What data privacy rules apply to you as a global virtual assistant?

As a virtual assistant, you are expected to follow the same data privacy and security best practices as any other online business, if not stricter ones.

The nature of the job is fully digital and requires VAs to deal with lots of highly personal data from their clients. Every time you perform a task for your client and help keep their schedule free by taking care of administrative tasks, you are handling sensitive data.

The data ranges from access to phone numbers and logs (all the way to handling all calls and correspondence), to handling IDs and passports, payment information, social media accounts, marketing campaigns, accounting, and more.

Having access to such accounts and data means that you and every other VA out there must ensure online business data privacy and comply with several data protection regulations and laws, depending on where the clients are from.

As a global virtual assistant, ideally you don’t want any limitations on what country your clients are from – something that can happen if you are not compliant with certain regulations.

Anyone who offers virtual assistant services should be familiar with the three most important regulations dealing with data protection for digital businesses globally:

  • The General Data Protection Regulation (GDPR) – EU-based but global reach
  • The California Consumer Privacy Act (CCPA) – California-based and covers California residents
  • The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act – US-based and covers commercial email sent by anyone doing business in the US or to US recipients.

Now, let’s go over all of them in detail and see how they affect virtual assistants, their businesses, and all the daily tasks you do for your clients.

The General Data Protection Regulation (GDPR)

The GDPR came into effect a little over two years ago, in May of 2018, and pushed organisations and businesses around the globe to change their data policies, from transparency about how they collect and use personal data to stronger rules on how consumers can control the data collected from them.

The point of the GDPR is data protection and control: to give people back power over their data and data privacy. All the data that companies and various organisations collect from them should be easily available for review.

The novelty of the GDPR is that people now have the freedom to refuse to let companies use their data for marketing purposes or sell it on to their partners – something that was done behind the scenes all the time until 2018, when it was very hard for anyone to find out what data was collected and sold, and to whom.

Now that this must be transparent, businesses reacted to the change very differently.

Most of them are doing their best to understand the regulations and comply fully. Yet there are also some who try to avoid disclosing this. The truth, however, is that there is no avoiding it. Even if you transfer the data to another country, you must comply with Chapter V of the GDPR, which governs transfers outside the EU.

But what does the GDPR mean for VAs?

Virtual assistants deal with personal data daily, and process personal data for their own business and for their clients too. As such, they will have to comply with GDPR and ensure data protection.

Under the GDPR, a VA (or any other business or person dealing with personal data) can be identified as both a data processor and a data controller – the main difference being that controllers determine why, how, and which data should be processed, while processors do the processing on behalf of controllers.

You will probably be determining the type of data you’ll be collecting for your own purposes, which makes you a controller, and your clients will let you know which data you should handle for them, which makes you a processor. If they give you the freedom to decide what data you handle for them, you will be both: a controller and processor.

To be compliant as a controller, you must determine how you will store the data and keep it accurate, how long you will keep it, and how you will report leaks and breaches. As a processor, you are in charge of data privacy and must ensure the data is kept safe and anonymised (meaning it cannot be traced back to any person even if it is ever accidentally disclosed or stolen).

You must also keep a record of all the data you’re processing and how you’re doing it, and have solutions that keep the data safe while you acquire, store, transfer, and dispose of it.

The most important thing to note here is that even though the GDPR is an EU law, it applies to anyone who handles EU residents' personal data. If you have a client, or even a website visitor, from any EU country whose data you collect (for example through the analytics cookies your website sets), you must comply with the GDPR.

So even if you’re doing business from the US and deal with UK clients, you are liable under the GDPR, but also have your own laws on data privacy to comply with. These include the following two:

The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act

The oldest of the three, the CAN-SPAM Act dates back to 2003 and was the first national standard for commercial email in the United States. It sets rules for how commercial email may and may not be sent. The most important (and still very much required) rules are:

  • You are prohibited from sending emails to people who opted out from your emails.
  • You must remove anyone who opts out within ten (business) days.
  • Your emails must have an opt-out procedure that’s easy to follow.
  • Your emails must have your business’ (or your own) physical address.
  • Your emails must NOT have misleading subject lines.

How does CAN-SPAM affect VAs?

You must comply with this act if you run your own active marketing campaigns or handle them for your clients. You must have mechanisms in place that let you collect and process opt-outs on time, and you must maintain a list of everyone who has opted out so that nobody receives an email from you by mistake.

If you use an external email marketing service to manage your campaigns, you must make sure it is compliant with CAN-SPAM (and all the other regulations and acts). The same applies to any affiliate programmes you or your clients run: everyone must be compliant.
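As an added illustration (this is not code from the original post), the following Python script shows the kind of suppression-list check a VA could run over a campaign's recipient list before every send: it records each opt-out with the date it arrived, computes the ten-business-day deadline for removing the address from all sending lists, excludes opted-out addresses from a recipient list regardless of case or surrounding whitespace, and flags opt-outs whose deadline has passed without the removal being confirmed. The sample addresses and dates are constructed for the example, business days are assumed to be Monday to Friday, and public holidays are ignored as a simplification.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# CAN-SPAM requires an opt-out to be honoured within ten business days.
OPT_OUT_BUSINESS_DAYS = 10


def normalise(address: str) -> str:
    # Case and stray whitespace must never let an opted-out address slip through.
    return address.strip().lower()


def add_business_days(start: date, days: int) -> date:
    """Date `days` business days (Mon-Fri) after `start`; public holidays are ignored (simplification)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            remaining -= 1
    return current


@dataclass
class OptOut:
    received_on: date                   # when the unsubscribe request arrived
    honoured_on: Optional[date] = None  # when removal from every sending list was confirmed


@dataclass
class SuppressionList:
    """Register of every address that opted out, keyed by normalised address."""
    entries: Dict[str, OptOut] = field(default_factory=dict)

    def record_opt_out(self, address: str, received_on: date) -> None:
        key = normalise(address)
        existing = self.entries.get(key)
        # Keep the earliest request so a repeated opt-out never pushes the deadline later.
        if existing is None or received_on < existing.received_on:
            self.entries[key] = OptOut(received_on=received_on)

    def mark_honoured(self, address: str, honoured_on: date) -> None:
        entry = self.entries.get(normalise(address))
        if entry is not None:
            entry.honoured_on = honoured_on

    def deadline(self, address: str) -> Optional[date]:
        entry = self.entries.get(normalise(address))
        if entry is None:
            return None
        return add_business_days(entry.received_on, OPT_OUT_BUSINESS_DAYS)

    def is_suppressed(self, address: str) -> bool:
        return normalise(address) in self.entries

    def filter_recipients(self, recipients: List[str]) -> Tuple[List[str], List[str]]:
        """Split a campaign's recipient list into (allowed, suppressed), preserving order."""
        allowed: List[str] = []
        suppressed: List[str] = []
        for recipient in recipients:
            (suppressed if self.is_suppressed(recipient) else allowed).append(recipient)
        return allowed, suppressed

    def overdue(self, today: date) -> List[str]:
        """Opt-outs whose removal is unconfirmed and whose deadline is already in the past."""
        return sorted(
            key for key in self.entries
            if self.entries[key].honoured_on is None and today > self.deadline(key)
        )


def build_sample_list() -> SuppressionList:
    """Constructed sample data: two opt-outs, one of them already honoured."""
    suppression = SuppressionList()
    suppression.record_opt_out("Alice@Example.com", date(2020, 6, 1))  # a Monday
    suppression.record_opt_out("bob@example.com", date(2020, 6, 5))    # a Friday
    suppression.mark_honoured("bob@example.com", date(2020, 6, 8))
    return suppression


if __name__ == "__main__":
    suppression = build_sample_list()
    campaign = ["alice@example.com", "carol@example.com", " BOB@example.com ", "dave@example.com"]
    allowed, suppressed = suppression.filter_recipients(campaign)
    print("send to:", allowed)
    print("suppressed:", suppressed)
    print("overdue on 2020-06-16:", suppression.overdue(date(2020, 6, 16)))
```

The check is deliberately run against the recipient list at send time rather than trusting that the address was removed from the mailing list earlier; the `overdue` report is what you would review when an external email service handles the actual removal, so that a request that has not been synced within the deadline is caught.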

The California Consumer Privacy Act (CCPA)

Following the GDPR, the state of California passed a statute to enhance privacy and data protection for all California residents in 2018, just one month after the GDPR came into effect.

The CCPA addresses many of the same online business data privacy issues as the GDPR, such as the requirement to disclose how data is collected and whether it is sold, and it gives consumers the right to access the data gathered about them and to request its deletion, but the procedures that must be followed differ in some respects.

How does the CCPA affect VAs?

The CCPA became effective on January 1 of 2020. As a VA, working from California or having clients and website visitors who are California residents means you must comply with this act. At a minimum, you have to implement all the required procedures, the most important being:

  • A method for visitors and clients to submit a data access request.
  • A link saying “Do not sell my personal information” that’s clearly visible on the website of your VA business, which directs them to a page where they can opt out of personal information sales.
  • A privacy policy that states all the rights of California residents.

The main difference between the CCPA and the GDPR is the opt-in and opt-out requirements.

The GDPR states that there should be no automatic opt-in to data collection (visitors must opt in through an informed decision), while the CCPA only gives them the option to opt out easily, together with the right not to be asked to opt in again for a full year after opting out.

So while a good opt-out mechanism is enough to comply with the CCPA, an automatic opt-in breaches the GDPR, so it is best to have both mechanisms clearly visible so that clients and visitors can make these decisions on their own.

Being compliant makes your life and business easier

Working as a virtual assistant globally means being compliant with all the regulations that deal with data protection for digital businesses. It might seem like a hassle to get to know all these rules and learn new procedures, but in the long run, it shows that you are serious about your business.

It will keep your business safer in terms of potential breaches and issues, you will have ready-made procedures for any scenario, and you can be sure your clients’ data is as secure as possible thanks to the measures you have implemented.
