If I use a VA from Fiverr, and they are not based in the UK, how does it work in terms of letting them have access to my systems/patients’ data from a legal/GDPR perspective? Is there anything else I should be aware of?
When working with a non-UK VA, make sure you follow UK data protection laws, including the GDPR and the UK Data Protection Act 2018. Here's what you should be thinking about:
- Get a written Data Processing Agreement with your VA that covers all of the things prescribed by the GDPR. There is a template for this in the GDPR module of the Small Business Legal Academy.
- Check if the country in which the VA resides has adequate data protection according to the UK government. The countries that currently (as of March 2023) have been granted adequacy are:
  - Countries within the EU
  - Countries within EFTA (Iceland, Norway and Liechtenstein)
  - Andorra
  - Argentina
  - Canada (for commercial organisations)
  - Faroe Islands
  - Gibraltar
  - Guernsey
  - Israel
  - Isle of Man
  - Japan (private sector organisations only)
  - Jersey
  - New Zealand
  - Switzerland
  - Uruguay
  - South Korea
If the country in which your VA resides isn't on the list, you will need to use other safeguards such as the International Data Transfer Agreement (IDTA) – otherwise you will be processing personal data illegally – there is a template for this in the GDPR module of the Small Business Legal Academy.
- Only give your VA the minimum amount of personal data needed to do their job, as per the GDPR's data minimisation principle.
- Make sure there are solid technical and organisational security measures in place to protect the personal data your VA works with. This could involve secure communication, encryption, access controls, and regular security checks.
- Ensure your VA knows they must keep the personal data they work with confidential.
- Inform your VA about GDPR's data subject rights and how to handle requests from individuals about their data.
- If your VA suffers a data breach (e.g. a hack, or loss of files or devices that aren’t properly password protected, etc.), your VA should let you know as soon as possible, and you should have a plan in place to deal with such situations. There is data breach training within the GDPR module of the Small Business Legal Academy.
- Keep records of your data processing activities, including the use of a VA, as required by GDPR. There is a data inventory and record of processing within the GDPR module of the Small Business Legal Academy.
- You might need to update your privacy policy to let data subjects know about your VA and how their data will be processed by your VA.
- Be aware that, as a data controller, you could be held responsible if your VA doesn't comply with the GDPR.
If you're interested to know more and to ask your own questions to top business lawyer Suzanne Dibble and learn from the experience of lots of other small business owners, then click here to join our thriving membership!
© Suzanne Dibble 2013-2022
The information contained above is provided for information purposes only. The contents of this article are not intended to amount to advice and you should not rely on any of the contents of this article. Professional advice should be obtained before taking or refraining from taking any action as a result of the contents of this article. We disclaim all liability and responsibility arising from any reliance placed on any of the contents of this article.