Handling your clients’ confidential personal and financial details is a great responsibility. Freelancers fall into the category of data controllers and, as such, are legally required to guarantee the privacy of the sensitive digital information they store and handle about their customers. Since non-compliance may have severe consequences, such as monetary penalties of up to £500,000, loss of business reputation, compensation claims, or even imprisonment, it is very important to be aware of, and comply with, the relevant regulations.
The UK Data Protection Act 1998 (DPA)
To get started, let me give you some background on the Act and a few important terms in it that identify you as a data controller. Passed in 1998, the DPA was intended to set out guidelines for, and regulate, the processing of personal data by data controllers in the UK, implementing the European Directive 95/46/EC in UK legislation.
According to the definition found in the DPA, a data controller is “… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.” As far as the definition of personal data is concerned, it is basically “any data that can be used to identify a living individual.” Since you handle customer names, email addresses, physical addresses, etc., you qualify, under these terms, as a data controller in the eyes of the law.
What are your responsibilities as a freelancer?
While I do encourage you to familiarize yourself with the content of the entire Act step by step, to save you the headache of having to go through its numerous complex paragraphs right now, I’m going to sum up what your responsibilities are when it comes to protecting your customers’ digital data privacy once you’ve decided to go self-employed. While most of them are quite self-explanatory, some will likely require you to update your data management practices and create a data breach response plan.
1. Data must be used fairly and lawfully
The first principle basically requires you to make it very clear for your customers what purpose(s) the data you obtain from them is going to be used for. As long as the way in which you obtain the data is not misleading, or deceiving about the purpose of its intended usage, you won’t have problems. Make sure that the signup, payment, feedback, contact, or testimonial forms on your website, the surveys you conduct, your correspondence emails, etc., are in line with that requirement.
2. Data is obtained for limited purposes and is not processed for purposes other than those for which it was obtained
Let’s take some everyday scenarios to illustrate this point. For instance, if some customers signed up for your monthly newsletter on your website, you are not allowed to use their email addresses as a vehicle to advertise your side projects. Likewise, don’t make up surveys requiring your customers to provide various personal details just to obtain extra email addresses you later want to send advertising and marketing content to.
3. Data must be adequate, relevant and not excessive
Say you want to create a signup form for your web design services. Asking for obvious details, such as name and email address, is fine, but avoid including unnecessary, irrelevant, or intrusive questions about further sensitive personal details. For instance, asking for your customers’ date of birth would likely be irrelevant to your web design service.
4. Data must be accurate and updated
As far as possible, try to make sure that your customer database is updated on a regular basis. This won’t only help you comply with the Act; your business will also benefit from it. For instance, it helps you avoid wasting time and money by sending out newsletters to an outdated email database, or personal messages to obsolete addresses. Your customers will also appreciate your efforts to maintain a tidy database as an essential element of your business.
5. Data must not be kept for longer than is necessary
If some of your customers’ details have changed, or are no longer needed for the purpose(s) for which you obtained them, you need to make sure that the obsolete details are securely deleted from the computer(s), devices, or removable media you stored them on. For instance, if some customers have updated their billing address, credit card details, or email addresses, or have closed their accounts, you are required to arrange the destruction of the obsolete or unneeded confidential details.
6. Data must be processed in accordance with your clients’ rights detailed in the Act
You need to make sure that your customers can exercise their rights, listed below, at any time. They have the right to:
- Have access to a copy of the data you obtained and store about them
- Object to the way you process their data if they fear that you misused it, or didn’t keep it private
- Say no to processing their data for direct marketing purposes
- Object to automated decision making using their data
- Change, erase, destroy, or block inaccurate data held about them
- File a compensation claim against you for damages you caused them by the breach of the Act
7. Appropriate technical and organisational measures are taken against unauthorised or unlawful processing of data, and against accidental loss, destruction and damage
The most important thing here is to make sure that you keep your clients’ data safe and secure with the most up-to-date software and hardware solutions available. You should also educate yourself about the latest trends in privacy threats and protection. Here are some best practices:
- Stay in the know by regularly reading publications written by experts on privacy and security
- Update your devices and software regularly to decrease the chances of security vulnerabilities
- Make sure you have advanced, regularly updated antivirus software installed on all the computers that handle customer data to keep hackers, viruses, malware, keyloggers etc., away from your files
- Encrypt your customers’ data with on-the-fly encryption software that lets you work with the encrypted files as if they were in plain text format
- If you access your customer database from other devices, such as tablets or smartphones, make sure those devices are protected
- Back up your customer database in case the computer that stores it gets damaged, lost, or stolen
- Create a data breach response plan for dealing with the consequences of a possible breach
8. Data must not be transferred outside the UK without proper protection
If you need to transfer your clients’ data to countries outside the EEA, it is your responsibility to arrange proper protection for that data, especially if that country does not maintain the level of data protection the Act requires. Let’s say you have a business partner in a country outside the EEA. Assigning jobs to him requires you to email him contracts that contain details of your customers. If that country does not have the same level of data protection legislation in place that the DPA requires, it is your sole responsibility to make sure that customer data sent to your foreign partner is properly protected in transit.
I hope this article has managed to sum up what your responsibilities are as a data controller and will help you comply with the principles required by the Act.
Adam Csorghe is Communications Manager at East-Tec, an award-winning company producing privacy and security products and solutions since 1997.