- 20 May 2019
Accurate data is the lifeblood of any business. It helps make sense of events and supports decision-making. The same applies to your contingent workforce data, too. If you know who your organisation is already working with and the skills they have, then you’re in a better position to select the right person for a project. Or decide to search for someone new.
The problem is, managing a couple of freelancers is one thing. But 20, 100, 1,000? That’s a different matter – particularly if they’re located all over the world. Plus, if you’re dealing with freelancers based in the EU, you need to comply with the General Data Protection Regulation (GDPR).
GDPR – an overview
This EU-wide law came into effect on 25 May 2018 and is aimed at giving individuals more control over their personal and sensitive information. Every business should be compliant by now. However, according to IT specialists Q2Q, “...40% of SMEs are still unsure about the rules and regulations surrounding GDPR.” That’s a worrying figure – particularly as organisations could risk huge fines of up to €20 million, or 4% of total worldwide annual company turnover (whichever is higher).
At its core, the GDPR calls for organisations to be clear about the specific data they’re collecting, what it will be used for and who’s going to view it.
Essentially, it’s grounded in seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (i.e. security); and accountability.
The Information Commissioner’s Office (ICO), which is responsible for GDPR compliance in the UK, has some very good information on its website that’s fairly easy to digest. It’s worth taking a look if you haven’t already. There are also some handy tools and checklists – more details can be found at the end of this chapter.
However, at the most basic level, it breaks down like this. First, you need to decide if you’re handling personal data. Most organisations are, on some level, regardless of size. Then you’ll need to work out whether you’re a controller, joint-controller or processor.
This will depend on your own situation but the ICO states, “Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.”
You need to define the lawful basis upon which you’re processing personal information too. Is it based on consent, contract, legal obligation, vital interest, public task or legitimate interest? At least one of these will apply. You should also document everything, along with your reasoning. The ICO is the best place to start, as it provides a lot of guidance to help you.
The bottom line is that action can be taken if you misuse personal information, experience a data security breach, or are otherwise found not to comply with the regulations. However, if you’re organised, have everything well documented, store data in secure GDPR-compliant systems, regularly review the data, and have processes in place to deal with data requests, then you’re better placed to prove compliance.
As one might expect, there’s a great deal of detail in the legislation, so it’s always best to get legal advice for your own circumstances. However, on the plus side, ensuring freelancer data is GDPR-proof can have knock-on benefits for your organisation. But it needs to be viewed as a business-wide issue.
Don’t dump GDPR on HR
Freelancer data should be treated with the same due care as employee data – or any other individual’s personal data for that matter. This means GDPR isn’t just the domain of the HR department but the responsibility of everyone in the business. You can read more about why human capital is the responsibility of every department here.
That’s why it’s important to know who within the organisation is already working with freelancers and how they’re currently storing and processing that information. How they collate, retain and secure data is critical.
You’ll potentially need to reconsider and tighten up every aspect of your engagement with freelancers, from sourcing and hiring to the onboarding process and ongoing data management. It might also mean reviewing your contracts (think IR35 here too; see “What is IR35?”).
Part of the process is also to make sure that all relevant persons in the business are educated on the importance of keeping freelancer contact details safe and secure – and giving them the means to do so.
Provide the right tools
A key part of compliance is ensuring the business has the right tools for the job. This means that freelancer data needs to be stored in a secure, encrypted system and not on a spreadsheet. The latter risks being copied to different computers, USB sticks or similar, shared via email or printed out, which could easily result in a data breach.
Whilst it’s possible to use your own database, you’d need to be confident that it was fully GDPR-compliant with security and privacy embedded at its core. Alternatively, a compliant professional Freelance Management System (FMS) might be the best way to go. Secure, password-protected platforms should also provide controls over who can access the data so it doesn’t fall into the wrong hands.
Having a single centralised system – particularly a secure cloud-based system – also has the added benefit that it’s easier to share data with authorised individuals, wherever they’re based. No emailing spreadsheets or USB sticks involved. That means more control over the data and it significantly reduces financial and reputational risks.
Pro tip: whichever cloud service you use, you’ll need to check where the data is actually stored. If it’s in data centres outside the European Economic Area (EEA), make sure that the country in question has what’s known as an adequacy finding. If the company concerned is based in the US, are they certified under the Privacy Shield framework? If none of these apply, then there are alternative safeguards, as pointed out by business lawyer and GDPR expert Suzanne Dibble: “The main existing way to safeguard personal data when it’s being transferred internationally and none of the above safeguards apply, is to enter into standard contractual clauses that have been pre-approved by the European Commission.”
Process and maintain data
With a robust FMS in place, it’s easier to develop strict workflows and procedures to standardise the whole process, from the information being requested from freelancers to secure payment methods. This also includes ensuring that all documentation, such as contracts and agreements, is obtained in a timely manner.
In terms of GDPR rules, if a controller uses a processor (e.g. a client uses a freelancer) to process personal data (such as customer or prospect data), then according to the ICO '...there must be a written contract (or other legal act) in place'. An FMS ensures that all documentation like this can be kept safely stored in one place.
Not only does this help with compliance, but it’s also very efficient. Plus, there’s the added benefit of access to up-to-date information that’s far easier to filter and search. Having the whole talent pool at your fingertips saves endless hours trying to find the right person with the right credentials. No more wasted time asking colleagues if they know of a good freelancer for your project.
And, if freelancers can also access their data via this password-protected system, they can make sure their details are accurate. Not only will this cut down data requests, but it also offers a way to collaborate and communicate with your flexible team. With the ability to always add new skill sets, it’s the perfect way to keep the relationship going as new projects emerge or evolve.
Data retention and removal
Under the GDPR rules, data should only be retained for as long as is necessary (unless it’s anonymised). An individual also has the right to have their data erased if you no longer need it (known as the ‘right to be forgotten’).
However, the latter only applies in certain circumstances – it doesn’t apply, for example, if there’s a legal obligation to keep the data or it’s needed to establish, exercise or defend a legal claim. You need to consider your other GDPR obligations when deciding if you should delete personal data.
The GDPR doesn’t state a time limit for how long the different data types can be kept; that’s been left to organisations. The key is that you’re able to justify the data you’re retaining, the time period, and how often you review it. A retention policy will help you do this. You can find more information on the ICO website.
Summary
GDPR may seem like a headache but it offers opportunities beyond compliance. Having control and oversight of all your freelancer data means you’ll spend less time finding the right person and more time getting projects completed, faster. Greater efficiency means there’s less drain on resources and more productivity overall.
On a deeper level, taking good care of freelancer data engenders trust and a high degree of professionalism. It demonstrates that you’re transparent, accountable and ethical in your data practices. And that means you’re more likely to attract and retain the best freelancers – as well as get the most from your talent pool.
Disclaimer: This chapter is for educational purposes only. The information contained within it does not constitute legal advice. Any use of this information is at your sole discretion. You are advised to obtain independent expert advice from a lawyer.
Useful Resources
Information Commissioner’s Office (ICO)
ICO data protection self-assessment toolkit
ICO lawful basis guidance tool
EU GDPR (official document)

Floris ten Nijenhuis