How to share Mailchimp with your VA in a GDPR compliant way

Would you like to know how to share your Mailchimp account with your VA in a GDPR compliant way?  It is not always obvious how to do this.

It can be very tempting to just hand over your Mailchimp login and ask your VA to do everything for you.  But is this the GDPR compliant way to do it?  Just handing over your login can put you instantly in breach of GDPR if that is all you do.

You can always delegate the work but in GDPR terms the responsibility for GDPR compliance remains with you and you have to give access in a proper way.   The days of verbal agreements and login sharing are gone if you want to share your data in a compliant way.

Here are the key steps you need to take:

Contract your VA to GDPR security and confidentiality

You need to have a contract that sets out your confidentiality and security requirements.  Many Virtual Assistants and Digital Assistants have their own terms of business.  Not all of these protect your business and your customer data in the way they should.  Here at KoffeeKlatch we regularly review VA terms of business and up to 30% do not comply with GDPR requirements.  There are still many who have no terms of business at all.  You are the one setting the standards, so it is your job to make sure the right paperwork is in place.

Give your VA GDPR data processing and security instructions


You will need to issue written instructions on how your lists are to be accessed and what can and cannot be done.  These may be quite brief if your Assistant is just setting you up, but if they are going to be accessing the data on a regular basis, you will need to make it plain exactly what they can do with the information they have access to.

If your Assistant is GDPR savvy they will be asking you for this anyway, since it is not lawful for them to access your data without such instructions.

They may not use these words, but if they are content to access your data without any formalities this should tell you that your Assistant is not GDPR savvy and may not know what they are doing in GDPR terms.

If they don’t know what they are doing this can cause problems for you since it is up to you to use your Assistant in a GDPR compliant way.


Own your Mailchimp account

If you don’t yet have a Mailchimp account make sure you set it up in your business name and with your email address.   This makes you the owner in terms of how Mailchimp categorises roles.  Even if you don’t know how to do anything else like create lists or content, it is vital that you are the Owner.  This gives you the right to add and remove other users.  You will find it hard to comply with GDPR if you can’t turn off users who no longer need access.

Here at KoffeeKlatch we often see business owners who are not the Owner of their Mailchimp account as they let someone else set it up.   This means that other person can lock you out of your account!  This is not a good idea for business anyway but certainly prevents you from properly fulfilling your responsibilities as a ‘Data Controller’ – which is what you are when collecting information about individuals such as names and email addresses, for your business.

Turn on two-factor authentication and improve your GDPR compliance

Make sure you have turned on two-factor or multi-factor authentication.   This is easily done in Mailchimp – see here.   You also get a temporary discount for all users if you are paying for Mailchimp.  You will be making your data more secure and saving yourself some money.

While this will make your data more secure, the second factor is tied to your phone.  You might want to think about what will happen if you lose your phone!  It can take days or longer to get back in if you lose your phone.

Multi-user setup

Don’t all share one login.  You will find it impossible to control or track who does what.  Mailchimp lets you set up multi-users.

Before you set up one for your Assistant, create a duplicate account using another email address that also has two-factor login but authenticates to another device!  You can see Mailchimp’s instructions here.  Make sure your own duplicate account has a full set of rights.  Set your duplicate account at Admin level.

Then set up your Assistant with their own login (don’t forget to turn on two-factor authentication for them too).  If they lose their device you can change their set up.

Set up the right roles for GDPR compliance

It can be tempting to set your Assistant up as ‘Admin’ and leave them to it.   However, as a GDPR principle, it is not a good idea to give people maximum rights ‘just in case’.  It is more sensible to set people up with only the rights they need to do the particular work you are paying them to do.  That way they can’t accidentally do something you do not want them to do.     Here is a link to the Mailchimp user roles – click here.  It is safer to choose lower roles.  We recommend you do not set anyone up at higher levels than Manager except on a temporary basis.  You can change the user role without having to create a new user.
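An added example, not Mailchimp's or KoffeeKlatch's own code, that turns the rules in this section and the two before it (you own the account, one login per person with two-factor turned on, nobody above Manager except on a temporary basis, remove users who no longer need access) into a check you can run over an access register. The register format, the numeric role ordering, the 90-day "no longer needs access" threshold and every name and address below are assumptions made for illustration; Mailchimp does not produce such a file, so you would fill the register from your own records of who has a login.

```python
from datetime import date

# Mailchimp role names as the post lists them (Viewer lowest, Owner highest).
# The numeric ordering is an assumption made for this example.
ROLE_RANK = {"Viewer": 0, "Author": 1, "Manager": 2, "Admin": 3, "Owner": 4}
MAX_STANDING_ROLE = "Manager"   # nobody outside the business sits above this for good
STALE_AFTER_DAYS = 90           # assumed threshold for "no longer needs access"

# Constructed values for the sample run below (not a real account).
OWNER_EMAIL = "owner@example-business.test"
BUSINESS_EMAILS = {OWNER_EMAIL, "backup@example-business.test"}  # your own and your duplicate
SAMPLE_TODAY = date(2024, 5, 6)


def audit_access_register(register, owner_email, business_emails, today):
    """Check an access register against the post's rules.

    `register` is a list of dicts with keys: name, email, role, two_factor,
    last_login (date) and elevated_until (date or None, the end of a temporary
    elevation above Manager).  Returns sorted (code, email, detail) tuples.
    """
    findings = []
    owner_email = owner_email.lower()
    business_emails = {e.lower() for e in business_emails}

    # Rule 1: your business account must be the one and only Owner.
    owners = [u["email"].lower() for u in register if u["role"] == "Owner"]
    if owners != [owner_email]:
        findings.append(("OWNER", owner_email, f"expected sole Owner, found {owners}"))

    # Rule 2: one login per person; the same address against two names means sharing.
    seen = {}
    for u in register:
        email = u["email"].lower()
        if email in seen and seen[email] != u["name"]:
            findings.append(("SHARED_LOGIN", email,
                             f"used by both {seen[email]} and {u['name']}"))
        seen.setdefault(email, u["name"])

    for u in register:
        email = u["email"].lower()
        # Rule 3: two-factor authentication on every login, yours included.
        if not u["two_factor"]:
            findings.append(("NO_2FA", email, "two-factor authentication is off"))
        # Rule 4: nobody outside the business above Manager, and then only temporarily.
        if email not in business_emails and ROLE_RANK[u["role"]] > ROLE_RANK[MAX_STANDING_ROLE]:
            until = u.get("elevated_until")
            if until is None:
                findings.append(("EXCESS_ROLE", email,
                                 f"{u['role']} with no end date; drop to {MAX_STANDING_ROLE}"))
            elif until < today:
                findings.append(("EXPIRED_ELEVATION", email,
                                 f"{u['role']} was temporary until {until}; drop to {MAX_STANDING_ROLE}"))
        # Rule 5: turn off users who no longer need access.
        if (today - u["last_login"]).days > STALE_AFTER_DAYS:
            findings.append(("STALE", email,
                             f"last login {u['last_login']}; remove if no longer needed"))
    return sorted(findings)


def sample_register():
    """Constructed example data: one clean business owner with a backup account,
    one correctly set up VA, one former VA left with expired Admin rights and no
    2FA, and an intern sharing the VA's login."""
    return [
        {"name": "Business Owner", "email": OWNER_EMAIL, "role": "Owner",
         "two_factor": True, "last_login": date(2024, 5, 1), "elevated_until": None},
        {"name": "Business Owner (backup)", "email": "backup@example-business.test",
         "role": "Admin", "two_factor": True, "last_login": date(2024, 4, 20),
         "elevated_until": None},
        {"name": "Alex Assistant", "email": "va@example-va.test", "role": "Manager",
         "two_factor": True, "last_login": date(2024, 5, 2), "elevated_until": None},
        {"name": "Former Assistant", "email": "old-va@example.test", "role": "Admin",
         "two_factor": False, "last_login": date(2023, 11, 1),
         "elevated_until": date(2024, 1, 31)},
        {"name": "Intern", "email": "va@example-va.test", "role": "Manager",
         "two_factor": True, "last_login": date(2024, 5, 3), "elevated_until": None},
    ]


def run_sample_audit():
    """Audit the constructed register as of SAMPLE_TODAY."""
    return audit_access_register(sample_register(), OWNER_EMAIL, BUSINESS_EMAILS, SAMPLE_TODAY)


if __name__ == "__main__":
    for code, email, detail in run_sample_audit():
        print(f"{code:18} {email:30} {detail}")
```

Run it and the former assistant shows up three times (expired elevation, no two-factor, stale) while the shared login is reported once against the address the two people are using; the backup account at Admin passes because it is listed as one of your own addresses, which is the point of keeping that duplicate in your name rather than the Assistant's.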

Minimise the data you collect

It can be tempting to create sign up forms requiring all sorts of information about your prospect or customer.   Try to avoid this temptation.   The more information you ask for at an early stage, the less comfortable people will feel.

Imagine you are at a networking event and you meet someone you are about to hand your card to.  Just as you do, they ask you: can I have your date of birth? What is your home address? Can I have your personal phone number?  It starts to feel a bit creepy, doesn’t it?  The same thing applies to signing up to an email list or claiming a special offer (your lead magnets).

Not only that: if the information is not necessary at that stage, collecting it is a breach of GDPR.

Whatever your Assistant says, it is your job to make sure you are not going too far.

Consent and GDPR compliance

The rules on email marketing and consent are being overcomplicated.  As a simple guide, you will need consent if they are not an existing customer.  Customer lists can be created without consent provided there is an opt-out on the material you send and you send only offers relevant to what they purchased.

When you are relying on consent, it must be clear to the person what they are consenting to.    You can’t assume anything and the old days of a handshake are gone.  Clear information at the point of sign up is vital.   People must know what they are getting into.

While consent is just one of six ways to collect data under GDPR, when it comes to email marketing to prospects it is usually necessary.

Remember, if they can’t understand it, they can’t have really consented to it.

Keep it simple.

Whatever your Assistant sets up it is your responsibility to check it is OK.


Who is writing and providing your GDPR Data Privacy Policy?

You or your Assistant will need to link sign up forms to your Data Privacy Policy.   That policy should reflect what you are actually collecting and using (and why) along with other information.   While templates can be a great place to start (we have some on our store) you will need to make sure it accurately reflects what you are doing – not something copied from someone else who is doing things differently!


GDPR is not just about documents

Mailchimp is a great email marketing platform and it gives you the tools you need for GDPR compliance – but if you don’t work with the people you pay in a GDPR compliant way it can all come back to bite you.  GDPR and data privacy is about every step of your business process when it comes to handling data.


If you would like to know more about how we support micropreneurs to understand and make GDPR really work for you check out our GDPR support groups – you can even purchase a spot for your Assistant to help you work through the study course and coaching programme.  Make sure you know what you are doing – without giving yourself a major headache.

For more contracts and GDPR coaching designed to get all this clear and easy for you, check out our Team Hiring Page.
