[reblog from Christina, co-founder, Museum Freelance Network]
I hosted a Twitter chat on the Museum Freelance account about the upcoming GDPR (General Data Protection Regulation) legislation that comes into force on 25 May 2018 (search for #museumfreelance).
The legislation was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy” (www.eugdpr.org).
I’ve got to admit, it’s at times like these that I wish I was back in an organisation where someone else could take responsibility for trawling through the details, breaking it down into something meaningful and relevant for the organisation and where the workload for implementation was shared with colleagues. But I’m not, so I can’t – the buck stops with me! And really embracing it is the way forward – seeing it as an opportunity to tidy up, question what you are doing and why, and plan your approach going forward.
Many freelancers I’ve spoken to have been concerned, baffled or intimidated (or head-in-sanding) about the new legislation and its impact on how they run their business. And also it’s clear that the legislation is being interpreted in many different ways. So having been recommended a GDPR expert in the Facebook group GDPR – Shared Resources, I set up a Twitter chat to tackle questions specifically about GDPR and freelancers. A big thank you to Annabel Kaye, founder of Irenicon (a specialist HR and employment law consultancy) for joining us and answering our questions. Annabel has spent the last 18 months helping micropreneurs get ready for GDPR and runs a number of dedicated GDPR support groups you can join.
My main takeaways from the session were:
- don’t delay, get prepared
- start with an audit
- what you do needs to be relevant to your business – templates or a one-size-fits-all approach isn’t what it’s about (although they might be a helpful starting point)
- it’s something you will need to revisit and work on as your business evolves
- the 3Ss: “Seek only what you really need. Secure it and don’t share it unless people know you are.”
- “Treat people’s data with respect, secure it and don’t abuse it.”
- “It’s a mindset, not a checklist at the end of the day.”
Below are the questions we put to Annabel and her answers. Please bear in mind this is general guidance and Annabel doesn’t know your individual situations, so we do not accept any liability for any reliance you place on the guidance. At the end are some links to additional resources you might find useful.
What are your top tips for freelancers who don’t know where to start and/or feel overwhelmed by GDPR?
“Just start with working out what information you hold where – it is called a map or audit but it doesn’t have to be tricky.”
Are there resources that take you through a step-by-step guide of what businesses need to do in order to be GDPR-compliant that you recommend?
“We have a free checklist aimed at micropreneurs, solopreneurs and freelancers. It comes free if you sign up via https://koffeeklatch.co.uk/gdpr there is a pop up. You can unsubscribe after if you want to.”
The ICO documents and advice feel very ‘large scale’ business focused – e.g. freelancers aren’t going to employ a data protection officer. How can sole traders best distil it down to something manageable and relevant?
“Remember 3 Ss. Seek only what you really need. Secure it and don’t share it unless people know you are. Treat people’s data with respect, secure it and don’t abuse it. It’s a mindset change not a hundred policies and checklists.”
What’s ‘reasonable’ when it comes to making sure that freelancers are compliant with sufficient measures in place? Is there a minimum ‘line’? Are there real risks of being fined?
“ICO has said year 1 they will be advising rather than fining. Like speeding tickets, you may find you don’t get a ticket ever or you could be the poor person that gets one. It won’t be instant.”
Do freelancers need some kind of privacy statement on their websites and email footers? If so, where can we go for guidance on this?
“You can write your own or buy one but be careful some are way too complicated for solopreneurs. We work with our GDPR groups to create ones that reflect how a particular industry works.”
“ICO guidance is really aimed at complex organisations with lots of data collection. Over the top for many tiny solopreneurs.”
“Privacy statements are needed but they don’t have to be long complicated documents.”
Do I need to encrypt my laptops or at least set up a password for particular folders that contain any personal data that I have e.g. from market research?
“Advise you to encrypt laptop and to set up separate spaces for personal work related data and your own personal use.”
“We did a free webinar on encryption a while ago. https://events.genndi.com/register/169105139238438867/662c02f066”
“Templates are not sticking plasters they have to reflect what you are doing and how you are doing it. In our groups we work together to create appropriate ones. But they don’t suit all ways of working. https://koffeeklatch.co.uk/gdpr”
Does my cloud storage need to have its servers in the UK, and if so, which clouds are acceptable (someone has suggested that Dropbox is not)? And linked to this: a freelancer has been advised that their online survey tools should have their servers in the UK. Is this correct? In which case they’ve been told SurveyMonkey is not ok?
“Your cloud storage needs to be in a country the EU designate as having adequate regulation. This is all of EU/EEA. USA is only OK with the addition of the US Data Privacy Shield. You need to let people know if their data is leaving the EU/EEA but not prohibited if transparent.”
“Dropbox have Data Privacy Shield and now agree all packages will be secure. You still need to let people know if you are exporting their data and sometimes you need specific consent.”
“Servers in other countries can be used if EU views country as having secure laws (there is a list) and if contract provides for security – again as long as individual knows before completing survey data is going outside EU/EEA.”
What key things should freelancers working in research and evaluation fields be mindful of, especially when collecting personal data through surveys? How will prize draw rules be changing?
“Minimise, anonymise, secure should be your mantra.”
“The client is the ‘data controller’ and is responsible. You are the ‘data processor’ when doing research and are also responsible.”
“The client should design to minimise data privacy impact and anonymise. Unless it is your job to design in which case you should.”
“Prize draws already covered by lottery regulations and existing marketing rules (PECR) – often ignored!”
“Approach with caution and customise your request. ICO site has some samples but they are not very marketing friendly. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/”
Are there time limits for storing personal details from people who have booked onto an event or taken part in research, or how do we judge when to delete?
“Store data no longer than necessary. Some have fixed time limits – eg HMRC tax related data.”
“Sometimes your insurer requires you to keep for a particular time.”
“If the research builds up over years or decades you will need to keep it to enable the work to be completed.”
“Your ‘data retention’ period(s) should be decided in relation to your legal obligations, your contractual and insurance obligations and the natural cycle of your work. Don’t hoard stuff in case it comes in useful.”
“The more data you keep the more you have to secure, store, and sometimes update since you have an obligation to keep it accurate (probably not if doing historic research).”
Do freelancers need a written-down policy to show what measures they are taking to be #GDPR compliant?
“You should keep a record of your data audit/map and what you have done to secure your data, restrict it or otherwise comply with #gdpr. That is not a policy but a record.”
“GDPR is a process, not a policy. You will need to revisit your decisions and data map as your business changes and grows. It’s a mindset, not a checklist at the end of the day.”
Additional resources on GDPR that freelancers might find useful:
- The ICO (Information Commissioner’s Office) has a GDPR guide called Eight practical steps for micro business owners and small traders which is a useful starting point.
- The ICO also has a 12 step guide about preparing for GDPR and what to do now, as well as two handy checklists depending on whether you are processing personal data as a ‘controller’ or a ‘processor’ (a controller “determines the purposes and means of processing personal data” and a processor “is responsible for processing personal data on behalf of a controller”; see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/). These are good places to start, but the website has lots more information to trawl through too.
- AIM’s (the Association of Independent Museums) success guide on Successfully managing privacy and data regulations in small museums.
- The Market Research Society has some resources on GDPR that are worth a look if you undertake research.
- The Arts Marketing Association have a guide from The Audience Agency on GDPR (more relevant to marketers).
- If you use Mailchimp they have guides and tools on GDPR.
- The Institute of Fundraising’s information on GDPR.
- NCVO’s guide to GDPR might be useful if you work with charities and voluntary organisations.
If anyone else has any guides or tips they’d like to share that I can share with the Museum Freelance Network, please get in touch.