How to comply with GDPR when you’re a freelancer

If you’re a freelancer working in the UK you can’t afford to ignore GDPR. If you’re not clear about your legal obligations, here’s what you need to do to comply. 

If you’re a small business in the UK you can’t have missed all the talk about GDPR this year. But what if you’re a solo freelancer with a handful of clients? Does it still apply to you?

It doesn’t matter whether you have one client or one million clients – under GDPR you’re legally bound to take certain steps to protect your customers’ data.

So if you’re not already aware of the new regulations or haven’t taken the steps to be compliant, here’s a quick look at what GDPR means for UK freelancers, and some steps you can take to comply. You should also check whether your business needs to appoint a data protection officer (DPO).

Will Brexit impact GDPR?

The first point we need to address is Brexit. If you are wondering whether Brexit will have any impact on GDPR, the answer is no for the most part. That’s because the UK has already adopted most of the provisions in GDPR in its own Data Protection Act, and any business outside the EU that has EU customers must comply with the GDPR guidelines anyway.

So any British companies that want to continue doing business in the EU need to comply with GDPR. The same is true for British freelancers with clients in the EU.

What does GDPR cover for freelancers?

GDPR applies to all types of personal data held by a business – whether you’re a large corporation or a freelancer. This includes but isn’t limited to:

  • Customers’ names.
  • Dates of birth.
  • Addresses.
  • Phone numbers.
  • Email addresses.
  • Financial account information.
  • IP addresses.

It also covers ‘special personal data’ like biometric data and genetic data.

Some freelancers mistakenly assume they don’t need to comply with GDPR because of certain exemptions for companies with fewer than 250 employees.

However, anyone who handles sensitive data regarding anyone living in the EU must take the necessary precautions to protect that data. For example, if you store client information with their financial account information so that you can invoice them, you have to meet GDPR standards – even if you’re self-employed.

How to comply with GDPR as a freelancer

So how can you ensure you’re GDPR compliant if you’re a freelancer? The first step is determining what data you have, how it is stored and how and where it is processed.

You will need to list all software and paper-based systems used to collect and hold data, and what personal data each one holds. You also need to determine who has access to the data and to the systems that store it, and know where those systems are located.

If you’re using third-party software you need to check whether or not the software provider complies with GDPR. You also need to verify that the software doesn’t store personal data from EU customers or citizens in a country that lacks equally rigorous data protection regulations.

Putting measures in place to protect that sensitive information from unauthorised access also makes it possible to deal with data breaches quickly. Antivirus protection and defences against malware should be seen as a minimum.

It’s a good idea to have policies in place to keep those defences up to date, and taking the time to run software updates so that known vulnerabilities are patched is a necessity. And if you’re working in a public place like the local coffee shop, it’s better to rely on a private VPN, as public Wi-Fi is not secure.

How are you protecting your data and passwords?

Encryption is an excellent way to protect data, especially if you have information stored on local devices like laptops that could be lost or stolen. Encryption may be necessary for smartphones if they store sensitive information too.

However, none of this matters if you don’t keep your passwords secure. You can use secure password managers to store those you may have trouble remembering, which will also allow you to share them with specific individuals.

This doesn’t eliminate the need to change passwords and re-share them securely when a password has been compromised or stored insecurely. Password managers are also a particularly good way to generate strong, unique passwords that you would struggle to remember yourself, and to keep them saved in a safe location.

All these safety measures need to apply to your data backups too. So make sure that your backups are not stored in an insecure location, and that you comply with both the data breach notification and reporting requirements outlined in GDPR in case of a breach.

If you want to make absolutely certain that you’re fully aware of all your legal responsibilities and are compliant, it’s a good idea to work with national commercial law firms (like HJ Solicitors).

Have you checked your mailing list is GDPR compliant?

GDPR applies to mailing lists as well. So if you haven’t done so already, it would be wise to send an email to people to re-opt into being on your mailing list, especially if the original sign-ups weren’t done via a double opt-in.

A double opt-in is when someone signs up via an online form and then confirms it another way, like clicking a link in an email sent to them. GDPR doesn’t specifically mandate this, but it is an excellent method for ensuring that the people on your mailing list actually gave their consent.

Your sign-up form will also need to be changed if it already has pre-selected tick boxes for opting in. Under GDPR, pre-ticked boxes like “I agree to receive marketing emails from this company” are not permitted. You also can’t have a tick box that says, “tick if you DON’T want to receive marketing emails.” People must take positive action to opt in and can never be tricked into automatically signing up.

Another requirement is clearly communicating what someone is signing up for. It isn’t enough to promise them a generic newsletter. Be clear what they’re signing up for. What is in the newsletter? What information will they get? Will they get marketing emails, too?

All emails to your mailing list must have a clear unsubscribe link (and you need to make sure that your mailing software actually unsubscribes them). If you’re using third-party email software to maintain mailing lists, it is a good idea to check out their specific advice on GDPR compliance.
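The three mailing-list requirements above (an explicit positive opt-in, a double opt-in confirmation link, and an unsubscribe that actually takes effect) can be implemented as one small consent flow. The code below is an added example, not code from the original article or from any particular mailing-list product. It assumes in-memory dictionaries in place of a database, a constructed signing secret, and HMAC-signed confirmation tokens so that a confirmation link cannot be forged or reused; the consent record stores what the subscriber was told they would receive, which is the evidence you need to show consent was informed.

```python
"""Double opt-in consent flow (added example; in-memory stores stand in for a database)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed secret for the example only; in practice load it from configuration.
SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after two days

@dataclass
class Subscriber:
    email: str
    purposes: List[str]              # exactly what they were told they would receive
    consented_at: Optional[float]    # timestamp of the confirmation click
    confirmed: bool
    unsubscribed_at: Optional[float] = None

# token -> (email, purposes, issued_at); one entry per outstanding confirmation link
pending: Dict[str, Tuple[str, List[str], float]] = {}
subscribers: Dict[str, Subscriber] = {}

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def start_signup(email: str, purposes: List[str], opt_in_ticked: bool,
                 now: Optional[float] = None) -> str:
    """Step 1: the sign-up form. The box is never pre-ticked, so an unticked box
    means no sign-up at all, and the form must state what the list contains."""
    if not opt_in_ticked:
        raise ValueError("no explicit opt-in; not adding to the list")
    if not purposes:
        raise ValueError("must state what the subscriber will receive")
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = f"{email}|{int(now)}|{nonce}"
    token = f"{payload}|{_sign(payload)}"
    pending[token] = (email, list(purposes), now)
    return token  # would be embedded in the confirmation email link

def confirm(token: str, now: Optional[float] = None) -> Optional[Subscriber]:
    """Step 2: the confirmation click. Check the signature and expiry, then
    record consent. The token is single-use."""
    now = time.time() if now is None else now
    parts = token.rsplit("|", 3)
    if len(parts) != 4:
        return None
    email, issued, nonce, mac = parts
    if not hmac.compare_digest(_sign(f"{email}|{issued}|{nonce}"), mac):
        return None  # tampered or forged link
    entry = pending.pop(token, None)
    if entry is None:
        return None  # unknown or already used
    if now - int(issued) > TOKEN_TTL_SECONDS:
        return None  # stale link; the subscriber must sign up again
    sub = Subscriber(email=email, purposes=entry[1], consented_at=now, confirmed=True)
    subscribers[email] = sub
    return sub

def unsubscribe(email: str, now: Optional[float] = None) -> bool:
    """Unsubscribe link handler: the record is kept (with the time of withdrawal)
    but the address drops out of every future send immediately."""
    sub = subscribers.get(email)
    if sub is None:
        return False
    sub.unsubscribed_at = time.time() if now is None else now
    sub.confirmed = False
    return True

def recipients() -> List[str]:
    """Only confirmed, non-withdrawn addresses are ever mailed."""
    return [e for e, s in subscribers.items() if s.confirmed and s.unsubscribed_at is None]
```

Note that `recipients()` is the only function a send routine should ever consult; an address that has signed up but not clicked the link is never on that list, which is the whole point of the double opt-in.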

Your privacy policy also needs to be updated to reflect GDPR. You need to review all your policies and procedures against the requirements set by GDPR, but privacy policies, especially those on your personal website if you have one, are an obvious area affected by the regulation.

It’s always wise to seek legal advice

GDPR compliance is a necessity for British freelancers doing business in the EU. We’ve outlined a few methods for complying with GDPR regulations in this article, but it’s always a good idea to seek legal advice if you have specific questions, and to ensure that you’re fully complying with your legal obligations.