Most of these independent consultants — be they marketing gurus, content strategists or website developers — are many things on any given day. In addition to creating and delivering goods and services, most have to actively market, sell, invoice, manage relationships and keep up with bookkeeping. Oh, and just like any other company, freelancers need to keep on the right side of laws and regulations.
This week, a Paris-based colleague of mine who happens to be a smart freelance content strategist asked for a quick chat. She had heard me mention that I was switching from Dropbox to Microsoft’s OneDrive in preparation for the European Union’s General Data Protection Regulation (GDPR). Specifically, I was starting to get a few things “straightened out” with my old files — straightened out being code for deleting data I no longer need but hoard just because I can.
It had never occurred to my colleague — nor does it occur to many freelancers — that such steps might be necessary because we are subject to many of the same legal and regulatory requirements that larger organizations pay people to address.
So, if you are a gig economy party of one, what does GDPR compliance look like? Let me share my thoughts as a freelancer and a digital policy consultant.
Related Article: An Introduction to the GDPR
Because the GDPR requires businesses — even freelancers — to protect the privacy of data pertaining to EU residents by securing the data and the infrastructure in which it resides, I started my compliance journey by winnowing my technology stack. I have been known to use Dropbox, Box, Google Drive and OneDrive for collaborating with clients and colleagues. To make life simpler, and to protect my clients’ data, I took the following actions:
- I reduced my work infrastructure, and now I only use OneDrive. The biggest selling point of Microsoft’s file-hosting service was its granular permission-sharing functionality and its ability to lock down file access to a listed IP address. I like Microsoft’s push for total GDPR compliance in its platform.
- I will still use Google Docs to collaborate on the fly with colleagues, but I will not store any personal or sensitive data there.
- I have decided not to allow my documents to automatically sync between my Macbook, my Apple desktop computer and my iPhone. While convenient, that functionality would have proved to be a point of weakness if I lost just one device or was the victim of a data breach. I now use a single cloud storage location for all data.
- I used to use two tools to back up my applications — Apple’s Time Machine and SuperDuper — but now I just use SuperDuper, a backup app from a company called Shirt Pocket. I use SuperDuper to back up applications only (no files that contain data) and have reconfigured my Apple Time Machine to only save the last 48 hours of work. This ensures that working documents are immediately accessible. All other documents go to the same place: OneDrive. In addition to making it easy to store and protect information, this approach would also make my life easier if someone were to request a copy of their data in electronic format. It would also simplify the deletion process if a user asked me to erase all of their personal data (i.e., if someone exercised the “right to be forgotten” granted by the GDPR).
Related Article: Marketers Are Missing the Point of GDPR - and the Opportunity
Data and File-Keeping
I have kept every contract and project artifact since I started to freelance in May 2006. Of course, I have deleted proprietary client files that I should not keep. But, like all freelancers with little free time on their hands, I had not kept my working documents very well organized. I stored information that had some peoples’ names, email addresses and roles, along with notes on their working patterns. Since many of my clients are global, I had information on people in the EU, the United States and other parts of the world. My approach to ensure that I am GDPR-compliant on this front included the following steps:
- I deleted all working-level files and notes that preceded 2016. I decided that it was reasonable and in alignment with warranty on services to keep the last two years of files, but to delete them on a rolling basis. The service warranty is my legitimate basis for keeping the data for two years.
- I am keeping track of required deletions going forward through a spreadsheet that resides in the OneDrive cloud. While GDPR does not require such record-keeping for businesses with fewer than 250 employees, I wanted to make sure I never have to worry.
- I decided to keep the last seven years of statements of work and contractual information, because they might be required for tax and business auditing purposes. Again, this qualifies as a legitimate interest under the GDPR, and the time frame is reasonable.
- Because all of my files are now in a single place, I have deleted all emails (including seven years of email history) because they identify unique individuals. Even in B2B scenarios where I contract with corporations and interact with employees of those corporations, the information in emails is still personal data: It often includes people’s names, phone numbers and more. Again, the exception to the deletion rule was any contractual matter.
