A Virtual Assistant (VA) is the modern business's secret weapon. You hold the keys to the castle: social media passwords, CRM data, personal diaries, and bank details.
The relationship between a VA and a client is often born out of chaos. The client is drowning in admin; you are the lifeline. They throw tasks at you—"Can you just sort my inbox?" "Can you fix my website?"—and you catch them.
But because you are helpful, flexible, and "virtual," clients often treat you like a casual employee or a friend. They forget you are a business. This informality is dangerous. When a GDPR breach happens, or when a client tries to treat you like a 24/7 on-call employee without paying overtime, the lack of a contract leaves you exposed.
Here is why your "can-do" attitude needs a contract to back it up.
1. The GDPR Trap (You Are a Data Processor)
The Scenario: A client hires you to manage their email list. You download their database to your laptop to clean it up. Your laptop gets stolen. Or you accidentally cc everyone instead of bcc'ing them.
The Legal Reality:
The Controller: The Client (it's their data).
The Processor: You (you are handling it).
Under UK GDPR Article 28, there must be a written contract (a Data Processing Agreement or DPA) between the Controller and Processor. If there isn't one, and a breach occurs, both of you can be fined by the ICO (Information Commissioner's Office).
Furthermore, most VAs need to pay the Data Protection Fee to the ICO (usually £40/year). It’s a criminal offence not to pay if required.
The Fix: Your Terms & Conditions must include a Data Processing Clause that limits your liability to your specific role and confirms you have security measures in place (e.g., using LastPass, not writing passwords on post-its).
2. Employee in Disguise? (IR35)
The Scenario: You have one main client. You work 9-5, Monday to Friday. You use their laptop. They tell you exactly how to do the work. They treat you as part of the team.
The Legal Reality: This smacks of "False Self-Employment" (IR35). If HMRC investigates, they might decide you are a "disguised employee."
For the Client: They could owe thousands in unpaid Employer's National Insurance.
For You: You lose the right to claim business expenses against your tax bill.
The Fix: Your contract must prove you are a business.
Right of Substitution: "I reserve the right to send a suitably qualified substitute to perform the tasks." (Employees can't do this; businesses can.)
Control: The contract should focus on outputs (what you deliver), not inputs (how/when you do it).
3. The "Scope Creep" & Rush Fees
The Scenario: It’s 9pm on a Friday. The client texts: "Emergency! Need you to format this report by 8am Saturday." You are efficient, so you do it. Now the client expects this every weekend. When you finally say no, they get angry and refuse to pay your invoice because "you let me down."
The Legal Reality: Without defined "Hours of Business" or "Service Level Agreements" (SLAs), clients assume you are available 24/7.
The Fix:
Hours of Business: "My standard hours are 9am-5pm. Communication outside these hours will be addressed the next working day."
Rush Fees: "Urgent tasks required within 24 hours or over weekends incur a +50% Rush Fee."
This isn't about being difficult; it's about being professional. It stops the midnight texts.
4. The Password Breach
The Scenario: You manage Instagram accounts for 5 clients. You use the same password for all of them. One gets hacked. The hackers DM the client's customers asking for money. The client sues you for Professional Negligence.
The Legal Reality: As a professional service provider, you owe a duty of care. Failing to use basic security hygiene (like 2FA) is negligence.
The Fix:
Security Clause: State that you use industry-standard tools (like 1Password) and will reasonably protect data.
Limitation of Liability: Cap your liability to your insurance limit (e.g., £1,000,000) or a multiple of fees paid. And get Professional Indemnity Insurance—it is essential for VAs.
Why Contract Review is Your Assistant
You are the expert in organization. Apply that to your own legal footing.
AI contract review acts as your shield. It ensures your Data Processing Agreement is compliant with GDPR. It checks your Substitution clause so you stay outside IR35. It allows you to build a scalable business, not just a job with no benefits.
Disclaimer: The information in this article is for general guidance only and is not intended as professional legal, financial, tax, or medical advice.
