What’s the difference between a big business and a freelancer? When it comes to GDPR – not a lot.
That’s right – as freelancers, sole traders or small business owners, we face the same compliance expectations under GDPR as a large corporation.
The problem is, we’re not the same. When a new piece of legislation or regulation is introduced, we can’t rely on a helpful marketing department issuing us with a handy guide, or nip up to legal for a spot of advice. We’re on our own. Sitting in our home offices, trying to grapple single-handedly with one of the biggest pieces of legislation in data control that’s ever been seen.
There are around 2 million freelancers in the UK and 5.4 million microbusinesses, accounting for 96% of all businesses. It seems that GDPR puts a disproportionate level of pressure on these businesses, given we’re not able to hire additional resources and there’s a huge potential impact on lead generation thanks to the rules around the use of email marketing.
As freelancers ourselves, we’ve compiled some information from trusty channels and added some thoughts of our own. We’re not lawyers though, so always consult with a legal professional if you’re not sure.
But first, just in case you’ve taken a head-in-the-sand approach to GDPR so far, here’s the low-down on what it means.
GDPR stands for General Data Protection Regulation and it’s part of the Data Protection Act being rolled out across the EU (yes, despite Brexit), with a compliance deadline of 25th May 2018. It’s a good thing. It protects all of us from misuse of our personal data, and this is especially important for vulnerable people and children. It will make organisations and businesses think carefully about, and respect, the data they are allowed to have, using data only for legitimate purposes, not for commercial gain, political manipulation or to sell on to other companies. And thanks to the consent aspect, it ensures our data is held only by those we agree can hold it, for as long as we want them to hold it. The data in question includes names, email addresses, postal addresses, phone numbers, biometric data and any other personal details.
The big questions for freelancers, sole traders and microbusinesses are these:
What do we have to do?
How do we do it?
What impact will it have on our business?
We recommend that you start by asking yourself the following questions:
- Whose data do I hold? Likely answer – previous and existing clients, contacts made through networking, or prospects built up through research.
- Why do I hold their data/how do they benefit? Likely answer – mainly to update existing or potential clients, stay in touch, keep them as a warm lead, communicate new products, services and availability, and share mutually beneficial industry information.
- Have these contacts ever expressly given their consent in writing for me to do this? Likely answer – probably not. How many clients have written to you saying ‘please let me know when you have any new products or services or when you are free to do some work for me’? If they have, and you can produce this evidence, you’re home and dry. If you haven’t, you’ll need to implement a process.
- Where do I store this data and is it safe and able to be produced at short notice? Answer – for some freelancers or small businesses heavily reliant on email marketing, you may have data organised and in one place. But security is likely to differ widely.
And now… drum roll please… what to do and how to do it.
Working on the basis of the questions raised above, certain actions need to be taken.
1. Time for a spring clean. Emails, documents, lists. Do you have old client contact details sitting on a spreadsheet somewhere that you’ll never need again? Now’s a great time to review the data you have and delete what you don’t need, or can’t justify keeping. It’ll be a beneficial and therapeutic process, one which you’ve probably always intended to do but not got around to.
2. Have a good think about what you need data for and how holding this data benefits your contacts as well as you and your business. Perhaps even write up a few notes that can form a case for keeping the data – this will help focus your mind on the correct purpose for data keeping. If you don’t truly need the personal data, don’t request it or keep it.
3. Have those whose data you hold ever expressly given written consent that you can produce? If they have, keep the consent safe. If they haven’t, you’ll need to gather consent. This is where an area that can only be described as ‘grey’ emerges. You will need to email or write to anyone whose data you wish to hold and request their permission to do so. You are not supposed to lump everything in together (‘if you want to receive information about your order you’ll need to consent to marketing emails’) – big no-no. Pre-ticked consent boxes needing to be unticked – also a big no-no. Assumed consent based on ‘if you no longer wish to receive emails click here, otherwise we’ll assume you’re happy to continue receiving them’… this is where the waters get murky. The official line would appear not to support this strategy. But many businesses are interpreting this as acceptable and making this their strategy. Assuming consent where a client has worked with you previously and given you their business card would also appear to be deemed acceptable by some, but interpreted as not acceptable by others. The official and bottom line is, there’s no such thing as assumed consent – anyone for whom you hold data needs to give permission via a clear opt-in process.
Specialist email marketing companies like Mailchimp have ensured they are compliant with GDPR by enhancing their mechanisms for consent and withdrawal of consent, and through other initiatives. So if you’re using this or another GDPR-compliant third-party system, you’ll have peace of mind that you’re adopting best practice.
4. Review and upgrade your security. Introduce passwords on spreadsheets of data and robust passwords on computers, laptops and devices, back everything up to a secure cloud and encrypt data where possible. These are all crucially important in ensuring that you are compliant in protecting your clients’ and contacts’ data, aren’t susceptible to breaches (however unlikely it may seem) and are taking your responsibilities seriously.
5. Communicate. Best practice under GDPR dictates that you’ll need to explain and justify your need for data; state the purpose of the data; give assurances about the security of the data; and explain your clients’ or prospects’ rights around their data. This is best done in the email you send seeking opt-in consent.
Impact on business
Well, there’s no question that any freelancer, sole trader or microbusiness will see an impact on their business as a result of GDPR. It will require some investment of time and many of us don’t have much of this spare.
But crucially, it may impact our lead generation capability if contacts do not opt in to receive our communications – not through hostility, but through apathy: they may not have the time to respond to emails, or may have low interest in our product or service at that moment. At some point it may become relevant, but by then the contact is lost.
On the plus side, marketing efforts may become more effective, as the opt-in list becomes a highly engaged, clean, targeted database of prospects and clients keen to receive our communications.
Government department overseeing GDPR – the Information Commissioner’s Office
The Federation of Small Businesses for handy checklists
About the authors:
Elizabeth Hibbert is a freelance copywriter, blogger and marketing strategist specialising in working with web designers, marketing agencies and small businesses on creating engaging content.
Posy Brewer is a Voice Over Artist and Actor with her own broadcast studio with ISDN, Source Connect Pro, SCNow and Skype facilities. She provides voices and voiceovers for TV & Radio Commercials, promos, online and presentation videos, telephone on hold messages, video games, animation, Voice of God and much more.