There is a lot of advice floating around about the GDPR – for everyone from large enterprises to small businesses. What I haven’t seen much of (though I have seen some) is an attempt to relate it to self-employed or freelance individuals, sole traders, and small partnerships. Recently my wife came across some questions about it on one of her social media translator groups, where there were concerns about how it will impact these groups.
The advice for SMEs and larger is generally very official, designed for consumption by the legal and technical teams of a company. That’s great for a company which has those, but doesn’t apply so much to a sole trader who doesn’t specialise in law and IT. So I offered to summarise as best I could, and translate things a little. Before I do that I need to make a couple of things clear:
- This post aims to make the GDPR understandable for sole traders and other small businesses. I do not aim to present or suggest solutions here, but simply to help ensure that the responsibilities and duties are understood appropriately.
- This is not official advice from a lawyer or similar and you should not lean on it if you have a particularly complex situation, instead consult a professional who is willing to put official advice in writing and has liability insurance.
- This first post is a brief summary – I will be skimming over the legislation, as I don’t know which questions are the most pertinent to go into in depth. If you have any questions please get in touch, or post a comment, and I’ll happily elaborate on any areas of confusion or concern.
Principles of the GDPR
The GDPR is based around a number of principles, largely building and elaborating on existing principles in data protection legislation.
- Lawfulness, fairness and transparency: treat personal data according to the law, fairly, and be open and transparent about your usage of it with the subjects of the data
- Purpose limitation: only collect and use data for clearly defined purposes, do not use it for anything outside of those purposes (transparency applies here, as the data subjects must be informed of the purposes)
- Data minimisation: you should only keep the most limited data you can which is adequate and relevant to your purposes in processing
- Accuracy: personal data you hold must be accurate, and where necessary kept up to date
- Storage limitation: this is more an extension of data minimisation – you must not hold data in a form that allows identification of subjects for longer than necessary for your stated purposes. Note that this permits anonymisation of data for further storage and processing.
- Integrity and confidentiality: make sure that the data is secure, using (and this is the key word) appropriate technical or organisational measures
- Accountability: the data controller (different from the data processor, we’ll get to that) is responsible for and must be able to demonstrate compliance with the GDPR legislation
GDPR Data Subjects, Processors and Controllers
The other three key terms that come up in the GDPR are about who it applies to. Here we have data subjects, processors, and controllers. ‘Subjects’ is fairly clear: it refers to the subjects of the data being gathered and their rights to control that data, specifically their right to be informed of any data held on request, and their right to have it shown to them or removed on request. Processors and controllers are where some confusion comes in, but they are quite simple. The controller is the one who decides what the data is to be used for, while the processor is the one who carries out those uses. For sole traders and other small businesses these are almost certain to be the same people – although there will be cases where they are not (where your business is about providing analytical resource and expertise to third parties, for example).
Contractual Basis for Processing
I’m going to end with this section, for now, as it is the area which seems to raise the most concern. As mentioned, if anyone has questions around other areas, please get in touch or comment and I’ll happily expand this series to address them, but this is one I really wanted to cover.
One of the most common questions I have heard is whether the GDPR will interfere with normal business, in particular starting a new business relationship with someone. Do you need to e-mail them to get informed consent, keep them notified that you’ll be storing their contact details in your address book/CRM, and so on? Marketing is a bigger, separate subject, so if it’s asked about I’ll go into it in a separate post.
Essentially if you are holding and processing someone’s personal data for the purposes of fulfilling an agreed contract and/or agreeing a contract then you have a lawful basis for processing. Contract here refers to any agreement that meets the terms of contract law (not necessarily written down, but means that terms have been offered and accepted, you both intend for the terms to be binding, and there is an element of exchange).
The good news is that this will apply if you are establishing a relationship and contract with a new client. It will also apply if, as part of the contract, they are asking you to process their personal data (e.g. getting a personal document translated into another language). What is important is that when you obtain the data you ensure the client/customer/third party is informed of how you will be using it, why you will be using it, what you will be using it for, and how long you intend to keep hold of it.
