The GDPR has been a hot topic with the Collective in recent months. And rightly so. With the enforcement date rapidly approaching, the GDPR is going to affect all business owners – whether you are a freelancer, agency or global pharma company. So we should all be preparing now to ensure our compliance.
We’ve been supporting the Collective’s pool of freelancers prepare for the GDPR and in this blog post Carly, our Head of Making Things Happen, outlines some of the key things we’re doing ahead of the enforcement date based on our understanding of the guidance made available by the Information Commissioner’s Office (ICO).
So, grab a coffee and let’s get stuck in!
Okay. I’ve got my coffee and I’m listening. So, what is the GDPR?
The EU General Data Protection Regulation (GDPR) replaces the current Data Protection Directive 95/46/EC and has been designed to align data privacy laws across Europe, to protect our own data privacy and to reshape the way organisations across the region approach data privacy.
The GDPR applies to ‘personal data’. This means any information which can alone, or in combination with other information, result in the identification of the person to which the data is referring to. Think name, date of birth, address, email address, telephone number, bank details and IP address as a starter for ten. The GDPR also covers ‘special personal data’, including genetic and biometric data.
The enforcement date of the GDPR is the 25th May 2018. After this date businesses (including freelancers and sole traders) that are found to be non-compliant are liable to fines – as high as 20 Million Euros or 4% of global annual turnover, whichever is higher. But, don’t panic. The ICO has stated that “it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”
How can freelancers prepare for the GDPR?
Here are nine ways freelancers can prepare for the GDPR ahead of the enforcement date. If you are a health comms freelancer and haven’t started preparing yet, keep reading. These are the actions we are taking as a Collective, and have encouraged all of our freelancers to work through too.
1. Conduct a software and device audit
Getting a good handle on what data you have and how it is stored and processed is good practice under the current Data Protection Act as well as for the GDPR.
Your data audit should be reviewed regularly and updated as needed so that you always have a current picture of the data stored across your business.
Conducting this audit now means that you will have a clear understanding on what updates you need to make to be compliant with the GDPR and will enable you to take action quickly should you experience any data breaches.
Freelancers can prepare for the GDPR by listing the following (we’ve captured our information in a simple Excel spreadsheet).
1. What software do you use for your business?
Include paper-based systems, cloud storage, Microsoft products, CRM systems, email accounts, mailing software, hosting providers, project management software etc. For each of these systems note what personal data they hold.
2. Who has access to these systems and data?
3. What permission do you have to store and use this data?
4. Where are the serves for each system you use located?
Does the software company intend to comply with the GDPR? You can find out more about the reason for this and what GDPR says about international transfer of data here. The bottom line is that, under the GDPR, businesses are prohibited from transferring personal data outside of the EU to a country that does not have adequate data protection. This includes the US. If the software you use transfers data to/stores data in the US, make sure the data is protected by the Privacy Shield to ensure compliance with GDPR.
5. What devices do you use to access these systems and data?
Who else has access to these devices?
2. Review the data you currently store
This is a good time to securely delete (or shred) any documents you no longer need or are legally required to keep and ensure the data you do hold is necessary and secure.
3. Encrypt your devices
Encryption is the only way to protect data that may be lost or stolen – for example if you lose a memory stick or laptop. Password protecting your devices is not enough, the data could easily be transferred to another machine and read.
If you aren’t sure how to encrypt your devices, find out. The below information may be helpful.
4. Protect against viruses and malware
Install the appropriate software on all of your devices to protect against viruses and malware. Our Head of All Things Technical, James, recommends Sophos for Mac users.
It is also important to ensure you regularly install software updates. These are easy to ignore when we are busy working, but new updates fix issues that could potentially lead to software vulnerability.
5. Keep passwords secure
I can’t stress enough how important it is to keep your passwords secure and share them securely. Doing so can help to demonstrate that you are trying to protect the data you hold in every way possible. Passwords should be changed regularly to maintain their integrity.
