Do I Need a Data Processing Agreement for Outsourcing Virtual Assistants?

If your virtual assistant handles personal data, you must have a Data Processing Agreement (DPA) in place before they begin work.

Personal data includes information that identifies a living person, such as:

  • customer names
  • email addresses
  • phone numbers
  • shipping addresses
  • payment details
  • employee records

A Non-Disclosure Agreement (NDA) or a standard services contract does not meet this requirement.

Under UK GDPR and EU GDPR, businesses must sign a DPA whenever a third party processes personal data on their behalf.

There are no small business exemptions. The legal obligation depends on the type of data processed, not the size of the company.

According to the European Commission, over 70 percent of small and medium-sized businesses process personal data through external service providers, including IT contractors, marketing agencies, and virtual assistants. This makes processor agreements one of the most common compliance requirements in modern outsourcing.

This guide explains:

  • when a DPA is required for virtual assistants
  • which tasks trigger data processing obligations
  • what a compliant agreement must include
  • common compliance mistakes businesses make
  • how international outsourcing affects your legal responsibilities


Key Takeaways

  • A DPA is required whenever a virtual assistant processes personal data on your behalf
  • An NDA does not satisfy GDPR requirements
  • Everyday tasks such as inbox management, CRM updates, scheduling, and customer support involve personal data
  • International outsourcing may require additional legal mechanisms beyond the DPA
  • GDPR penalties can reach £17.5 million or 4 percent of global annual turnover

Understanding the Controller and Processor Relationship

Under Article 28 of UK GDPR and EU GDPR, organisations must only work with processors who provide sufficient guarantees that they will protect personal data.

In most virtual assistant arrangements:

You are the data controller

You determine:

  • what personal data is collected
  • why it is collected
  • how it is used

Your virtual assistant is the data processor

They process personal data on your instructions and do not determine the purpose of the processing.

Because of this relationship, the law requires a written processing agreement between the controller and processor.

That agreement is the Data Processing Agreement.

Research from Deloitte’s Global Outsourcing Survey shows that 59 percent of businesses outsource at least one operational function that involves customer data, which means controller-processor relationships are now standard in modern business operations. Where a VA handles that data, they are a data processor and the GDPR compliance requirement applies.


Which Virtual Assistant Tasks Require a DPA?

Many business owners assume their VA does not handle personal data. In reality, most operational tasks involve some form of identifiable information.

Below are common examples.

Email Inbox Management

When a VA manages an inbox, they often see:

  • customer names
  • email addresses
  • enquiries
  • complaints
  • order confirmations

Even reading and sorting emails qualifies as data processing under GDPR.

Example:
A VA replying to customer enquiries in a support inbox is processing personal data because each message contains identifiable contact information.

CRM Management

Customer Relationship Management systems store extensive personal data.

Common CRM platforms include:

  • HubSpot
  • Salesforce
  • Zoho CRM
  • Pipedrive

A virtual assistant updating records in a CRM may access:

  • names
  • company information
  • phone numbers
  • conversation history
  • purchase records

According to HubSpot research, companies using CRM systems store an average of six to ten data fields per contact, which means even simple updates involve structured personal data processing.

Customer Support

Support platforms such as Zendesk or Intercom store identifiable customer information.

Every support interaction typically includes:

  • a customer name
  • an email address
  • a message describing a problem

A single support ticket therefore qualifies as personal data processing.

Appointment Scheduling

Virtual assistants often manage calendars and meeting bookings.

These tasks involve:

  • contact details
  • meeting notes
  • sometimes sensitive context

Example:
Scheduling medical consultations or legal meetings may involve special category data, which requires even stronger protection under GDPR.

Ecommerce Order Processing

If a VA accesses ecommerce systems, they can view:

  • customer names
  • delivery addresses
  • order history
  • payment references

According to Shopify merchant data, the average ecommerce store processes hundreds of customer records each month, meaning outsourcing operational tasks quickly creates a processing relationship.

HR Administration

Virtual assistants helping with recruitment or HR administration may access:

  • job applications
  • CVs
  • employee records
  • payroll inputs

Employment data is considered highly sensitive personal data and requires strong access controls.

What Must a Data Processing Agreement Include?

A DPA does not need to be long, but it must include several specific elements defined in GDPR.

Description of Processing Activities

The agreement should clearly state:

  • what personal data will be processed
  • whose data it is
  • why the data is processed
  • how long it will be retained

Example:
“Customer contact details stored in HubSpot CRM for sales and support purposes.”

Controller Instructions

The processor may only act on documented instructions from the controller.

This ensures the VA cannot process data for any other purpose.

Confidentiality Requirements

Anyone handling personal data must be bound by confidentiality obligations.

Most organisations implement this through both a confidentiality agreement and internal policies.

Security Measures

The agreement should describe the technical and organisational measures used to protect data.

Examples include:

  • two-factor authentication
  • encrypted cloud storage
  • restricted access permissions
  • device security policies

The UK Information Commissioner’s Office emphasises that vague statements such as “appropriate security” are not sufficient. Specific controls should be documented.

Sub-Processor Management

Many tools used in daily work also process data.

