Client Guide:
General Data Protection Regulation (GDPR)

A guide to GDPR for clients who use Virtual Assistants

What is GDPR?

Introduction

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the 1995 EU Data Protection Directive. It is a new pan-European regulation. GDPR expands the privacy rights granted to individuals and places greater obligations on the organisations that handle those individuals' personal data (data controllers and data processors).

The purpose of the GDPR is to provide a single, standardised set of data protection laws across EU member states that gives citizens greater control over their personal data: for example, by giving you greater transparency into how your data is being used and by ensuring that the organisations you entrust with your data take proper care of it.

Time etc is working hard to be fully compliant by the end of May 2018. This involves considerable work on our systems and processes in addition to updating our client and freelancer facing contracts and privacy policies.
We've put together this brief guide to highlight some of the most important aspects of GDPR as regards your relationship with us. We've spent a lot of time thinking about and reacting to GDPR, but how GDPR applies is highly specific to your own circumstances, and regulators are still issuing guidance on how it is to be implemented. This guide is therefore provided for informational purposes only, as a general guide to some of the issues GDPR may present for your business. It should not be relied upon as legal advice, or to definitively determine how GDPR applies to you and your organisation. We'd encourage you to understand your own GDPR responsibilities and requirements, which might include talking to a legal or privacy professional about how GDPR affects your business and what to do about it.

Will Time etc be GDPR compliant?

Time etc's compliance by May 25th

We have updated our Privacy Policy and Terms and Conditions to be fully compliant with the requirements of GDPR. In addition we have introduced a Cookies Policy and Data Processing Terms. We have also conducted a full audit of the information we hold and have made a number of changes to our business, processes and systems to accommodate GDPR. Many of these changes, security measures and GDPR requirements are listed in this document and in our privacy policy.

Our relationship

As a data subject

As a client, you are a data subject and Time etc is a controller responsible for the processing of personal data about you. We collect, store and use your personal data principally in order to meet our contractual obligations, contact you, provide a Virtual Assistant service to you, provide access to your account and provide help and support. We may share your data with third parties, some of which may be outside of the EEA, but only for the purposes of servicing your account. You have certain rights around this data. More detail on our use of personal data about you is provided in this document and in our privacy policy.

As a controller

Where personal data is contained in any materials you provide to us or to your freelance Virtual Assistant then, depending on the nature of your business and the tasks that your freelance Virtual Assistant carries out for you, you are highly likely to be a data controller within the scope of the GDPR. If you use our tools to store and process that data, then we will be your 'data processor', and as such will be responsible for processing it in accordance with your instructions and with GDPR. Where you send materials directly to your freelance Virtual Assistant, and we do not view or receive them, your freelance Virtual Assistant will be your 'data processor' and as such directly responsible to you for the processing of the data. In either case GDPR requires the controller-processor relationship to be governed by a written contract containing the processor obligations set out in the regulation; our Data Processing Terms and the 'processor' clauses in our freelance Virtual Assistant service agreement exist for this purpose.

Being a data controller means that you have serious obligations under GDPR. For example, you must tell the data subjects whose personal data you collect that you pass that data to third parties (such as your freelance Virtual Assistant, and Time etc where we process it on your behalf) for processing. These obligations are detailed elsewhere in this document.

What we'll do

We need to work together to drive our compliance with GDPR. These are the things we'll take care of.

Broadly, we will:

  • Take steps to be a GDPR compliant business
  • Ensure our platform facilitates GDPR compliance
  • Ensure our platform has the right level of security
  • Keep the requirements of GDPR front of mind in our collection, processing and storing of your data
  • Implement GDPR compliant privacy policies, notices and terms and conditions (including GDPR 'processor' clauses where we are your data processor)
  • Publish GDPR material and guidance to all freelance Virtual Assistants
  • Publish GDPR material and guidance to our clients
  • Require that our freelance Virtual Assistants are GDPR compliant
  • Implement GDPR 'processor' clauses in our freelance Virtual Assistant service agreement
  • Offer GDPR audits to our freelance Virtual Assistants at least annually
  • Train our internal team on GDPR compliance

More information about how we comply with GDPR and take care of your data is available in the section "How we look after your data" below.