Here are some steps you can take:
1. Set up a password manager.
I use both Lastpass and 1Password. These allow both secure password storage and sharing. If you have previously shared passwords with others and they a) haven’t been strong and unique and/or b) were not shared securely, you should change the passwords and re-share them securely as needed.
2. Ensure all of your passwords are strong and unique.
Both Lastpass and 1Password can generate passwords for you. Use this feature. Please do not use a password that has any reference to your name, date of birth, address or any other very obvious information! This is an example password generate by LastPass: SFTAD0C827y3i5un7uy4g6z1o2. This is what I mean by secure!
3. Enable two/multi-factor authentication (where possible).
6. Use a private VPN when working in public
Public WIFI is not secure and someone could easily intercept your data if you are using a shared network. When working on public WIFI (for example your local Starbucks) you should use a private, encrypted network.
7. Backup data securely
So, you’ve lost your laptop with all of your data on it. Including personal data. Right, now you need to inform those it might affect. Okay, this is not ideal. But at least you can find out whose data you had because you have a back-up, right? In the cloud? No? Hard Drive? No? Ah, it was only on your hard drive. Oh dear.
That’s right. Not only are backups a good idea should your computer break, but they are critical to being able to comply with the reporting and notification requirements of the GDPR should a data breach occur. You are required to notify anyone whose data may have been compromised as part of the breach and therefore may be at risk. Without a backup, it would be very difficult to do this.
We use both cloud and encrypted hard drive back up of our systems and data.
8. Review mailing lists and methods of consent
When preparing for the GDPR it is essential that you review your mailing lists to ensure they are compliant. In some cases, you will need to re-opt in those on your list.
Consider the following:
1. Were all of your signups collected via a double opt-in?
The double opt-in process includes two steps. In step 1, a potential subscriber fills out and submits your online signup form. In step 2, they’ll receive a confirmation email and click a link to verify their email. If your answer is no, can you prove that people gave their permission to be on your list (giving you their business card DOES NOT count!)? Personally, I would ask anyone who didn’t sign up via double opt-in to re-opt-in in advance of the enforcement of the GDPR. (Note: double opt-in is not specifically mentioned by the GDPR but it is the best way of proving that those on your mailing list gave their permission to be on it and consent is a big part of the regulations).
2. Are tick boxes for signup pre-ticked?
Under the GDPR pre-ticked boxes are not permitted.
3. Is your opt-in positive?
Under the GDPR a positive opt-in is required (i.e. you can’t ask people to ‘tick here if you don’t want to be on the list’).
4. Is it clear when someone signs up what they are signing up for?
Under the GDPR, saying those who sign up will receive your ‘newsletter’ isn’t adequate – you need to be specific about what communication they are signing up for. How often will they receive your newsletter? What information will it contain?
5. Can an email subscriber easily unsubscribe?
All of your emailers should have a clear unsubscribe button.
Further information on consent can be found on the ICO website. Mailchimp also has a guide on the GDPR and mailing lists. If you use another mailing software, it’s worth checking their specific advice too.
9. Update privacy policies
The ICO’s Privacy Notices Code of Practiceis a good place to start and includes information on privacy notices under the GDPR.
Liz Henderson’s LinkedIn article also breaks this down in simple language and provides an example GDPR compliant policy.
And that is how we are preparing for the GDPR…for now. I say for now because we fully expect that as we edge closer to, and even beyond, the enforcement date we’re likely to receive new advice and best practice guidance.
We hope this was a useful insight into what the regulations are all about and how you can start preparing for the GDPR ahead of the May enforcement date.
About the Author
Carly is Head of Making Things Happen at The Difference. She is an accomplished executive assistant and marketing expert with nearly 10 years’ experience in the healthcare communications industry. She has also worked remotely for the past three years and brings valuable expertise and insight to our #WorkDifferently culture.