Examples include:

  • Google Workspace
  • Slack
  • Notion
  • project management platforms

These tools become sub-processors, and the DPA should specify how they are approved and managed.

Data Subject Rights Support

Individuals have legal rights over their data, including the right to:

  • access their information
  • request corrections
  • request deletion

A processor must assist the controller in responding to these requests.

Under GDPR, organisations typically have 30 days to respond to a data subject request.

Breach Notification

If a processor becomes aware of a data breach, they must notify the controller without undue delay.

The controller then has 72 hours to notify regulators if the breach poses a risk to individuals.

Data Deletion or Return

When the working relationship ends, the processor must either:

  • return personal data to the controller
  • securely delete the data

This requirement prevents personal information from remaining in systems outside your control.


The Hidden Risk: Shadow IT

A signed DPA does not guarantee compliance if the operational environment is poorly managed.

One of the biggest risks in remote teams is shadow IT.

Shadow IT refers to tools or systems used without formal approval.

Examples include:

  • storing client data in a personal cloud account
  • sharing information through personal messaging apps
  • uploading customer data into unapproved AI tools

A Gartner study found that up to 40 percent of IT spending occurs outside formal IT oversight, which shows how common shadow IT has become.

To reduce risk:

  • define an approved tool stack during onboarding
  • prohibit personal accounts for work data
  • provide company-managed access credentials
  • use systems with administrative visibility such as Google Workspace or Microsoft 365

The DPA creates the legal framework, but operational controls enforce compliance.

Freelance VA Versus Agency VA

The structure of your DPA depends on how the VA is hired.

Freelance Virtual Assistant

Your agreement is directly with the individual.

You must evaluate:

  • their security practices
  • their device policies
  • how they manage data access

This model places most compliance responsibility on the business owner.

Agency-Provided Virtual Assistant

The agreement is with the agency.

The agency becomes the data processor and is responsible for ensuring their staff follow the agreed security procedures.

Industry surveys show that over 60 percent of companies prefer agency outsourcing for data-sensitive tasks, because it centralises compliance oversight.

International Outsourcing and Data Transfers

If your VA is located outside the UK or EU, additional safeguards may be required.

Jurisdiction   | Regulation  | Typical Contract
---------------|-------------|--------------------------------------------
United Kingdom | UK GDPR     | DPA + International Data Transfer Agreement
European Union | EU GDPR     | DPA + Standard Contractual Clauses
South Africa   | POPIA       | Operator Agreement
California     | CCPA / CPRA | Service Provider Contract

These mechanisms ensure that personal data transferred across borders receives equivalent legal protection.


What Happens If You Operate Without a DPA?

There are two major risks.

Regulatory Risk

Under UK GDPR, regulators can impose fines of:

  • up to £17.5 million
  • or 4 percent of global annual turnover

Importantly, failure to maintain a controller-processor agreement is itself a violation of Article 28, even if no breach occurs.

Commercial Risk

Many enterprise clients require proof of compliance before signing supplier contracts.

Without a documented DPA, companies may fail:

  • vendor due diligence reviews
  • procurement compliance checks
  • security audits

For this reason, a well-structured DPA increasingly acts as a signal of operational maturity.

Final Thoughts

Virtual assistants can recover 10 to 20 hours of operational workload per week for founders and leadership teams. Studies on remote productivity by Stanford economist Nicholas Bloom show that remote workers often maintain equal or higher productivity when supported by clear systems and documentation.

However, once a VA handles personal data, data protection compliance becomes part of your operational infrastructure.

A properly structured Data Processing Agreement ensures that outsourcing efficiency does not introduce regulatory risk.

Outsource with confidence — speak to the Aristo Sourcing team today.

Frequently Asked Questions

Is a VA a data processor or a data controller?

In almost all cases, a virtual assistant is a data processor; they handle data on your instructions. You remain the data controller. The distinction matters because Article 28 GDPR mandates a written agreement between the two parties.

Does a small business need a DPA?

Yes. There is no size exemption under UK GDPR or the Data Protection Act 2018. Any organisation processing personal data of UK or EU individuals is subject to the regulation.

What is the difference between a DPA and an NDA?

An NDA covers confidentiality; it stops someone from sharing your business information. A data compliance contract covers your specific obligations under data protection law. They serve different purposes, and you may need both.

Does my VA need to be trained in data protection?

Not to a formal qualification level, but they must understand their role as a data processor, what they can and cannot do with personal data, and how to report a potential breach. Professional outsourcing agencies train their staff in these areas as standard.

What is a Data Protection Officer and do I need one?

A DPO is a designated role required for organisations that carry out large-scale or high-risk data processing. Most small businesses outsourcing a single VA will not need to appoint one. If you are unsure, the ICO’s self-assessment guide can help you determine your obligations.

What is Shadow IT and why does it matter for outsourcing?

Shadow IT refers to tools or apps used by a worker that are not authorised by your organisation. If a VA uses their personal cloud storage or messaging apps to handle your client data, that data is outside your controlled environment and potentially outside your VA data security contract. This is a real-world risk that a well-managed outsourcing agency actively prevents.


This article is for informational purposes only and does not constitute legal advice. For guidance specific to your business, consult a qualified data protection solicitor or visit ico.org.uk.
