Data privacy paperwork between you and your client
- by Amanda Johnson
This is a guest blog from Koffeeklatch on the subject of data privacy.
As a business owner (data controller), you will generally be sending out your contract (or ts and cs) to your clients as part of the pitching and onboarding process. You may publish them online, or send them out when you have contracts that need signing. You are saying ‘this is how I work’, just as, say, Microsoft does when you sign up for their software.
If you have a client who is collecting personal data in their business and letting you view this information, this is not covered by your data privacy policy. Although you are still the data controller for your own business, when you are viewing or using personal data collected by your client, you are acting as a third-party data processor.
In this case the data controller (your client) should give you written instructions (a data processing agreement) on how to deal with the personal data that they are collecting in their business and sharing with you. You both sign this. It is separate from your ts and cs and from your data privacy policy.
Many people think a Data Processing Agreement (DPA) is the same thing as a data privacy policy. Just because they both contain the word data, does not make them the same thing.
A data privacy policy is issued by a data controller to inform the data subjects what is happening to their data.
A data processing agreement is issued by a data controller to a data processor to inform them how to handle information about the data controller’s data subjects.
So it looks a bit like this:

| Data controller issues | For whom? |
|---|---|
| Data privacy policy | Data subject |
| Data processing agreement | Data processor |
If your client is a private client who is not in business and is only sharing information about themselves and their family, a properly written data privacy policy is what you need to give to them. This is not just about what you do on your website, if you have one; it covers every way you collect, store and share personal data.
If your client is a business or organisation who is sharing information with you so that you can do what they are paying you for, then for the personal data collected by them and shared with you (even if it is only names) you need a DPA. While it is always helpful to see a client’s data privacy policy, which will tell you what they are telling the world about how they handle data, a policy is no substitute for a DPA.
Clients don’t know much about DPAs.
Last time we ran a survey, less than 4% of KoffeeKlatch contracted VAs had customers who issued DPAs to them. Many data controllers are still completely unaware of what they should be doing and what they should be issuing.
Generally speaking, a VA who is following the written DPA will not be in trouble if something goes wrong with the data handling, provided the DPA is being complied with.
But if the VA works on personal data (including just viewing it) without a DPA being in place, then there is no fallback of ‘I didn’t set up the system, I was following it’, and if there are data breaches it is going to be much more difficult to show that it is nothing to do with you.
This may seem a long way off, but it is in the nature of things that clients/data controllers who are not aware of data privacy and security are more likely to have data losses and hacks than those who are, since they are failing to take basic precautions to prevent them.
While it is not the VA’s job to produce this paperwork, we supply KoffeeKlatch VA contracts with a form and documents designed to help you and your client have that conversation and plug the paperwork gap.
It is just easier to sort out the administration gap than carry on with both in a muddle!