GDPR for Freelancers & the Self-Employed

You have probably heard of GDPR, you probably read the Cookies Notice on nearly every site you visit and you’re probably aware it is a really, really big deal. For most freelancers and self employed people running a solo operation with few assets or digital real estate, it may seem like something they do not have to worry about. However, GDPR is something that all people need to be aware of and take responsibility for. So, let’s take a look at what that looks for for freelancers and the self-employed! Firstly, the E.U. tends to have complicated laws but they are also very comprehensive and protective of the citizen - as the new OSS rules show. No one ever said creating the union would be easy…

So let’s start with what GDPR is exactly. The European Union's General Data Protection Regulation (GDPR) aimed to improve E.U. citizens' control over the data companies hold about them. While the goal is simple, achieving ‘’compliance’’ isn't that easy for most organizations. This includes a comprehensive review of who has access to which data and where the regulated data is located, as well as the ability to carry out necessary security audits and continuous controls. Which, if you are a giant multinational corporation you can just throw money at the problem.

If you’re a one person show freelancing or self-employed - well guess what, you have to become Privacy Expert. It goes further than this: while the regulation only applies to E.U. citizen data, all companies worldwide that operate in the E.U. or have websites that can be found in the E.U. must comply with these rules. It really has a global impact. This new regulation requires significant changes in the way and where companies store customer data, and most importantly, how they give employees, contractors and business partners access to this data.

The E.U. GDPR (General Data Protection Regulation) attracts so much coverage because of the increased administrative fines for non-compliance. However, not all infringements of the GDPR will lead to serious fines. Besides the power to impose fines, E.U. countries have a range of corrective powers and sanctions to enforce the GDPR. These include:

• Issuing warnings and reprimands;
• Imposing a temporary or permanent ban on data processing;’
• Ordering the rectification, restriction or erasure of data; and
• Suspending data transfers to third countries

Even under the old data protection law, it was not possible to simply put customers together in lists and, for example, send them a newsletter. The consent of the person concerned is not required for processes that are simply part of the business, such as invoicing. But as soon as I get the idea to do something else with the addresses, telephone numbers or e-mail addresses, I need the consent of my customer - preferably in writing, because in case of doubt I have to prove the consent, Art. 7 Para. 1 GDPR  and this is where it becomes relevant for the ‘’small timers’’ of freelancing and self employment. Ultimately, however, there are some really good reasons for GDPR compliance, for us in business and as people: 

• The protection of the privacy of every individual is essential in the age of the information society.
• In modern business life, data protection means a quality and competitive factor.
• Data protection and data security are pioneers for e-commerce.
• In the course of globalization, data protection is also becoming increasingly important internationally.
• Data protection means fundamentally guaranteed personal protection.

Assuming most freelancers and self-employed people reading this are not running giant corporations, there are likely some exceptions to the extent of your GDPR compliance. Below we will run through the important questions you need to ask your self about GDPR compliance.

Data protection checklist for freelancers and the self-employed

1. Do I process personal data (e.g. names, addresses, telephone numbers, IP addresses, email addresses, etc.)?

2. How do I process this data (online via the cloud, on my computer / Excel, Word, card index etc.)

3. Do I have a procedure directory?
Here, you have to list which personal data you are processing, which groups of people are affected and what they are doing to protect the data technically and organizationally. That was already there before, called the directory of procedures, but also only applied to automated processes.

4. What is the legal basis for using the personal data?

• consent
• Fulfillment of a contract (e.g. invoicing)
• legal obligation
• Protection of vital interests
• overriding public interest
• legitimate interests of the person responsible, provided that the interests of the data subject do not outweigh the interests of the person concerned

5. Is there a legal basis for collecting and processing all data?

1. Voluntarily
2. if necessary in writing (due to the obligation to provide evidence), but can also be done electronically or orally
3. Information about the possibility of revoking consent at any time
4. For data from under 16-year-olds: approval of the legal representative

6.. Have I fulfilled my information obligations by means of a data protection declaration (print or online)?

7. Do I observe the requirements of a data protection declaration?

1. Understandable language
2. Information about the type of data and how it is processed
3. Name of the person responsible
4. Reference to the rights of the person concerned (especially: revocation, information, deletion, correction)
   

8. Have I made a risk analysis? 

• Type of data
• Sources of risk
• Appropriate technical and organizational measures
• According to Art. 32 Para. 1 GDPR, companies must take suitable technical and organizational measures to protect data and prevent risks for those affected. To do this, you first have to be clear about the risks you are dealing with. And it is best to document these thoughts (the documentation obligations come from Art. 5 Para. 2 GDPR.

9. Do I need a data protection officer?

1. If I employ at least 10 people who are constantly involved in the automatic processing of data
2. Possibly from one person: When I have to do with special categories of data (e.g. health data) - this is currently controversial

Let’s expand on this a bit. As a rule, lone fighters do not need a data protection officer. According to  Section 38 of the new Federal Data Protection Act in Germany, a data protection officer must be appointed if, as a rule, at least 20 people are constantly involved in the automated processing of personal data. But: if a data protection impact assessment is required in accordance with Article 35 GDPR, a data protection officer is required for one person or more. This data protection impact assessment is always mandatory when special categories of data are processed, such as health data (see above). This would then apply, for example, to small medical practices or pharmacies.

However, since Art. 37 Para. 1 c GDPR indicates that a data protection officer must be appointed if the "core activity of the person responsible or the processor is the extensive processing of special categories of data", most healthcare companies are (one-man - Doctors' offices or pharmacies) excluded. Hence, why special categories are noted above.

10. Do I use external service providers to process the data (e.g. cloud services, external accounting, providers, social media connections etc.)?

11. Do I have an order processing contract with these processors? 

Very few companies manage to do their work without the help of external service providers. In certain cases, these service providers process personal data: customer data, patient data, employee data. Then there is order processing, which is specially treated by the GDPR. Because in the case of order processing, the data subjects do not have to give consent to the use of their data. The service provider is treated as if he were the client's extended arm. In order to guarantee a certain level of data protection, the GDPR now requires the conclusion of a contract for order processing.

12. What data do I collect on my website ?

1. How is this data stored?
2. Is it personal data?

13. Do I offer a newsletter?

14. Can a customer register for this newsletter using the double opt-in procedure (first via the homepage, then additional confirmation by email)?

15. Have I removed all social media plug-ins (e.g. Facebook share button) from my website that could monitor the behavior of website visitors? 

16. Is my data protection declaration visible as a link on every page of my website?

If you answer the questions above regarding GDPR checklist for self-employed and freelancers and take appropriate measures, you have already gained a lot for yourself and your business. Ultimately, it is nearly impossible to be a data protection expert, though, we hope this gives you some basic points to start your own research. With so many people now working with e-commerce it seems very important to take this seriously. 

You can also hire experts to look are you needs but this is of course only if you truly are collecting more data than your average freelancer and self employed persons. . We hope, however, that we can take away the feeling of panicking a little. Because that is the main thing when implementing the new data protection regulations is that you take it seriously and pay attention to the small details!