We’ve been working really hard with our VA clients to help make sure they work in a secure and GDPR-compliant way. From contracts to data processing instructions, it’s been a long journey making it all work and integrate with how VAs work today.
One question that comes up over and over again is about password sharing. It seems that many clients just want to share passwords with their VA and some even just email logins and passwords over to the VA.
Password sharing and GDPR
GDPR is a big subject but when you boil it all down it is about security, transparency, accountability and minimising the amount of data that is shared to avoid risk.
If you simply share all your logins and passwords with your VA how will you be able to tell who did what?
Suppose something goes wrong and a lot of data is accidentally deleted or exported. How will you be able to trace who did what?
Assuming you are the master user or administrator, password sharing means giving your VA access to all rights and all areas of data regardless of whether it is needed to do the task you have paid them for.
Reduce access by creating role-based logins for each user
You can do a lot to reduce the GDPR risks in your business by creating separate logins for your VA. This allows you to give them only the rights they need to do the work you have paid them for. This gives you more control – and as the Data Controller for your own business data it is important you retain control and don’t just give it all away to your outsourced team. This means you can also restrict what your VA can do, and often what they can see. You need to do this. This is not because you don’t trust your VA, but because it is your job to minimise who has access to what.
What about platforms that don’t offer multi-user logins?
Many social media platforms, in particular, do not offer multi-user logins. They are set up as ‘personal’ accounts in technology terms. However, that account may link to hundreds, if not thousands, of other subscribers, all of whom will share some data about themselves.
You should consider using third-party posting platforms such as Hootsuite where you can set up teams who have the right to post to certain social media accounts.
What if there is no option but to share logins and passwords?
If the platform does not integrate with a posting app or there is some technical problem, you may as a final resort consider sharing your login and password. Before you do, check that this is not in breach of the platform’s terms of service. If you do go ahead, you still need to share them securely.
LastPass is a great way to securely share (and store) password and login data. You can share access without disclosing your password. You won’t be able to track who did what, but at least you won’t have sent your passwords round in an email for the whole world to intercept! You can get a basic account for free.
Don’t want to spend money on security?
If you feel you don’t want to spend money on posting applications, secure password sharing, or professional software that allows multi-user logins, you may be storing up trouble for yourself. We all sympathise with ‘bootstrapping’ your startup, but if you can now afford a VA you really do need to invest in secure ways of working before you start giving your team access to customer data.
Your customers will never know (hopefully) how much to thank you for doing this. Your VA will love you for taking care of it all properly and you won’t be wondering who did what or where all your data went!