

One of the most common tasks outsourced to virtual assistants (VAs) is email marketing. Yet many VAs, especially those in offshore locations, do not fully understand the intricacies and responsibilities associated with delivering this service in a GDPR compliant way.

From my experience working for an international corporation, I knew my clients could not simply hand over their Mailchimp log-in details to me. This in itself could be an instant GDPR breach. I knew that while a client could delegate the work to me, they still had the responsibility to ensure any personal data they had collected was handled in an appropriate way.

In order to ensure I was advising my clients how to set up email marketing correctly, I contacted an expert in the field, Annabel Kaye from KoffeeKlatch.

Annabel has been helping small business owners with HR support since the early 1980s. With the advent of GDPR legislation, she became an expert in this field as well, particularly with regards to how it relates to VAs, web designers, bookkeepers and trainers.

Annabel explained to me that there is a big gap between the law, people’s expectations and what can actually work. The onus is on the outsourcing company, as the data collector, to make sure their VA is working in a compliant way, and that involves more than simply checking an ICO certificate.

She shared the following advice for small business owners looking to outsource their Mailchimp email marketing:

Contract Your VA To GDPR Security And Confidentiality

You need to have a contract that sets out your confidentiality and security requirements. Many Virtual Assistants and Digital Assistants have their own terms of business. Not all of these are protecting your business and your customer data in the way they should. You are the one setting the standards, so it is your job to make sure the right paperwork is in place.

Give Your VA GDPR Data Processing And Security Instructions

You will need to issue written instructions on how your lists are to be accessed and what can and cannot be done. These may be quite brief if your Assistant is just setting you up, but if they are going to be accessing the data on a regular basis, you will need to make it plain exactly what they can do with the information they have access to.

If your Assistant is GDPR savvy they will be asking you for this anyway, since it is not lawful for them to access your data without them.

They may not use these words, but if they are content to access your data without any formalities this should tell you that your Assistant is not GDPR savvy and may not know what they are doing in GDPR terms.

If they don’t know what they are doing this can cause problems for you since it is up to you to use your Assistant in a GDPR compliant way.

Own Your Mailchimp Account

If you don’t yet have a Mailchimp account make sure you set it up in your business name and with your email address. This makes you the owner in terms of how Mailchimp categorises roles. Even if you don’t know how to do anything else like create lists or content, it is vital that you are the Owner. This gives you the right to add and remove other users. You will find it hard to comply with GDPR if you can’t turn off users who no longer need access.

At KoffeeKlatch we often see business owners who are not the Owner of their Mailchimp account as they let someone else set it up. This means that other person can lock you out of your account! This is not a good idea for business anyway but certainly prevents you from properly fulfilling your responsibilities as a ‘Data Controller’ – which is what you are when collecting information about individuals such as names and email addresses, for your business.

Turn On Two-factor Authentication And Improve Your GDPR Compliance

Make sure you have turned on two-factor or multi-factor authentication. This is easily done in Mailchimp – see here. You also get a temporary discount for all users if you are paying for Mailchimp. You will be making your data more secure and saving yourself some money.

While this will make your data more secure, the second factor is tied to your phone. You might want to think about what will happen if you lose your phone! It can take days or longer to get back in if you lose your phone.

Multi-user Set Up

Don’t all share one login. You will find it impossible to control or track who does what. Mailchimp lets you set up multiple users.

Before you set up one for your Assistant, create a duplicate account using another email address that also has two-factor login but authenticates to another device! You can see Mailchimp’s instructions here. Make sure your own duplicate account has a full set of rights. Set your duplicate account at Admin level.

Then set up your Assistant with their own login (don’t forget to turn on two-factor authentication for them too). If they lose their device, you can change their setup.

Set Up The Right Roles For GDPR Compliance

It can be tempting to set your Assistant up as ‘Admin’ and leave them to it. However, as a GDPR principle, it is not a good idea to give people maximum rights ‘just in case’. It is more sensible to set people up with only the rights they need to do the particular work you are paying them to do. That way they can’t accidentally do something you do not want them to do. Here is a link to the Mailchimp user roles – click here. It is safer to choose lower roles. KoffeeKlatch recommends you do not set anyone up at higher levels than Manager except on a temporary basis. You can change the user role without having to create a new user.
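The multi-user and role advice above boils down to a handful of checks that can be run over an account's user list: one Owner in the business's name, a second Admin-level login of the owner's that authenticates on a different device, two-factor authentication on every login, no shared logins, and nobody else above Manager unless the elevation is time-boxed. The script below is an added example, not code from the post, from KoffeeKlatch or from Mailchimp: it encodes those checks over constructed sample records. The role names (Viewer, Author, Manager, Admin, Owner) are Mailchimp's; the record fields (`device_id`, `belongs_to_owner`, `temporary_until`, `shared_login`) are hypothetical bookkeeping the business would keep itself, not fields Mailchimp exports.

```python
"""Audit an account's user list against least-privilege and lock-out-fallback rules.

Added example: the user records are constructed sample data, not a Mailchimp export.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Mailchimp's account roles, ranked from least to most privileged.
ROLE_RANK = {"Viewer": 0, "Author": 1, "Manager": 2, "Admin": 3, "Owner": 4}


@dataclass
class AccountUser:
    email: str
    role: str
    two_factor: bool                         # is 2FA turned on for this login?
    device_id: Optional[str] = None          # hypothetical: which device the second factor lives on
    belongs_to_owner: bool = False           # hypothetical: the owner's own duplicate login
    temporary_until: Optional[date] = None   # hypothetical: expiry of a deliberately time-boxed elevation
    shared_login: bool = False               # hypothetical: more than one person knows the password


def audit_users(users: List[AccountUser], business_domain: str, today: date) -> List[str]:
    """Return human-readable findings; an empty list means every rule passed."""
    findings = []

    # Rule: exactly one Owner, registered under the business's own domain.
    owners = [u for u in users if u.role == "Owner"]
    if len(owners) != 1:
        findings.append(f"expected exactly one Owner, found {len(owners)}")
    for owner in owners:
        if not owner.email.lower().endswith("@" + business_domain.lower()):
            findings.append(f"Owner {owner.email} is not a {business_domain} address")

    # Rule: a lock-out fallback exists - the owner's duplicate Admin login with
    # 2FA on a device other than the one the Owner login uses.
    owner_devices = {o.device_id for o in owners}
    fallbacks = [
        u for u in users
        if u.belongs_to_owner and u.role == "Admin" and u.two_factor
        and u.device_id not in owner_devices
    ]
    if not fallbacks:
        findings.append("no Admin fallback login with 2FA on a second device")

    for u in users:
        # Rule: every login has its own second factor and is not shared.
        if not u.two_factor:
            findings.append(f"{u.email}: two-factor authentication is off")
        if u.shared_login:
            findings.append(f"{u.email}: login is shared by more than one person")
        # Rule: nobody but the owner's own logins sits above Manager, unless time-boxed.
        elevated = ROLE_RANK[u.role] > ROLE_RANK["Manager"]
        if elevated and not u.belongs_to_owner and u.role != "Owner":
            if u.temporary_until is None:
                findings.append(f"{u.email}: {u.role} rights are not time-boxed")
            elif u.temporary_until < today:
                findings.append(f"{u.email}: temporary {u.role} rights expired on {u.temporary_until}")
    return findings


# Constructed sample account: an owner, the owner's backup login, a VA at
# Manager level, a contractor whose temporary Admin access has lapsed, and a
# shared office login.
SAMPLE_USERS = [
    AccountUser("owner@example-business.com", "Owner", True, device_id="phone-1", belongs_to_owner=True),
    AccountUser("owner-backup@example-business.com", "Admin", True, device_id="tablet-1", belongs_to_owner=True),
    AccountUser("va@example-va.com", "Manager", True, device_id="phone-2"),
    AccountUser("contractor@example-agency.com", "Admin", False, temporary_until=date(2024, 1, 31)),
    AccountUser("shared-office@example-business.com", "Author", True, device_id="phone-3", shared_login=True),
]
AUDIT_DATE = date(2024, 3, 1)


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample account."""
    return audit_users(SAMPLE_USERS, "example-business.com", AUDIT_DATE)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

On the sample data the audit reports three findings: the contractor's missing second factor, the contractor's expired Admin elevation, and the shared office login; the first three records on their own pass cleanly. Keeping the ownership, fallback and time-box facts in a record the business maintains itself is what makes the "turn off users who no longer need access" step checkable rather than a matter of memory.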

Minimise The Data You Collect

It can be tempting to create sign up forms requiring all sorts of information about your prospect or customer. Try to avoid this temptation. The more information you ask for at an early stage, the less comfortable people will feel.

Imagine you are at a networking event and you meet someone you are about to hand your card to. Just as you do, they ask you: can I have your date of birth, what is your home address, can I have your personal phone number? It starts to feel a bit creepy, doesn’t it? The same thing applies to signing up to an email list or claiming a special offer (your lead magnets).

Not only that, if you don’t need the data at that stage, you are breaching GDPR if the information is not necessary. Whatever your Assistant says, it is your job to make sure you are not going too far.

Consent And GDPR Compliance

The rules on email marketing and consent are being overcomplicated. As a simple guide, you will need consent if they are not an existing customer (customer lists can be created without consent, provided there is an opt-out on the material you send and you send only offers relevant to what they purchased).

When you are relying on consent, it must be clear to the person what they are consenting to. You can’t assume anything and the old days of a handshake are gone. Clear information at the point of sign up is vital. People must know what they are getting into.

While consent is just one of six ways to collect data under GDPR, when it comes to email marketing to prospects it is usually necessary.

Remember, if they can’t understand it, they can’t have really consented to it.

Keep it simple. Whatever your Assistant sets up it is your responsibility to check it is OK.

Who Is Writing And Providing Your GDPR Data Privacy Policy?

You or your Assistant will need to link sign up forms to your Data Privacy Policy. That policy should reflect what you are actually collecting and using (and why) along with other information. While templates can be a great place to start, you will need to make sure it accurately reflects what you are doing – not something copied from someone else who is doing things differently!

GDPR Is Not Just About Documents

Mailchimp is a great email marketing platform and it gives you the tools you need for GDPR compliance – but if you don’t work with the people you pay in a GDPR compliant way it can all come back to bite you. GDPR and data privacy is about every step of your business process when it comes to handling data.