We have been working on this since 2017 with our VAGDPR groups. Would love to collaborate.
In essence, it is not just about kit or set-up (though having your kit set up right, including wifi, is a great start); it is also about understanding how data moves through your business and where the risk points are, and making decisions about how to minimise that risk.
The biggest problem when working with clients is still that clients ignore data privacy/security and not only work in insecure ways but want the VA to ignore it all too as ‘it is too much trouble’.
The biggest problem of real security is the number of platforms (social media in particular, but CPP Panels for websites too) that do not offer multi-user options, thus forcing VA and client to share a login. Even though shared through something like LastPass (or equivalent), this offers no traceability of who did what if something goes wrong. This means no multi-factor authentication most of the time, since this is impossible unless client and VA prebook a time for the VA to have access. This reduces security enormously and increases risk. If a third party gains access, no one can trace where the problem came from!
This further increases risk, as the client, having done this, just wants to share log-ons on everything, even where additional users are available.
Good practice for VA data handling is always going to have to be a mixture of secure and pragmatic.
I encourage VAs to have business subscriptions (not home or student ones) that usually allow more security and hosting options for their own software/platforms, to encrypt all devices routinely and to enter into a proper data processing agreement with each client that really addresses what needs to be done at both ends.
I encourage using MFA whenever it is available, and password lockers as a matter of routine. And to properly set up wifi so that guests (or children) do not have access to other devices on the system, since a big source of viruses etc. is the home wifi when accessed by others.
Malware and anti-virus, of course.