GDPR for Freelancers: A How-To Guide
In recent years, many consumers have become a lot more concerned about how companies collect and use their personal data. GDPR (General Data Protection Regulation) – the latest piece of EU regulation to try to address these concerns – will impact not just companies but also individual freelancers. So the question is, how exactly will GDPR affect freelancers?
Data is the new Oil
For over a century, the world’s most lucrative resource, and one that underpinned almost every aspect of the global economy, was oil. Now, that resource is data.
In 1911, increasing concern about the business practices and market dominance of Standard Oil eventually led to a US Supreme Court decision that it was in the public interest to have the company broken up. Now, similar concerns surrounding huge tech giants such as Facebook, Google and Amazon have spawned the creation of a radical and far-reaching piece of European regulation – GDPR.
GDPR has received much attention, being branded by the EU itself as the most important change in data privacy regulation for 20 years. This is hardly an exaggeration, especially given its almost global impact – it applies to any business that holds or processes the data of an EU resident.
These days, you can find dozens of articles on what GDPR means for both small businesses in the UK and international companies. But in all the discussion about its implications for companies of all sizes, relatively little attention has been given to how GDPR will affect freelancers.
Key Principles of GDPR
GDPR will result in several key changes to existing European data laws, some of which will have a direct impact on freelancers. In this context, data is defined as any personal information that you have collected about an individual. This can range from fairly basic details such as name, age and address to highly sensitive information like credit card details, health records and biometric data.
- Purpose Limitation and Data Minimisation: Technically two separate principles but with very similar objectives. Any data you collect must have a specific and legitimate business purpose. You must collect no more data than is required for these specific business purposes.
- Right to Access: An individual has the right to be shown all of their data.
- Right to be Forgotten: An individual has the right to have all of their data deleted.
- Data Portability: An individual has the right to have all of their data transferred to a third party.
- Privacy by Design: You must take proper precautions, both in terms of self organisation and technology, to protect all stored data. You will ultimately be held responsible for any data breach or loss.
- Consent: When asking for consent to collect data, you must make the process as simple, clear and easy to understand as possible (no more hiding it under 20 pages of terms and conditions). An individual should also be able to remove consent as easily as they gave it.
Preparing for the GDPR
Don’t think that a single spreadsheet on your computer is the only place where you store data. It’s in your emails, on your cloud storage and on your smartphone. Think about every place where you have stored data and who else has access to it.
After you know where all this data is stored, invest some time in organising it. That way, if a client asks for all their data to be deleted, you can comply quickly and without hassle. This should also be taken as an opportunity to fully reflect on the necessity of all this data and delete anything you no longer need. Before asking a client for personal information, always ask yourself why exactly you need this information. If the answer isn’t clear, most likely you shouldn’t be asking for it. Less unnecessary data also means less time spent organising it.
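One practical way to do this organising is to keep a single register that records which store (spreadsheet, mailbox, cloud folder, phone) holds which field for which client, and to tie every field to a registered business purpose. The script below is an added illustration and is not part of the original guide; the store names, client addresses and purposes are constructed sample values. It shows how such a register lets you answer the three rights listed above (access, portability, erasure) across every store in one go, and how a purpose check enforces data minimisation before anything new is collected.

```python
"""Personal-data register for a freelancer (added example, constructed data).

One place that knows where every piece of client data lives, so access,
export and erasure requests can be answered across all stores at once.
"""
import json

# Hypothetical purpose register: the only fields you may hold, each tied to
# a specific business purpose (purpose limitation / data minimisation).
PURPOSES = {
    "name": "invoicing",
    "address": "invoicing",
    "email": "project correspondence",
    "phone": "project correspondence",
}


def sample_stores():
    """Constructed stand-ins for real stores: store name -> list of records."""
    return {
        "invoices.xlsx": [
            {"client": "alice@example.test", "field": "name", "value": "Alice Example"},
            {"client": "alice@example.test", "field": "address", "value": "1 Main St"},
        ],
        "mailbox": [
            {"client": "alice@example.test", "field": "email", "value": "alice@example.test"},
            {"client": "bob@example.test", "field": "email", "value": "bob@example.test"},
        ],
        "phone": [
            {"client": "bob@example.test", "field": "phone", "value": "+44 7000 000000"},
        ],
    }


def collect(stores, store, client, field_name, value):
    """Record a new piece of data only if the field has a registered purpose."""
    if field_name not in PURPOSES:
        raise ValueError(f"no registered purpose for field '{field_name}'")
    stores.setdefault(store, []).append(
        {"client": client, "field": field_name, "value": value}
    )


def locate(stores, client):
    """Right to access: every (store, field) pair holding this client's data."""
    return sorted(
        (store, rec["field"])
        for store, recs in stores.items()
        for rec in recs
        if rec["client"] == client
    )


def export(stores, client):
    """Data portability: machine-readable copy of everything held, with purposes."""
    payload = [
        {
            "store": store,
            "field": rec["field"],
            "value": rec["value"],
            "purpose": PURPOSES.get(rec["field"]),
        }
        for store, recs in stores.items()
        for rec in recs
        if rec["client"] == client
    ]
    return json.dumps(payload, indent=2, sort_keys=True)


def erase(stores, client):
    """Right to be forgotten: delete across every store; return number removed."""
    removed = 0
    for store in stores:
        before = len(stores[store])
        stores[store] = [rec for rec in stores[store] if rec["client"] != client]
        removed += before - len(stores[store])
    return removed


if __name__ == "__main__":
    stores = sample_stores()
    print("Held for alice:", locate(stores, "alice@example.test"))
    print(export(stores, "alice@example.test"))
    print("Erased records:", erase(stores, "alice@example.test"))
    print("Held for alice after erasure:", locate(stores, "alice@example.test"))
```

The register is deliberately separate from the stores themselves: the spreadsheet, mailbox and phone keep working as before, but every erasure request is handled by one function that walks all of them, so nothing is forgotten in a cloud folder you stopped thinking about.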
Take Security Seriously
When it comes to taking adequate security precautions, exactly what constitutes “adequate” is very much up for debate. However, you should certainly invest in some antivirus software and encrypt all of your devices. The latter will protect data if a device has been lost or stolen. Specific advice on how to encrypt a device will depend on the type of device, e.g. iPhone, Android, Mac or PC. Create strong and unique passwords and use a private VPN when working on public wifi. Remember that you are ultimately liable for any security breach.
Method of Consent
When asking for consent to collect data, be clear and concise. Review your current mailing list, no matter how small it is, and think about how you received the consent to create it.
Ultimately, the radical nature of GDPR means that even the largest and most vigilant organisations are at times struggling to know what compliance looks like. Full enforcement begins on 25th May, and so undoubtedly a greater understanding of the law’s nuances will come with time. However, as long as you can point to a genuine effort to prepare and that you take data privacy seriously, you should be able to avoid severe penalties. Data still remains an incredibly valuable and useful resource, but it will no longer be allowed to flow so freely.