The EU’s new General Data Protection Regulation (GDPR) came into force on May 25th 2018. Although the regulation has been enforceable from that date, your business is unlikely to get a visit from the Information Commissioner’s Office in the next few days. Instead, treat that date as the starting point from which you make sure you collect data legitimately and in line with the law. And this doesn’t just apply to your own business. As any virtual assistant CRM specialist or database expert will tell you, it’s about ensuring that all the third parties or service providers you use are compliant too.
How do I know who is compliant?
The first step is to list all the third-party providers that have access to, or store, data for you. This may include:
- Your CRM software provider
- External payroll provider
- Accounting software and your accountant/bookkeeper
- Marketing database programmes such as MailChimp
- IT support companies that back up your data
- Outsourced partners such as virtual assistant agencies or contractors who process personal data on your behalf
This applies no matter where your third party is based – inside the UK, inside the EU or further afield. In fact, data that is transferred outside the EU is subject to restrictions set out in the GDPR legislation. Most big suppliers are well aware of GDPR and have already made the changes needed, but it is your responsibility to be sure that this is the case, so that you can show that your data is held securely, backed up or encrypted as appropriate, and used only for the purpose covered by consent or another allowed use.
What do I need to do?
You may already have been contacted by your current software or systems suppliers, to tell you what they are doing to be GDPR compliant. But remember that your business is the data controller for the personal data you hold and remains responsible for it, even whilst it is in the care of the third party processors. Therefore you must be able to show that part of your contract or agreement with the supplier covers the way they protect, remove and store your data, and that they will only make changes to the data if you ask them to.
In this instance – as with other providers like a virtual assistant company – the supplier is the data processor. This means they work with the data you provide in order to carry out regular business tasks. They have to be compliant in the way they access, use and protect your data and can only use the data in accordance with your instructions. However, it is important to remember that you, as the company that collects that data, are responsible for ensuring that compliance is in place and requirements are being met.
What if my provider isn’t compliant?
It’s recommended that you only work with suppliers who have the relevant procedures and protections in place – and understand how to apply them in respect of your business data. For example, a virtual assistant agency should already have clear policies on how they manage your data and how they will work with you to ensure compliant use of that data. If you are looking for outsourced help like a virtual assistant firm and that help will have access to information about individuals, you must be absolutely confident that they are compliant with GDPR. The same is true of all other providers – if you’re not sure they are compliant, or they are not able to prove that they are, you should think about looking for a replacement supplier.
How’s your data looking?
If you’re not sure where to start with your outsourced providers, or you need help with your database management to give you confidence about complying with GDPR, then a virtual assistant with CRM and database expertise can help. We are fully GDPR compliant and have been working with our clients to demonstrate that we process, protect and use their data within the requirements of the new legislation. So, if you are looking for help with CRM data management or would like to know about our other virtual assistance services, feel free to call us on 0800 994 9016 or click here to request a free consultation.