There’s no exemption for freelancers and small businesses when it comes to the General Data Protection Regulation (GDPR) and protecting personal data.
All businesses that handle or process 'personal data' need practices and tools to protect that data and treat individuals fairly. One reason is that it is a legal requirement. The relevant laws - the GDPR and Data Protection Act 2018 that sits alongside it - are very specific about a number of things you need to do and the legal sanctions if you do not. However, legal compliance aside, managing personal data professionally is important to build trust with customers, manage the risks of reputational disasters and – increasingly – in order to win work from larger organisations (who will not work with suppliers unless they can demonstrate data protection compliance).
You may be wondering what ‘processing personal data’ actually means! Firstly, ‘personal data’ is broadly defined as any data relating to a living individual who can be identified, directly or indirectly, from that data. So names, telephone numbers and even work email addresses – whether they’re on LinkedIn and other public websites or not – are personal data. ‘Processing’ personal data includes all ways of handling the data, including storing it (for example on your phone, your computer or in Outlook contacts). It covers other activities too, such as sending marketing emails, transactional emails or putting it in a spreadsheet to analyse it.
Nearly all freelancers, as well as other businesses large and small, will be processing personal data about customers, contacts, suppliers, website visitors and potentially others. There is no exemption for small businesses, so the rules apply whether you are a sole trader or operate through a limited company, whether you employ staff or not, and no matter what your revenues. All small businesses, including freelancers, need to understand the basics of data protection to implement some initial measures. Beyond that, the lengths you need to go to will depend on the extent of the personal data you collect and what you do with it.
So far so clear? As clear as mud I hear you say? I would guess that many readers will be asking: what exactly is it I need to do? That is the problem for smaller businesses without dedicated data protection specialists. Reading the legislation itself will not help you work out what to do. The website of the Information Commissioner’s Office (ICO) has some great guidance and resources, and we recommend you visit its SME support pages. However, you will still need many hours to get up to speed – as well as templates and support with some of the steps you need to take.
A useful starting point is the ICO online assessment tool called “How well do you comply with data protection law: an assessment for small business owners and sole traders”. Key questions are:
Taking this assessment only takes five minutes and will give you a better idea of the things you need to develop. It won’t help you implement them. We realise that small businesses do not have the budget to hire specialists to support them, but there are options to get guidance, tools and templates in a much more cost-effective way.
One is Astrid Data Protection, which is specifically designed and priced for small businesses and has been developed by a team who are all experienced freelancers themselves. Our secure online platform shows you what you need to do and gives you the tools and information you need to become GDPR compliant as quickly and painlessly as possible. We have teamed up with IPSE to offer a 10 per cent discount off our one-person rate for IPSE members. If you would like to try before you buy, you can create a free trial account that offers you the starting modules and access to our knowledge base.
Taking some steps now to address data protection will help freelancer businesses ensure legal compliance, build trust with customers and win work. It may also have other benefits in terms of helping to demonstrate that (in IR35 terms) you are a genuine independent business that manages personal data and has its own registration as a data controller with the ICO.