Basically a lot of the GDPR boils down to being transparent with people about what you are doing with their data, taking responsibility and accountability for data you hold, and acting in a reasonable manner. If you are clear and open with customers about what you will do with their data (and remember, GDPR is opt-in, not opt-out, so the consent must be informed and documented), and keep track of the data assets you hold, then you should be fine. The legislation makes a lot of use of ‘reasonable’ measures, views, expectations and so on. Essentially – if someone contacts you in order to set up a contract and do business with you, particularly if the only personal data you obtain are contact details, you will need to take reasonable security measures to secure those contact details, and not misuse them to send out marketing e-mails without the explicit consent of the data subject.
Treat others’ data as you’d expect a responsible business to treat yours, and you should be fine. If you have questions either around other aspects, or around more practical security matters for a sole trader or small business (encryption, systems to use, what counts as ‘secure’), then please do leave a comment or get in touch directly.
I’ve been advised to add a small note around some specific scenarios:
- if you are working with a document with a signature, even if there is no other personal data, then once you are finished with the document you should destroy it and/or ensure that the signature is unreadable (there may be reasons to keep the document, in which case it should be fully anonymised if you have no need of the data)
- if you keep contact details (you do) then you should ensure that people are informed you are keeping them, and make sure they have a way to ask for the data you hold on them, ask for changes, ask for it to be erased, ask you to restrict the purposes you use it for (with contact details this essentially maps to asking for it to be erased, I imagine), ask for an electronic copy, and object to you holding it – this is a large area, and I suspect will involve a separate post to cover fully
- having a password on your computer is not a way to protect your data from theft unless you have also set up encryption, or are storing all data in the cloud rather than on the local machine, or other circumstances apply – if I get some questions on this then I’ll go into more detail, but it’s fair to say that whole-disk encryption along with a password is a reasonable option, while an unencrypted disk is not
7 Replies to “GDPR for Sole Traders – Brief Summary”
I’m intrigued by your last comment, as you seem to imply that cloud storage is somehow more secure than a password-protected computer. Anyone who is using cloud storage for personal data will need to ensure that their cloud storage provider is also GDPR-compliant.
There are concerns with cloud storage; however, if you’re an individual with your own business working as a sole trader then enterprise-level storage (DropBox, OneDrive, Google Drive, take your pick) will be more secure than anything you can set up alone. On top of that, all of the large storage providers are GDPR compliant, because they have to be in order to supply enterprise storage contracts, and it’s cheaper and easier to provide everyone with higher security and compliance with that sort of system than it is to try and maintain different levels.
In terms of a password-protected computer, without even full disk encryption, there is no real security involved if someone has physical access.
Thanks for the informative post!
I’m interested in solutions/systems for encryption of a hard drive – if you have any suggestions, that’d be great!
There are a few suggestions depending on how far you want to go – ranging from a secure storage area on your normal computer, through to full disk encryption. If you’ve got Windows 10 Enterprise or any other version that allows BitLocker, that’s the best recommendation. If not then there are a few other options – I’ll list them here and go into depth on how exactly they can be set up in a later post (currently trying to finish off a paper, and need to get that done fairly urgently). Also there’s a good tool for secure e-mail which may be relevant in some cases, and is easier to set up than most think.
- VeraCrypt, a fork of TrueCrypt and an open-source (i.e. free) solution which is well-respected
- AESCrypt (good for individual files, not so much for larger scale)
- PGP (various implementations, but essentially allows you to send secure e-mails)
There are also a lot of commercial solutions out there (BitLocker being one) which are solid, but for most small businesses the costs are significant and so open-source and a bit of self-training tend to be a better solution.
Thank you! Very much appreciated!
Hi. I’ve been battling to understand this the past few weeks (even posted some articles about it, where I realized I wasn’t the only one who was confused about the topic. And I still somewhat am.)
I’m a freelance translator. I work from home on my personal computer. I work both with agencies and direct clients. I don’t have a website (yet).
In practical terms, what do I have to do to be compliant? How do I inform others that I am? And how do I prove that I am?
Thanks in advance for your help.
I’ve finally got some time over the next few days when I’ll be able to catch up and hopefully put together some articles/posts/FAQs to deal with some of these questions. I’m going to try and make them as relatable as possible, and please if they raise any other questions or don’t address a specific scenario feel free to raise it. The aim is to have the main ones covered (and currently that’s looking like how to handle encryption, cloud providers with GDPR, and how to deal with it from the point of view of normal business practices rather than specifically storing and/or processing larger quantities of personal data) and up by next Monday.
Hope they help when they come out, and if there’s anything specific please do ask here (or buzz me on twitter for shorter answers).