What you must do

As a data controller you have a range of obligations under GDPR. You must take full responsibility for ensuring that your business acts in a GDPR compliant way.

Your general obligations as a business

Any business that processes the personal data of individuals in the UK or the EU must comply with GDPR. We can't advise you on this. For official guidance on how to ensure that your business is GDPR compliant please talk to your lawyer; for a summary of the requirements, see the ICO's guide for small businesses.

Informing your data subjects and gaining consent

One of your most important responsibilities under GDPR is that you must inform your data subjects if you intend to share their personal data with your Virtual Assistant and, if applicable, Time etc Limited. Where you rely on consent as your lawful basis for that sharing, you must obtain it from your data subjects; note that consent is only one of the lawful bases GDPR recognises and, where used, it must be freely given, specific, informed and unambiguous.

Your other obligations:

  • You are accountable for your own GDPR compliance
  • You must ensure that the relationship between you and your freelance Virtual Assistant meets GDPR requirements
  • You must satisfy yourself that your freelance Virtual Assistant is GDPR compliant
  • You must ensure that any data you share with your freelance Virtual Assistant is shared in a GDPR compliant way
  • You must ensure that the tools or services you use to share data with your freelance Virtual Assistant are GDPR compliant
  • You must ensure that your own agreements, contracts and policies are GDPR compliant
  • You must ensure that your own systems are GDPR compliant
  • You must not ask your freelance Virtual Assistant to act in contravention of GDPR
  • You must not send special category ("sensitive") personal data (for example data about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation) to your freelance Virtual Assistant
  • You must only share data with your freelance Virtual Assistant where it is strictly necessary for the task
  • You must provide your freelance Virtual Assistant with clear instructions on when to delete data
  • You must assist your freelance Virtual Assistant in ensuring that data records are kept up to date
  • You must process, store and manage personal data about your freelance Virtual Assistant (who is also a data subject) in line with GDPR requirements

How we look after your data

We take our obligations under GDPR very seriously and have made extensive improvements to our platform and legal documentation to comply with the requirements of GDPR.

Data security

Active security measures:
  • Firewalls at network and server level
  • Attack detection with automated blocking
  • Encryption of data at rest
  • Encryption of data in transit
  • Data minimisation - all pages modified to display the least amount of data necessary
  • Checksums to verify the integrity of data records
  • Intrusion detection monitoring
  • Regular software updates
  • Staff must enter a PIN code to access data
  • Access to data restricted to the personnel who require it
  • Access to data password protected
  • Physical security including alarm systems, physical barriers and access control
  • Third party vulnerability scans
  • Database access restricted to management personnel only
  • Database access restricted to corporate IP addresses only

Backups and recovery:
  • Data is replicated to multiple replica servers on a live/live basis
  • Data is backed up on alternate days at 5am UK time
  • Backups are transferred over secure encrypted tunnels
  • Data is also backed up to the Amazon S3 cloud storage service

Privacy by default and design

Our development team have made extensive changes to our platform and infrastructure to minimise the processing and storage of personal data where possible. In addition our development team have adopted a new GDPR compliant development policy that puts the need for privacy at the heart of all new systems and projects.

The data we collect

We collect a range of data from you, as specified in our Privacy Policy.

Where we send data we collect about you

Our secure servers are all located within the EEA. On some occasions, however, we may share your data with companies based outside of the EEA. All of the suppliers we use who are located outside of the EEA either comply with the EU-US Privacy Shield scheme or have modified their contracts to be GDPR compliant. For more information on who we share data with, please see our Privacy Policy and the section "Who we share your data with" below.

Data retention

Time etc does not store data about you for longer than is strictly required for practical, commercial and legal (including law enforcement) reasons. Time etc has introduced a number of data retention policies and associated automated systems to support our compliance with GDPR. In short, these systems help to ensure that data is not kept for longer than is strictly required to provide services to you. For more information please see our Privacy Policy.

