Handling your clients’ confidential personal and financial details is a great responsibility. Freelancers fall into the category of data controllers and, as such, are legally required to guarantee the privacy of the sensitive digital information they store and handle about their customers. Since non-compliance may have severe consequences, such as monetary penalties of up to £500,000, loss of business reputation, compensation claims, or even imprisonment, it is very important to be aware of, and comply with, the relevant regulations.
To get started, let me give you some background on the Act and a few of the key terms it uses, which are what identify you as a data controller. Passed in 1998, the DPA was intended to set out guidelines for, and to regulate, the processing of personal data by data controllers in the UK, implementing European Directive 95/46/EC in UK legislation.
According to the definition found in the DPA, a data controller is “… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.” As far as the definition of personal data is concerned, it is essentially “any data that can be used to identify a living individual.” Since you handle customer names, email addresses, physical addresses, etc., under these terms you qualify as a data controller in the eyes of the law.
While I do encourage you to familiarise yourself with the content of the entire Act step by step, to save you the headache of having to go through its numerous complex paragraphs right now, I’m going to sum up what your responsibilities are when it comes to protecting your customers’ digital data privacy. While most of them are quite self-explanatory, some will likely require you to update your data management practices and create a data breach response plan.
The first principle essentially requires you to make it very clear to your customers what purpose(s) the data you obtain from them will be used for. As long as the way in which you obtain the data is not misleading or deceptive about the purpose of its intended use, you won’t have problems. Make sure that the signup, payment, feedback, contact, or testimonial forms on your website, the surveys you conduct, your correspondence emails, etc., are in line with that requirement.
Let’s take some everyday scenarios to illustrate this point. For instance, if some customers signed up for your monthly newsletter on your website, you are not allowed to use their email addresses as a vehicle to advertise your side projects. Likewise, don’t make up surveys requiring your customers to provide various personal details just to obtain extra email addresses to which you later want to send advertising and marketing content.
Say you want to create a signup form for your web design services. Asking for obvious details, such as name and email address, is fine, but avoid including unnecessary, irrelevant, or intrusive questions about further sensitive personal details. For instance, asking for your customers’ date of birth would likely be irrelevant to your web design service.
As far as possible, try to make sure that your customer database is updated on a regular basis. It won’t only help you comply with the Act; your business will also benefit from it. For instance, it helps you avoid wasting time and money by sending newsletters to an outdated email list, or personal messages to obsolete addresses. Your customers will also appreciate your efforts to maintain a tidy database as an essential element of your business.
If some of your customers’ details have changed, or are no longer needed for the purpose(s) for which you obtained them, you need to make sure that the obsolete details are securely deleted from the computer(s), devices, or removable media you stored them on. For instance, if some customers have updated their billing address, credit card details, or email addresses, or have closed their accounts, you are required to arrange the destruction of the obsolete or unneeded confidential details.
You need to make sure that your customers can exercise their rights, listed below, at any time. They have the right to:
The most important thing here is to make sure that you keep your clients’ data safe and secure with the most up-to-date software and hardware solutions possible. You should also educate yourself about the latest trends in privacy threats and protection. Here are some best practices:
If you need to transfer your clients’ data to countries outside the EEA, it is your responsibility to arrange proper protection for that data, especially if that country does not maintain the level of data protection the Act requires. Let’s say you have a business partner in a country outside the EEA. Assigning jobs to him requires you to send him contracts by email that contain details of your customers. If that country does not have the same level of data protection legislation in place that the DPA requires, it is your sole responsibility to make sure that customer data sent to your foreign partner is properly protected in transit.
I hope this article has managed to sum up what your responsibilities are as a data controller and will help you comply with the principles required by the Act.
Adam Csorghe is Communications Manager at East-Tec, an award-winning company producing privacy and security products and solutions since 1997.