GDPR Compliance When Working With Freelancers

Accurate data is the lifeblood of any business. It helps make sense of events and supports decision-making. The same applies to your contingent workforce data, too. If you know who your organisation is already working with and the skills they have, then you’re in a better position to select the right person for a project. Or decide to search for someone new.

The problem is, managing a couple of freelancers is one thing. But 20, 100, 1,000? That’s a different matter – particularly if they’re located all over the world. Plus, if you’re dealing with freelancers based in the EU, you need to comply with the General Data Protection Regulation (GDPR).

GDPR – an overview

This EU-wide law came into effect on 25 May 2018 and is aimed at giving individuals more control over their personal and sensitive information. Every business should be compliant by now. However, according to IT specialists Q2Q, “...40% of SMEs are still unsure about the rules and regulations surrounding GDPR.” That’s a worrying figure – particularly as organisations could risk huge fines of up to €20 million, or 4% of total worldwide annual company turnover, whichever is higher.

At its core, the GDPR calls for organisations to be clear about the specific data they’re collecting, what it will be used for and who’s going to view it.

Essentially, it’s grounded on seven core principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (i.e. security) and accountability.

The Information Commissioner’s Office (ICO), which is responsible for GDPR compliance in the UK, has some very good information on its website that’s fairly easy to digest. It’s worth taking a look if you haven’t already. There are also some handy tools and checklists – more details can be found at the end of this chapter.

However, at the most basic level, it breaks down like this. First, you need to decide if you’re handling personal data. Most organisations are on some level, regardless of size. Then you’ll need to work out whether you’re a controller, joint-controller or processor.

This will depend on your own situation but the ICO states, “Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.”

You need to define the lawful basis upon which you’re processing personal information too. Is it based on consent, contract, legal obligation, vital interest, public task or legitimate interest? At least one of these will apply. You should also document everything, along with your reasoning. The ICO is the best place to start, as it provides a lot of guidance to help you.

The bottom line is that action can be taken if you misuse personal information, experience a data security breach, or are otherwise found not to comply with the regulations. However, if you’re organised, have everything well documented, store data in secure GDPR-compliant systems, regularly review the data, and have processes in place to deal with data requests, then you’re better placed to prove compliance.

As one might expect, there’s a great deal of detail in the legislation, so it’s always best to get legal advice for your own circumstances. However, on the plus side, ensuring freelancer data is GDPR-proof can have knock-on benefits for your organisation. But it needs to be viewed as a business-wide issue.

Don’t dump GDPR on HR

Freelancer data should be treated with the same due care as employee data – or any other individual’s personal data for that matter. This means GDPR isn’t just the domain of the HR department but the responsibility of everyone in the business. Human capital, in other words, is the responsibility of every department.

That’s why it’s important to know who within the organisation is already working with freelancers and how they’re currently storing and processing that information. How they collate, retain and secure data is critical.

You’ll potentially need to reconsider and tighten up every aspect of your engagement with freelancers, from sourcing and hiring to the onboarding process and ongoing data management. It might also mean reviewing your contracts (and, in the UK, considering IR35 status at the same time).

Part of the process is also to make sure that all relevant persons in the business are educated on the importance of keeping freelancer contact details safe and secure – and giving them the means to do so.

Provide the right tools

A key part of compliance is ensuring the business has the right tools for the job. This means that freelancer data needs to be stored in a secure, encrypted system and not on a spreadsheet. The latter risks being copied to different computers, USB sticks or similar, shared via email or printed out, which could easily result in a data breach.

Whilst it’s possible to use your own database, you’d need to be confident that it was fully GDPR-compliant, with security and privacy embedded at its core. Alternatively, a compliant professional Freelance Management System (FMS) might be the best way to go. A secure, password-protected platform should also provide access controls over who can view and edit the data, so it doesn’t fall into the wrong hands.

Having a single centralised system – particularly a secure cloud-based system – also has the added benefit that it’s easier to share data with authorised individuals, wherever they’re based. No emailing spreadsheets or USB sticks involved. That means more control over the data and it significantly reduces financial and reputational risks.

Pro tip: whichever cloud service you use, you’ll need to check where the data is actually stored. If it’s in data centres outside the European Economic Area (EEA), make sure that the country in question has what’s known as an adequacy finding. If the company concerned is based in the US, are they certified under the Privacy Shield framework? If none of these apply then there are alternative safeguards as pointed out by business lawyer and GDPR expert, Suzanne Dibble, “The main existing way to safeguard personal data when it’s being transferred internationally and none of the above safeguards apply, is to enter into standard contractual clauses that have been pre-approved by the European Commission.”

Process and maintain data

With a robust FMS in place, it’s easier to develop strict workflows and procedures to standardise the whole process, from the information being requested from freelancers to secure payment methods. This also includes ensuring that all documentation, such as contracts and agreements, is obtained in a timely manner.

In terms of GDPR rules, if a controller uses a processor (e.g. a client uses a freelancer) to process personal data (such as customer or prospect data), then according to the ICO, “...there must be a written contract (or other legal act) in place.” An FMS ensures that all documentation like this can be kept safely stored in one place.

Not only does this help with compliance, but it’s also very efficient. Plus, there’s the added benefit of access to up-to-date information that’s far easier to filter and search. Having the whole talent pool at your fingertips saves endless hours trying to find the right person with the right credentials. No more wasted time asking colleagues if they know of a good freelancer for your project.

And, if freelancers can also access their own data via this password-protected system, they can make sure their details are accurate. Not only will this cut down on data requests, but it also offers a way to collaborate and communicate with your flexible team. With the ability to always add new skill sets, it’s the perfect way to keep the relationship going as new projects emerge or evolve.

Data retention and removal

Under the GDPR rules, data should only be retained for as long as is necessary (unless it’s anonymised). An individual also has the right to have their data erased if you no longer need it (known as the ‘right to be forgotten’).

However, the latter only applies in certain circumstances – it doesn’t apply, for example, if there’s a legal obligation to keep the data or it’s needed to establish, exercise or defend a legal claim. You need to consider your other GDPR obligations when deciding if you should delete personal data.

The GDPR doesn’t state a time limit for how long the different data types can be kept; that’s been left to organisations. The key is that you’re able to justify the data you’re retaining, the time period, and how often you review it. A retention policy will help you do this. You can find more information on the ICO website.

GDPR may seem like a headache but it offers opportunities beyond compliance. Having control and oversight of all your freelancer data means you’ll spend less time finding the right person and more time getting projects completed, faster. Greater efficiency means there’s less drain on resources and more productivity overall.

On a deeper level, taking good care of freelancer data engenders trust and a high degree of professionalism. It demonstrates that you’re transparent, accountable and ethical in your data practices. And that means you’re more likely to attract and retain the best freelancers – as well as get the most from your talent pool.

Disclaimer: This chapter is for educational purposes only. The information contained within it does not constitute legal advice. Any use of this information is at your sole discretion. You are advised to obtain independent expert advice from a lawyer.

Useful Resources

Information Commissioner’s Office (ICO)
ICO data protection self-assessment toolkit
ICO lawful basis guidance tool
EU GDPR (official document)