual Assistant, then depending on the nature of your business, and the tasks that your freelance Virtual Assistant carries out for you, you are highly likely to be a data controller under the scope of the GDPR. If you use our tools to store and process that data, then we will be your 'data processor', and as such will be responsible for it being processed in accordance with your instructions and GDPR. Where you send materials direct to your freelance Virtual Assistant, and we do not view or receive them, your freelance Virtual Assistant will be your 'data processor' and as such directly responsible to you for the processing of the data.
Being a data controller means that you have serious obligations under GDPR - for example you must inform any data subjects that you collect data from that you pass that data to third parties for sub-processing. These are detailed elsewhere in this document.
What we'll do
We need to work together to drive our compliance with GDPR. These are the things we'll take care of.
Broadly, we will:
Take steps to be a GDPR compliant business
Ensure our platform facilitates GDPR compliance
Ensure our platform has the right level of security
Have the requirements of GDPR front of mind in our collection, processing and storing of your data
Implement GDPR compliant privacy policies, notices and terms and conditions (including GDPR 'processor' clauses where we are your data processor)
Publish GDPR material and guidance to all freelance Virtual Assistants
Publish GDPR material and guidance to our clients
Require that our freelance Virtual Assistants are GDPR compliant
Implement GDPR 'processor' clauses in our freelance Virtual Assistant service agreement
Offer GDPR audits to our freelance Virtual Assistants on at least an annual basis
Train our internal team on GDPR compliance
What you must do
As a data controller you have a range of obligations under GDPR. You must take full responsibility for ensuring that your business acts in a GDPR compliant way.
Your general obligations as a business
Any business that processes personal data belonging to data subjects in the UK or Europe must be fully compliant with GDPR. We can't advise you on this. For official guidance on how to ensure that your business is GDPR compliant please talk to your lawyer; for a summary of the requirements, visit the ICO's guide for small businesses here.
Informing your data subjects and gaining consent
One of your most important responsibilities under GDPR is that you must inform your data subjects if you intend to share their personal data with your Virtual Assistant and, if applicable, FlexiWorkr Limited. You must also gain explicit consent from your data subjects, where required.
Your other obligations:
You are accountable for your own GDPR compliance
You must ensure that the relationship between you and your freelance Virtual Assistant meets GDPR requirements
You must satisfy yourself that your freelance Virtual Assistant is GDPR compliant
You must ensure that any data that you share with your freelance Virtual Assistant is shared in a GDPR compliant way
Ensure that the tools or services you use to share data with your freelance Virtual Assistant are GDPR compliant
Ensure your own agreements, contracts and policies are GDPR compliant
Ensure that your own systems are GDPR compliant
Do not ask your freelance Virtual Assistant to act in contravention of GDPR
Do not send any sensitive data to your freelance Virtual Assistant
Ensure that you only share data with your freelance Virtual Assistant where it's strictly necessary
Provide your freelance Virtual Assistant with clear instructions on when to delete data
Assist your freelance Virtual Assistant in ensuring data records are up to date
Process, store and manage your freelance Virtual Assistant's data in line with GDPR requirements
How we look after your data
We take our obligations under GDPR very seriously and have made extensive improvements to our platform and legal documentation to comply with the requirements of GDPR.
Active security measures:
Firewalls at network and server level
Attack detection with automated blocking
Encryption of data at rest
Encryption of data during transit
Data minimisation - all pages modified to display least viable amount of data
Checksums to ensure the integrity of data records
Intrusion detection monitoring
Regular software updates
Pin code access required to access data by staff
Access to data restricted to only required personnel
Access to data password protected
Physical security including alarm systems, physical barriers and access control
Third party vulnerability scans
Database access restricted to management persons only
Database access restricted to corporate IP addresses only
Backups and recovery:
Data is backed up to multiple replica servers on a live/live basis
Data is backed up on alternate days at 5am UK time
Data is backed up over secure encrypted tunnels
Data is also backed up to Amazon S3 cloud storage service
Privacy by default and design
Our development team have made extensive changes to our platform and infrastructure to minimise the processing and storage of personal data where possible. In addition, our development team have adopted a new GDPR compliant development policy that puts the need for privacy at the heart of all new systems and projects.
The data we collect
Where we send data we collect about you
We have rolled out a package of ongoing training for our team on the safe handling of data and compliance with your rights under the GDPR. In addition, we have introduced a number of further security measures such as advanced identity verification when you call us.
Respecting your rights
Demonstrating and documenting our compliance
FlexiWorkr has conducted a full information audit including data mapping and Privacy Impact Assessment. We conduct due diligence on the third parties that we share data with, ensuring they are GDPR compliant, and keep a record of our assessments. We keep up-to-date records detailing the data that we process as both a controller and processor. We also conduct regular reviews of our data controller and processing arrangements.
Who we share your data with
We routinely share your personal information as a data controller with a range of third party service providers who help us provide, analyse and promote the FlexiWorkr services and engage with freelancers. Some of those third party recipients may be based outside the European Economic Area.
We will share relevant information about you from your FlexiWorkr client account (including your name, email address, profile, biography) and the nature of your brief with a freelancer we think is suitable for your brief.
We will share personal information with law enforcement or other authorities if required by applicable law.
Sharing Your Data Outside EEA
Google, USA - for the purpose of analytics and documents. Basis: EU-US Privacy Shield certification.
Microsoft, USA - for the purpose of email. Basis: EU-US Privacy Shield certification.
Sentry, USA - for the purpose of bug tracking. Basis: EU-US Privacy Shield certification.
Xero, USA - for the purposes of financial reporting. Basis: Model clauses in contract.
Sharing your data inside EEA
Albert Goodman Chartered Accountants, UK - for the purpose of producing financial accounts, a legal requirement.
Wix Payments, USA - for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
Zoom, EEA - for the purpose of communicating via live video calls.
As a data subject, you have several rights under GDPR including the right of access, rectification, erasure and data portability. For more information on your rights please see this guide on the ICO website. To exercise any of your rights, please email firstname.lastname@example.org.
Some articles and resources we think you might find helpful:
Contacts and help
Who can I contact for further help and advice on GDPR and related matters?
You can email queries and questions to email@example.com and we'll respond to you within 48 hours during the business week. Please note that we cannot provide general GDPR advice.
Who can I contact to report a breach?
Who can I contact to request updating, deleting or access to my data?
Please email firstname.lastname@example.org clearly stating the nature of your request. We will conduct security verification with you prior to completing your request. We may need to speak to you verbally to complete security verification.