Team training

We have rolled out a package of ongoing training for our team on the safe handling of data and on respecting your rights under the GDPR. In addition we have introduced a number of further security measures, such as advanced identity verification when you call us.

Respecting your rights

You have the right to ask us to delete, modify or provide a copy of your data, and a number of other rights in respect of the personal data we process about you. For more details see our Privacy Policy. To exercise your rights please email gdpr@timeetc.com; we will respond within 48 hours to confirm the next steps.

Legal documentation

We have released a fully GDPR compliant Privacy Policy, Terms and Conditions, Cookies Policy and Data Processing Terms.

Demonstrating and documenting our compliance

Time etc has conducted a full information audit including data mapping and a Privacy Impact Assessment (known under GDPR as a Data Protection Impact Assessment). We conduct due diligence on the third parties that we share data with, ensuring they are GDPR compliant, and keep a record of our assessments. We keep up to date records detailing the data that we process as both a controller and a processor. We also conduct regular reviews of our data controller and data processing arrangements.

Who we share your data with

We routinely share your personal information, as a data controller, with a range of third party service providers who help us provide, analyse and promote the Time etc services and engage with freelancers. Some of those third party recipients may be based outside the European Economic Area.

We will share relevant information about you from your Time etc client account (including your name, email address, profile, biography) and the nature of your brief with a freelancer we think is suitable for your brief.

We will share personal information with law enforcement or other authorities if required by applicable law.

Sharing Your Data Outside EEA

  • Google, USA - for the purpose of analytics and documents. Basis: EU-US Privacy Shield certification.
  • Amazon Web Services, USA - for the purpose of hosting and file storage. Basis: EU-US Privacy Shield certification.
  • Freshdesk, USA - for the purpose of providing you with a help desk facility to contact us. Basis: EU-US Privacy Shield certification.
  • Microsoft, USA - for the purpose of email. Basis: EU-US Privacy Shield certification.
  • Dropbox, USA - for the purpose of storage of information. Basis: EU-US Privacy Shield certification.
  • Inspectlet, USA - for the purpose of user experience monitoring. Basis: EU standard contractual clauses (model clauses) in contract.
  • Stripe, USA - for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
  • Paypal, USA - for the purpose of payment processing. Basis: EU-US Privacy Shield certification.
  • Slack, USA - for the purpose of internal team communication. Basis: EU-US Privacy Shield certification.
  • Sentry, USA - for the purpose of bug tracking. Basis: EU-US Privacy Shield certification.

Sharing your data inside EEA

  • GoCardless, UK - for the purposes of billing certain UK customers only.
  • Albert Goodman Chartered Accountants, UK - for the purpose of producing financial accounts, a legal requirement.
  • Netbanx / Paysafe, UK - for the purpose of processing some payments on behalf of UK customers.

Your rights

As a data subject, you have several rights under GDPR including the right of access, rectification, erasure and data portability. For more information on your rights please see the ICO's guide to individual rights. To exercise any of your rights, please email gdpr@timeetc.com.

Further reading

Some articles and resources we think you might find helpful:

Contacts and help

Who can I contact for further help and advice on GDPR and related matters?

You can email queries and questions to gdpr@timeetc.com and we'll respond to you within 48 hours during the business week. Please note that we cannot provide general GDPR advice.

Who can I contact to report a breach?

If you suspect a data or security breach please email gdpr@timeetc.com with the subject line "Data breach" and we will respond as a priority. Please report promptly: GDPR requires a processor to notify the controller without undue delay after becoming aware of a personal data breach, and a controller to notify the supervisory authority (the ICO in the UK) within 72 hours where the breach is likely to result in a risk to individuals.

Who can I contact to request updating, deleting or access to my data?

Please email gdpr@timeetc.com clearly stating the nature of your request. We will carry out security verification with you before completing your request, and may need to speak to you by telephone to do so.