In 2018, the EU -- along with any country doing business within the EU -- went through a GDPR frenzy. Massive corporations with unorganized, loose personal data were constantly reminded that if they did not comply with GDPR rules, a massive fine would follow, along with hours of laborious work to fix the problem. Many freelancers and small businesses still do not know exactly what GDPR is, or whether all facets of their business comply with the regulation.
Companies, particularly large ones, have informed themselves on GDPR. They have gone through the regulations provided by the EU, they have sought out a Data Protection Officer (DPO) and they have sent countless emails to users notifying them that their data is safely stored and can be removed at any time upon request.
However, research shows that sole traders and Small to Medium Enterprises (SMEs) are lagging behind. They are so small - what data policies could they possibly be breaching? What data does such a company hold that is so important, and how could it fail to be protected?
A recent investigation into 500 U.K. SME owners’ engagement with the digital landscape showed that 39 per cent don’t know who GDPR affects, while one in ten respondents don’t think GDPR gives consumers any new rights. This lack of awareness is concerning as SMEs are putting themselves at serious risk by ignoring the new regulation.
Still, sole traders and freelancers in the gig economy must ensure that they are GDPR compliant like everyone else. Even the smallest rule could be broken and lead to an unforeseen fine and problems that one can do without. Let’s first dive in -- for old time’s sake -- to what being GDPR compliant means.
What is GDPR?
The EU General Data Protection Regulation (GDPR), which came into effect on May 25th, 2018, is designed to standardise data privacy laws across Europe and protect individuals’ data privacy. GDPR is intended to give consumers assurance that their data will be secured. All companies that handle personal data must ensure they have adequate security measures in place to protect the customer data they hold. It doesn’t only apply to the way this data is stored; every aspect of the way customer data is handled is covered.
As an SME or freelancer, the potential fines and figures might seem fairly abstract, but as GDPR becomes bedded in, the likelihood is that it will be increasingly policed. By ensuring a foundational good practice now, you’ll be in a better position should anything happen in the future.
Businesses that don’t comply with the laws could be subject to large fines. Facebook, after spending 18 months preparing for GDPR, was confronted with a $4.5B lawsuit on day 1, and complaints have been filed against Google, Instagram and WhatsApp too.
GDPR and invoices
Freelancers and sole traders take care of the whole business. This includes dealing with invoices, emails and other documents that contain private data. And although their database may be relatively small compared to that of a large corporation, freelancers still run the risk of failing to organise and secure that data.
Invoicing is a basic attribute of all business. Digital or paper-based, all invoicing requires freelancers to keep certain fundamental pieces of personal information about customers, whether they are B2B or B2C. Take a B2B invoice for example -- typically it would only include business-relevant data such as product category, VAT rate, ship-to location or currency, but there are common and important exceptions, such as the name of reference person(s) from the buying and/or selling organisation. B2C invoices, by contrast, will almost always include personal data of the consumer.
Most basic invoices will include at a minimum:
- First name, last name
- Invoice mailing address
- Delivery address
In addition, freelancers and sole proprietors selling goods and services will hold purchasing history, which, again, is considered personal information. It is therefore extremely important that freelancers archive and protect personal data in line with GDPR compliance rules. For both B2B and B2C invoices, a data breach exposing even the name of an individual is enough to break the rules of the GDPR framework -- with the risk of fines and penalties that goes along with it.
Accounting and marketing obligations
In general, there are two main purposes for the storage and processing of personal data - accounting obligations, or sales and marketing activities. According to the ICO, accounting obligations fall under:
Art. 6(1)(c): “processing is necessary for compliance with a legal obligation to which the controller is subject.” Since businesses are obliged to produce tax reporting and keep financial records for a period of time, SMEs are allowed to keep an archive of past customers, their contact details and contact history. No separate justification is necessary, as keeping the data is a legal obligation under European law. However, SMEs do need to ensure that the data is secure and that there are practices in place in case of a data breach.
Sales & marketing activities, in contrast, have no EU or UK legal basis other than the GDPR consent of an individual. The data does not have to be kept for future audits. For B2C, marketing-related communications and data processing typically happen on the basis of an explicit opt-in consent - the users must give permission for you to keep, store and protect their data.
It is vital that you regularly ask permission to hold personal information for marketing activities -- for example, checkboxes confirming that the company has permission to keep individual data, or reminders to current and past clients that you hold their data and of the GDPR policy you have put in place to retain it.
For both B2B and B2C clients, it is important to provide users with the means to opt out, as well as full disclosure of how their data is managed, stored and protected. If you are processing on the basis of a legal obligation, as seen above for accounting, the individual has no right to erasure, right to data portability, or right to object.
For administrative purposes remember to:
- document your decision that processing is necessary for compliance with a legal obligation;
- identify an appropriate source for the obligation in question; and
- include information about your purposes and lawful basis in your privacy notice.
For any kind of email marketing or collection of email addresses for a newsletter, you’ll need to review how you’re gathering, using and storing that data.
- Under GDPR, you must use a tick box for people to give their consent for you to keep their data, and it can’t be pre-ticked. This can be done via email or during the registration process.
Set up double opt-in for your newsletter
- People who subscribe to your list receive a confirmation email in which they need to click a link to verify their email address. This is the best way to show that the people on your mailing list gave their permission to be on it. If you use Mailchimp, this is likely already set up.
Communicate how information is used
- Under the new regulations, you need to make sure it’s clear to users what they are signing up for. Be specific about what communication they’ll receive from you.
Allow individuals to delete themselves from your list
- All of your emails should have a clear unsubscribe button, and you must be able to delete all of a user’s personal information upon request.
Protect against viruses and malware
- Security of data needs to be a top priority; this means ensuring you have adequate protection from malware and viruses.
Use a private VPN when working in public
- Freelancers have the luxury to work anywhere, but if you’re working from public WiFi in your local coffee shop, you’re much more susceptible to data being intercepted. Make sure you use a private, encrypted network.
Backup data securely
- Losing data can happen to anyone. Backing up is good practice for any freelancer, but backups are also crucial if you hope to comply with the data breach reporting and notification requirements of the GDPR. You are required to notify anyone whose data may have been compromised as part of a breach – something which would be pretty difficult without a backup.
Review and accept 3rd party terms of service
- If you use Google Analytics to track traffic to your site, or any other third party that deals with private data, you may have already been notified about their GDPR policies. Make sure you review and accept the terms of service where it is necessary to do so.
Keep data that’s essential for your business
- As discussed earlier, you’re allowed to keep data if you need it for legal or accounting reasons. This means that things like contracts, signed proposals and invoices can be kept for multiple years if necessary, even if your client asks you to delete their data.
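As an added illustration (not code from the original article or from any product it names), the following Python sketch of a hypothetical in-memory consent store shows how the double opt-in, unsubscribe and erasure steps above fit together, while invoices are retained under the legal-obligation basis described earlier. The email address and invoice values are constructed sample data.

```python
import secrets
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat()


class ConsentStore:
    """Hypothetical store that keeps consent-based marketing data apart from
    records held under a legal obligation (Art. 6(1)(c))."""

    def __init__(self):
        self.pending = {}      # confirmation token -> unconfirmed sign-up
        self.subscribers = {}  # email -> confirmed consent record (evidence of opt-in)
        self.invoices = {}     # email -> invoices retained for accounting purposes

    def request_subscription(self, email, purpose, box_ticked):
        # Consent must be an affirmative act: an unticked (or pre-ticked) box is not consent.
        if not box_ticked:
            raise ValueError("consent box must be actively ticked by the user")
        token = secrets.token_urlsafe(16)  # unguessable value sent in the confirmation link
        self.pending[token] = {"email": email, "purpose": purpose, "requested_at": _now()}
        return token

    def confirm(self, token):
        # Second step of double opt-in: only the holder of the mailbox can complete it.
        record = self.pending.pop(token, None)
        if record is None:
            return False
        record["confirmed_at"] = _now()  # timestamped evidence of the opt-in
        self.subscribers[record["email"]] = record
        return True

    def unsubscribe(self, email):
        return self.subscribers.pop(email, None) is not None

    def add_invoice(self, email, invoice_id, amount):
        self.invoices.setdefault(email, []).append(
            {"id": invoice_id, "amount": amount, "issued_at": _now()})

    def erase(self, email):
        # Right to erasure covers marketing data held on the basis of consent,
        # not invoices or contracts the business is legally obliged to keep.
        removed = self.unsubscribe(email)
        self.pending = {t: r for t, r in self.pending.items() if r["email"] != email}
        return {"marketing_deleted": removed,
                "invoices_retained": len(self.invoices.get(email, []))}
```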
GDPR and Freelance Management Systems
Freelance Management Systems (FMS) are cloud-based platforms that manage invoices, contracts and personal data. These platforms are used to onboard freelancers and work with them, and in addition their invoicing is GDPR compliant. Every time a freelancer is added to the company database there is a KYC procedure, very little private or sensitive data is exchanged directly between contractor and freelancer, and all private data is managed, secured and stored in one place.
SMEs and freelancers can reduce their risk of data breach or not being GDPR compliant by moving the administrative tasks and private data needed for legal obligations to a secure third-party platform. What is left for business owners to do is ensure that all marketing activities are in line with GDPR rules.
Invoices and Brexit
Now that we are getting closer to Brexit, SMEs and freelancers may be wondering where GDPR stands in all this. According to the ICO, if the UK leaves the EU without a deal, most of the data protection rules affecting small to medium-sized businesses and organisations will stay the same. In fact, the government aims to incorporate GDPR into UK law after Brexit.
If you are a UK business or organisation that already complies with the GDPR and has no contacts or customers in the EEA (European Economic Area), you do not need to do much more to prepare for data protection compliance after Brexit. If you are a UK business or organisation that receives personal data from contacts in the EEA, you need to take extra steps to ensure that the data can continue to flow after Brexit.
Any company that processes EU data is subject to GDPR compliance. Chief technology officer at Auriga Consulting, Jamal Elmellas, states: “Organisations outside of Europe must first decide if they currently are – or are planning to – conduct business in the region. Once they have answered this question, the next port of call is dissecting their intended business model to understand if they handle citizen data and if so, what that data is.”
This can be a little complicated. Some businesses may not be present in the EU, but may still retain EU data from previous purchases or from cookies that help analyse individuals’ purchasing behaviour. It will be up to those companies and freelancers to go through their database and ensure that any individual from the EU has been notified that their data is being stored and can be removed at any time.