Should you share passwords in a GDPR world?

Are you paying a VA and sharing passwords? Are you emailing your logins and passwords to them?

Password sharing and GDPR

GDPR is a big subject, but when you boil it all down it is about security, transparency, accountability and minimising the amount of data that is shared to avoid risk.

If you simply share all your logins and passwords, how will you be able to tell who did what?

Suppose something goes wrong and a lot of data is accidentally deleted or exported?  How will you be able to trace who did what?

Assuming you are the master user or administrator, password sharing means giving your VA access to all rights and all areas of data regardless of whether it is needed to do the task you have paid them for.

What happens if they change that password and you are locked out?

Reduce access by creating role-based logins for each user

You can do a lot to reduce the GDPR risks in your business by creating separate logins for your VA.  This allows you to give them only the rights they need to do the work you have paid them for.  This gives you more control – and as the Data Controller for your own business data it is important you retain control and don’t just give it all away to your outsourced team.  This means you can also restrict what your VA can do, and often what they can see.  You need to do this.  This is not because you don’t trust your VA, but because it is your job to minimise who has access to what.

What about platforms that don’t offer multi-user logins?

Many social media platforms, in particular, do not offer multi-user logins. They are set up as ‘personal’ accounts in technology terms. However, that account may link to hundreds, if not thousands, of other subscribers, all of whom will share some data about themselves.

You should consider using third-party posting platforms such as Hootsuite where you can set up teams who have the right to post to certain social media accounts.

What if there is no option but to share logins and passwords?

If the platform does not integrate with a posting app or there is some technical problem, you may as a final resort consider sharing your login and password. Before you do, check that this is not in breach of the platform’s terms of service. If you are going to do that, you still need to do so securely.

LastPass is a great way to securely share (and store) password and login data.  You can share access without disclosing your password.  You won’t be able to track who did what, but at least you won’t have sent your passwords round in an email for the whole world to intercept!  You can get a basic account for free.

Don’t want to spend money on security?

We all sympathise with ‘bootstrapping’ your startup, but if you can now afford a VA you really do need to invest in secure ways of working before you start giving your team access to customer data.

You need secure methods of working, a proper contract that covers security and GDPR (and a lot else besides) and a data privacy policy that reflects the way you work today.

Your customers will never know (hopefully) how much to thank you for doing this.  Your VA will love you for taking care of it all properly and you won’t be wondering who did what or where all your data went!
