GDPR goes live on the 25th May 2018, that is in about a month from the time of writing. In my professional circle I keep hearing that it probably won’t affect freelancers and small businesses all that much: the Information Commissioner’s Office (ICO) will not be interested in small fry, they will be going for the big companies. Time will tell, but whatever way you look at it, doing nothing about GDPR is a risk. For larger businesses doing nothing is not an option. By now most businesses will have a Data Protection Officer in place and preparations for GDPR compliance will be well developed. But what about work undertaken by contractors? Will they have access to personal information? Are they trained in information security? What could possibly go wrong? I usually bank on something doing so.
My audience for this article is companies which hire contractors or freelancers. I am also addressing fellow small business owners. After all, it will be a lot harder to get hired if there is any question about security. GDPR is a game changer; it radically transforms the way businesses manage data. It is not confined to Europe, but has global reach. It seeks to bring to book businesses which cannot demonstrate a comprehensive, risk-based system for managing data. Can we really afford not to comply? Among the myths circulating about GDPR, the most prevalent are that it won’t affect us, that SMEs are not covered by the new regulation, that data processors (as opposed to data controllers) are not affected, or that the ICO will not impose large fines on smaller businesses.
There are also a number of benefits that come with GDPR compliance. For a start, it enhances reputation, the main asset of any freelancer or small business. With GDPR compliance, potential clients can be reasonably confident that they can trust you with their data. It also means you’re much less likely to have a data breach, which is also bad for business. Data breaches are expensive, not just in reputational terms but in fines and compensation. Going through the GDPR compliance checklist will help you to organise your data and ensure that you have asset registers and a filing system which works.
The principles of GDPR are fairly simple and easy for a small company to grasp. Essentially, think about how you want people to treat your personal information and apply it to your business. There are 6 main principles:
- Personal information is to be processed lawfully, fairly and in a transparent way
- Personal information can only be collected for specific and legitimate purposes
- Personal information should be relevant to the job in hand, limited to minimum disclosure necessary
- Personal information should be accurate and up to date
- Personal information is not to be held any longer than necessary
- Security of personal information must be maintained at all times
There are also a number of individuals’ rights which go along with any personal information you may hold:
- The right of access to any information you hold on an individual (including appraisals)
- The right to be informed of what you are doing with the data
- The right to have personal information erased from your system
- The right to restrict processing of personal information
- The right to data portability (you cannot say they cannot see the data because it is on a different system)
- The right to rectify personal information
- The right to object
- Rights related to automated decision making based on personal information
This does not seem too onerous at first glance. It is, after all, how we would all like to be treated, and how we should be treated after the 25th May. In practice, however, this is a step change in how organisations tend to treat personal information. Your company will need to demonstrate cyber security and data protection: technical measures to improve security (such as anti-virus), organisational measures, encryption and an information security framework. If you hire contractors or freelancers you will need to ensure all of these are in place for them, as well as for your full-time employees. There are two ways to achieve this. Firstly, your onboarding or professional development process could include GDPR training. If your contractors are qualified to the same level as your employees, there should be no problems. Of course, this can be awkward, as you may need to bring a contractor in to do the staff training, and it also increases the cost of compliance. An online course could be the answer which solves these issues. Another approach is to look for contractors who already hold the Cyber Essentials or IASME Governance badges, which are a high-level form of assurance giving confidence that the contractor meets the standard expected by the ICO. This has the advantage of being best practice.
For owners of small businesses, I would recommend, based purely on personal experience, getting accredited under Cyber Essentials or IASME Governance. The ISO 27001 information security framework is also an option, but it is not ideal for a small business and takes far longer to complete. Arguably, the ISO standard is over-assuring for a small business, as it is geared up for larger organisations. I went through the IASME website and I would strongly recommend it. It cost me £480 (inc VAT) and a couple of days’ work, but the result is that I can advertise my compliance. Potential clients do not need to worry about GDPR compliance when hiring me. I would say it was worth it. Continuous assessment is also important, so it is worth reviewing your information security framework regularly.
GDPR is coming very soon, and there is no doubt that it affects everyone using data. For the sake of a little time and a little money, it is well worth getting prepared, even if you are a small business. Think: what could possibly go wrong? Then prepare for that.