Frankly, I should be better at marketing. But I am not. When it comes to GDPR compliance, the positive side of this weakness is that I don’t maintain a lot of marketing data. I don’t have a customer relationship management system or a contacts database, nor do I store prospect information.
The people that I need or want to connect with are part of my LinkedIn, Twitter or newsletter groups. Because I use those social media platforms to interact with people, I also use the them as my data processors and rely on them for data protection. I also use social media to give individuals the opportunity to opt out and be forgotten, or to disconnect from me.
However, there is still data hidden in some places, so I still had cleanup to do and took the following steps in an effort to be fully GDPR-compliant:
- My website uses Google Analytics, and I chose to anonymize all website user data and traffic so I wouldn’t have any way of tracking individuals.
- I have a workflow program that runs every 30 days to clean up unnecessary email. Users of my site who share information with me (via the contact form, for example) do so willingly. This provides me with a legitimate basis for collecting and processing their data: I must address the matters users contact me about. The email cleanup tool just creates a nice report that allows me to delete personal information when it is no longer needed.
Related Article: What the GDPR Means for Your Organization
The GDPR allows businesses (and freelancers) to keep data without user consent if they have legitimate uses for that data. This includes business development notes we take to form the foundation of contracts (i.e. prospecting notes), bookkeeping and tax records (including invoicing and VAT reporting), work documents to deliver on contracted work, and lists of individuals interested in classes, training or thought pieces and the like.
My bookkeeping records fall into the category of data for which I have a legitimate use. But there too, I had an opportunity to clean my records, so I took the following steps to make things nice and tidy:
- I deleted invoices that were more than seven years old.
- I removed identifying information about individual EU-based clients on invoices issued after 2011 that have been paid.
Verifying Vendor Compliance
I have reviewed the contracts of all vendors that I use, be they cloud vendors or subcontractors, to ensure that the agreements include terms stating that the vendors must be GDPR-compliant and that they must transfer and store information as securely as I do.
That was easy for the big platforms, such as OneDrive. It was infinitely more painful explaining GDPR to my tax accountant, conveying its importance and expressing what I needed their office to do. So be prepared for a mix of reactions — and there will be a mix!
I don’t sell things online, but if you do, having processors handle data (e.g. payment, signups for events, shipping, etc.) will require additional consideration and management.
Related Article: How Will the GDPR Impact Third-Party Lead Generation?
Other GDPR Considerations
- Update your prospect and customer notices to be GDPR-compliant. Among other things, make sure they are clearly written and easy to understand, verify that they are targeted to children where relevant, and ensure that they outline the specific purposes for which you collect and process data.
- Create and test process for complying with people’s requests that you stop processing their data or delete all their data (for those who exercise their “right to be forgotten”).
- Make sure you can give users their data in a portable electronic format.
- Create a GDPR-compliant data breach policy and response plan. Or review your existing data breach policy and response plan to make sure it is GDPR-compliant and update it if necessary. (Among other things, it should include actions to mitigate loss and state that you will notify people of a breach within 72 hours.)
- Consider and obtain (if needed) insurance that covers costs related to data breaches and/or GDPR penalties resulting from data breaches.
- Incorporate data breach terms and requirements into all vendor and third-party contracts. You may not get to dictate terms to big companies like Microsoft and Amazon, but those vendors should already be in alignment.
Get Started on Your Path to Compliance Today
In the process of trying to make myself GDPR-compliant, I found myself with a few additional gaps that still need to be addressed. Thankfully, we still have time before the May 25 deadlinne. If you are a freelancer who works with EU-based clients or prospects but has not yet undertaken the task of becoming compliant, I recommend that you start today. Compared with larger businesses, your vulnerability might be smaller. But you are not immune to the lost laptop that exposes users’ private data, data breaches that expose records you store with a cloud hosting provider, or complaints or lawsuits from people upset that you did not respond to their rights under the GDPR.
If you want to stay afloat in the gig economy, make sure you consider these risks and respond appropriately.