Getting ready for GDPR as a freelancer, Part 1
Before I say anything, I’ll say the following: this is not legal advice. All that follows is merely what I’ve done in order to prepare my business of one for the GDPR.
Generally speaking, freelancers are most likely not the target. However, I do believe we should work to comply as best we can. Not only because of the information you store and process in order to run your business, but also because your clients need to be sure that the way you process data on their behalf lets them keep working with you.
As an EU citizen myself, and having read a fair amount of what GDPR means, I am excited about it and grateful to be living under the law of the EU that puts us as consumers first and before the profits of businesses. As a solopreneur, I am grateful to get a kick in my bum to finally think about how I run my business and implement proper processes. Additionally, it gave me an incredibly good reason to get in touch with all of the people I met in the past.
From what I understood, there are different requirements for how one handles data based on whether one is a processor or a controller. As a freelancer, you’re most likely both, given you process your clients’ data and they will have to make sure you and your business are compliant with the GDPR. In some industries, you might have fewer touch points with personal data you process on behalf of your clients. As a community strategist, I mostly deal with people’s personal information, and thus it’s important I make sure I do it in a way people feel comfortable with.
One more thing before I dive into my processes: you should note that in the following paragraphs, I talk about clients and customers, and that a client and/or a customer is anyone I hold any sort of information about, regardless of whether there has been a monetary transaction between me and them or not.
This article summarizes what I have done and how I have prepared. I hope it’s helpful to you and your freelance business. The process is most likely not over just yet, given that many companies have only updated their data privacy policy and their terms and conditions in the past couple of days.
First of all, what does GDPR mean and what are you required to consider? There are several rights of EU citizens you must comply with.
Right to be forgotten, which means that if someone emails you asking you to delete all the information you have on them, you must do so within 30 days. This most likely excludes people you had a business transaction with, given it’s mandatory to preserve tax-related information for a certain number of years. (It’s seven years in Austria.)
Right to object, which means they can object to a company’s processing of any personal data concerning them, which also includes profiling based on that processing.
Right to rectification, which means they have the right to request changes to their data to make sure it’s correct.
Right of access, which means your customers (whether they paid you or not) must be able to access all information you hold about them.
Right of portability, which means you must give your customers all data you hold about them if they request to receive it, be it to work with someone else or to store their data somewhere else.
Here is what I have done in the past seven days to prepare for GDPR. I’d appreciate it if you’d send me an email if you notice something I forgot or where my process is not according to the rules. Any tips, help, and feedback are welcome:
Structure your data
Before I started doing anything about any sort of services or data, I decided to go through all my documents, sort them out, and delete anything and everything I didn’t need anymore. I made a folder structure and sorted all information accordingly. Now I have a structured folder for each client, sorted by year. It simply feels amazing, even though the five days I spent doing all this really didn’t.
Given I had all my documents spread across Google Sheets and my Dropbox, I decided to use Dropbox as the only place where I keep documents. I decided to download all the documents I had in Google Sheets, and to do the same with every document once my work in it is complete. While I’ll continue using Google Sheets for work in progress, I’ll be storing all finished documents for seven years in my Dropbox.
Excel sheets with contact details
Among the documents I stored, I found a number of Excel sheets I used to collect email addresses and contact details of people. Most of the time when I worked on behalf of a client, I was responsible for the outreach and thus generated many leads and contacts. I used to save these email addresses in Excel sheets because you never know when you might need someone’s contact again in the future. Often, people email me asking for contacts of people who could help them with something, and I am usually able to think of someone, which is why keeping people’s contact details has always been important to me.
From what I found out, it’s okay to keep lists with contact details of media people. They’re usually business email addresses, and thus it’s B2B anyway. I looked through all these lists and made sure I only have their name, their email address, and the name of the publication they write for. I named these Excel sheets based on the type of content these journalists write about and made a dedicated folder in my Dropbox to store them.
I then took all the other contact lists and wrote them one last email to inform them that I’m deleting their contact details and that I’d like to connect with them on LinkedIn, where it’s more of an equal decision for both of us whether we want to be on the platform or not. Most people of course ignored my message. I guess everyone has received more than enough emails in the past couple of days, and thus my email might have slipped people’s attention. Which is fine. From time to time, it’s good to make a clean cut.
Mailchimp, which is the service I use for my newsletters, has introduced extended data protection features, and given one needed to actively opt in to comply, I decided to have everyone who still wanted to hear from me sign up to a new list. I knew I’d lose many of my past contacts and people who wanted to hear from me; however, I also knew those who chose to opt in once more would really want to hear from me.
This is how Mailchimp suggests one deals with the data protection changes:
However, I felt like a new beginning would kind of make sense, so I created two new mailing lists. One for other freelancers, where I’d share learnings about freelancing, and another, more client- and work-related one, for me to share case studies and work processes that I thought others could benefit from knowing. In recent years, I haven’t published as many case studies as I used to, and I wanted to have a dedicated outlet to position not just my books for freelancers, but also my work as a community strategist. From what I’ve realized, most people don’t really understand what I do, and it’s about time for me to change that. :)
Give away in exchange for data
Just like everyone who works in marketing or wants to sell their products, I used to have newsletter pop-ups on my website and also collected email addresses in exchange for the digital files of my books. According to GDPR, that’s not legal, and thus I decided to cancel my SumoMe account, which is how I collected people’s email addresses.
Additionally, I needed to go through my website and make sure I changed all the copy that invites people to sign up in order to receive the files in exchange. Not just on the static pages of my website, but also in all my blog posts. As you can imagine, a lot of work.
Decide what information you collect via your website
My website is hosted on Squarespace, and thus the moment they released their latest GDPR-compliant updates, I reviewed all functionalities and decided to remove the Activity Log and also disable Analytics cookies. Given my website’s purpose is simply to represent who I am and what I do, I don’t think it’s actually necessary to collect any of that information, given I don’t process it in any valuable way. Instead of helping the frightful five collect more information about people interested in my work, I decided not to collect it at all. At the end of the day, the core of my business is to deliver value to my clients, not to help others use their data to sell them more.
On the same grounds, I’ve also decided to disable the comment function on my blog. People are still able to send me an email anytime, but the commenting culture is not as active as it was just seven years ago. The way we interact online has changed, and thus I don’t think this is such a big deal.
Update your terms and conditions and your data protection policy
For decades, it’s been required for all businesses based in the EU to disclose various information about the company publicly and to have an easily accessible imprint (Impressum in German). Nevertheless, and given the rules for what must be included have slightly changed, it makes sense to review one’s terms and conditions.
As a solopreneur, it’s not very likely you’ll get a custom one from a lawyer, and thus you might want to look for a generator that will help you create one. For Austria, I found an Impressum generator on Firmenwebseiten. They also offer one to help you generate a data protection policy. However, given I only found theirs after I had already paid for another one, I ended up with a paid service.
Audit what software you use
Most of all, review how and whether you want to use it in the future.
This step should probably be done right at the start of all your efforts. However, it’s so much work that I did everything else before I finally started dealing with this task.
You’ll need to write down all the software you use to process and manage data and make sure you have their DPA (data processing agreement). I’ve decided to review the DPA of all the services I use, print it out, and store it in my documents with a note of the date I downloaded it.
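As an added example (not part of the original post, and not any vendor’s own code), here is a small Python script that ties this audit step back to the rights listed earlier: it keeps a record of which services hold personal data and whether a DPA is on file, and it tracks requests under the right to be forgotten and the right of access using the 30-day deadline and the seven-year Austrian tax retention the post mentions. The names, dates, record descriptions and the "ExampleCRM" service are constructed sample data; the DPA URLs are the ones quoted in this post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Deadlines and retention periods as stated in the post: 30 days to act on a
# request, seven years of tax-record retention in Austria.
REQUEST_DEADLINE_DAYS = 30
TAX_RETENTION_YEARS = 7


@dataclass
class Processor:
    """A third-party service that handles data on the freelancer's behalf."""
    name: str
    purpose: str
    personal_data: List[str]            # categories held there; empty if none
    dpa_url: Optional[str] = None       # None if the vendor has published nothing
    dpa_downloaded: Optional[date] = None


@dataclass
class StoredRecord:
    """One piece of information held about a person, and why it is held."""
    subject: str
    description: str
    location: str                       # which service or folder holds it
    tax_relevant: bool = False          # invoices and payouts fall under tax law
    dated: Optional[date] = None        # transaction date, drives retention


@dataclass
class SubjectRequest:
    """A request from a data subject (erasure, access, portability, ...)."""
    subject: str
    kind: str
    received: date
    completed: Optional[date] = None

    def deadline(self) -> date:
        return self.received + timedelta(days=REQUEST_DEADLINE_DAYS)


def retention_expires(record: StoredRecord) -> Optional[date]:
    """Date after which a tax-relevant record may go; None if nothing holds it."""
    if not record.tax_relevant or record.dated is None:
        return None
    year = record.dated.year + TAX_RETENTION_YEARS
    try:
        return record.dated.replace(year=year)
    except ValueError:                  # 29 February in a non-leap target year
        return record.dated.replace(year=year, day=28)


def erasure_plan(records, subject, today):
    """Split a subject's records into what to delete now and what must stay."""
    delete, keep = [], []
    for rec in records:
        if rec.subject != subject:
            continue
        expires = retention_expires(rec)
        if expires is not None and expires > today:
            keep.append((rec, expires))   # legal hold: tell the subject why
        else:
            delete.append(rec)
    return delete, keep


def overdue_requests(requests, today):
    """Open requests whose deadline has already passed."""
    return [r for r in requests if r.completed is None and r.deadline() < today]


def missing_dpas(processors):
    """Services that hold personal data but have no DPA on file."""
    return [p.name for p in processors if p.personal_data and p.dpa_url is None]


def access_report(records, subject):
    """Everything held about one person, for a right-of-access reply."""
    return [(r.description, r.location) for r in records if r.subject == subject]


# Constructed sample inventory; the DPA URLs are the ones quoted in the post.
PROCESSORS = [
    Processor("Mailchimp", "newsletters", ["name", "email"],
              "https://mailchimp.com/legal/privacy/", date(2018, 5, 25)),
    Processor("Freshbooks", "invoicing", ["name", "address", "invoices"],
              "https://www.freshbooks.com/policies/security-safeguards", date(2018, 5, 25)),
    Processor("Issuu", "book previews", []),            # holds no personal data
    Processor("ExampleCRM", "hypothetical contact tool", ["name", "email"]),
]
RECORDS = [
    StoredRecord("Jane Example", "invoice #2015-03 (name, address, amount)",
                 "Freshbooks", tax_relevant=True, dated=date(2015, 3, 1)),
    StoredRecord("Jane Example", "newsletter subscription (name, email)", "Mailchimp"),
]
REQUESTS = [
    SubjectRequest("Jane Example", "erasure", date(2018, 5, 20)),
    SubjectRequest("John Example", "access", date(2018, 4, 1)),
]
TODAY = date(2018, 5, 25)

if __name__ == "__main__":
    delete, keep = erasure_plan(RECORDS, "Jane Example", TODAY)
    print("delete now:", [r.description for r in delete])
    print("keep until:", [(r.description, str(d)) for r, d in keep])
    print("overdue:", [(r.subject, r.kind) for r in overdue_requests(REQUESTS, TODAY)])
    print("no DPA on file:", missing_dpas(PROCESSORS))
```

Run as a script it prints the erasure plan for Jane’s request (the newsletter record goes now, the invoice stays until 1 March 2022 under the tax hold), flags John’s access request as overdue, and lists the one service holding personal data without a DPA. The point of keeping the inventory in one structured place is that the same data answers all five rights: access and portability read `access_report`, erasure runs `erasure_plan`, and the processor list is what you hand a client who asks where their data went.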
Here is the list of the software and third party services I use:
Squarespace
Squarespace is my website host. I’ve mentioned above what changes I have made. I use Squarespace to represent my business and to collect email addresses to send promotional emails about my services and products.
Here is their DPA: https://www.squarespace.com/dpa/
Mailchimp
Mailchimp is the software I use to send promotional emails about my services. I keep two lists. One is addressed to fellow freelancers, and the other one I use to send out case studies and information relevant to my past clients and the people who one day might want to become my clients.
I only request people’s name and their email address, and the simple opt-out Mailchimp offers feels like the fairest solution for people to unsubscribe with just one click. Mailchimp is also one of the two places where I keep, and plan to keep, personal details of people in the future. The other one is Freshbooks, which again is business information.
Here is their DPA: https://mailchimp.com/legal/privacy/
Google Docs
I use Google Docs for projects I work on actively and collaboratively. I share documents with people I work with on other teams. Once I finish working on a document, I file it in the archives on my Dropbox and delete the original Google Doc. I no longer use Google Docs to process people’s contact details for projects in which I research press contacts.
Here is their DPA: https://services.google.com/fh/files/misc/gdprwhitepaperenglish.pdf
Freshbooks
Everyone who’s been in a monetary exchange with me has a record in my Freshbooks account. Under Austrian law, I am required to store all tax-related information for seven years. Freshbooks is a Canadian company, and given this is where I store the most sensitive data, it’s also important to me that they process my clients’ data in a sensitive way.
I really love Freshbooks because it helps me keep organized like no other software out there. Given my usual data mess, using Freshbooks has been revolutionary.
Here is their DPA statement: https://www.freshbooks.com/policies/security-safeguards
Loydolt&Partner
Given I am not naturally the most organized person, I use all the help I can get. My accounting is done by Loydolt&Partner. Even though I sometimes send them tough emails, they’ve really been a great tax accountancy to work with.
Here is their DPA statement: https://www.schweitzer-partner.at/datenschutz
Mention
I use Mention to track news, updates, and mentions of my name and my projects. I don’t process or store any customer information on their service besides having them track my name.
Skillshare
While I upload classes to Skillshare, I don’t own the platform or any details about the people who have subscribed to my classes. The team at Skillshare has done an amazing job promoting my classes to their community, and thus I’m happy with the service as it is. I don’t store or process any sort of personal data.
Nevertheless, and given I receive money from Skillshare each and every month, I keep their data for tax reasons.
LinkedIn
As we all know, LinkedIn is probably the biggest data mine out there, where people publicly display more private information than they do on Facebook or Instagram. Nevertheless, it’s a professional network, and thus all who decide to connect with me there do so on professional terms. I don’t save any information about people that I find on LinkedIn and thus can only access what people decide to publicly display on their profiles at any given time.
Here is their DPA: https://www.linkedin.com/legal/privacy-policy
Issuu
I use Issuu as an archive for the preview pages of my books. Unfortunately, they have not published their GDPR compliance statement just yet. Fingers crossed they’ll do so soon.
Twitter
I used to have a pinned tweet in which I asked people to sign up to my mailing list in exchange for their contact details. I needed to delete that tweet. While on it, and given I don’t really give a crap about my Klout score, I’ve also decided to delete all my past tweets. Theoretically, I am still keeping my liked tweets. If the people who wrote them decide to delete them, I will lose access to them as well.
There are free services that allow you to delete your latest 3,200 tweets in one go. I decided to use the app https://www.gocardigan.com/. It will take a couple of days to get a clean account, but given I’ve already previously tried to get rid of my past tweets, it’s pretty good to now actually do that. I don’t know what normal people would do with my Twitter history, so the people who care about it are probably not up to any good.
Last but not least, I used this opportunity to revoke access to all the various apps accessing my Twitter profile. You can do so here: https://twitter.com/settings/applications
Given I link to my Twitter profile through a social widget on my website, I have a paragraph about Twitter in my terms and conditions, as I have a plug-in on my website too. I don’t save any people’s information I find on Twitter and thus can only access what people decide to publicly display on their profiles at any given time.
If you want to read Twitter’s DPA, it’s here: https://twitter.com/privacy
Facebook
I’ve not really been a fan of having a business presence on Facebook for a long time. I remember the time I worked for an agency and we first persuaded our clients to run ads so that people would become their fans on Facebook, because it would be cheaper. Then, not even six months later, we had to go back to these exact clients and ask them for budget to reach the fans on Facebook they had already paid for.
I deleted all my Facebook pages. I only have a personal profile on Facebook, which I don’t use for any business-related data exchanges. Additionally, I’ve also enabled two-factor authentication for logging in.
Instagram
Those who follow me on Instagram know it’s one of the platforms that’s significant to me online. I have been an active user since early 2011 and thus have seen the platform grow and evolve from the start. I don’t just share pictures on Instagram; I also embed them on my website through a feature Squarespace offers directly. I don’t store any information people publish on Instagram except my own.
The platform has changed direction significantly in recent years, and I’m currently just observing how I want to use it in the future. I’m grateful they must now allow me to export all my information whenever I request it, in case I’ll want to use a different photo-sharing platform in the future. I’ve also enabled two-factor authentication.
Here is their DPA statement: https://help.instagram.com/519522125107875
EyeEm
EyeEm is a wonderful stock image marketplace. I regularly upload pictures and receive royalties in return. While I upload a decent number of pictures to this platform, I don’t actively participate in its community, and thus the only data I store is the data that allows me to process EyeEm’s payments to comply with Austrian tax law.
Foursquare and Swarm
I love Foursquare and Swarm; however, given it’s been impossible for me to find out how best to include something about their service in my data protection policy, I’ve removed all social widgets from my website. I don’t use the platform to store or process any personal information.
LaunchRock
I have a landing page on LaunchRock which I have been trying to get deleted. I’ve gotten in touch with their customer support because, unfortunately, it’s impossible for me to log in and do anything about that page.
Trello
I use Trello for all of my personal project management and to coordinate with teams. Given Trello’s servers are in the US, I’ve reviewed all my boards and cards to make sure they don’t contain any personal information. Additionally, I’ve archived boards I no longer need and left the ones I no longer need to be part of. I’ve also enabled two-factor authentication.
Here is Trello’s DPA: https://trello.com/privacy
Slack
Another piece of software I use in my day-to-day as a freelancer is Slack. Let’s face it, every team needs a place to share GIFs. Personally, I haven’t connected Slack to any other software. It’s a work-in-progress kind of place where, if anything, one might share drafts of copy or links to Google Docs that still require the owner’s login details. Additionally, Slack messages are deleted after one has reached the limit of 10K.
Here is their DPA statement: https://slack.com/intl/de-de/gdpr
G Suite
First of all, I pay for my Google services. Google claims that their G Suite services are fully compliant with GDPR. Email is of course tricky, because we send and receive so much data and also a great number of various files, and thus I feel one should above all make sure the way one accesses one’s email is secured. I’ll talk more about it below.
You can read more about it here: https://cloud.google.com/security/gdpr/
Google Calendar
For years I used the calendar of my private Google account; however, I am switching my calendar to my business email address to make sure it complies with the GDPR requirements.
Dropbox
Last but not least, I use Dropbox. Based on my research, Dropbox is one of the organizations certified as compliant with the new ISO 27018 code of practice for the protection of personally identifiable information (PII) in public clouds. I use Dropbox to store all my clients’ and customers’ data so that I am able to be transparent about what I store. I want to make it easy to transmit information or delete it if needed. Additionally, I have enabled two-factor authentication to access my Dropbox account.
Here is Dropbox’s DPA statement: https://www.dropbox.com/de/help/security/general-data-protection-regulation
Install a VPN service
If you haven’t done so already, you should install a VPN service. Whenever you log into a Wi-Fi network outside your home (and even in your home), it might be pretty easy for hackers to steal data you store and process, be it your customers’ data, your credit card details, or even the access to your online banking. No one wants that, and thus using a VPN service is unavoidable. Your clients will be grateful you’ve taken precautionary measures and made sure all data you process is safe. If you need more reasons to finally opt in for a VPN service, you might want to read Tobias van Schneider’s article on data security.
The next challenge of course is choosing which VPN service to go for. Tobias’ suggestion was TunnelBear; however, they were acquired by a US-based company just a few months ago, and thus I decided it wouldn’t be such a smart choice. I asked my friends and then went with ZenMate. It’s a German company, and knowing how cautious the Germans are when it comes to data, it felt like a good choice.
Use a password manager
This is another thing on my “yes, I should probably do that” list of things I’ve been putting off for years and simply never took the time to deal with. I’ve now finally signed up for an account with 1Password. Given I run an online business, I would say I consider this a must, but you know how it goes with stepping out of one’s comfort zone. It simply took some time to actually follow through. And so, here you go, I’m finally a 1Password customer.
Securing your hardware
Last but not least for this post, I’d like to nudge you to secure and encrypt all the hard drives you use. You can find a detailed report here: https://www.apple.com/business/docs/iOS_Security_Guide.pdf
You’ve reached the end of the first part of my report on all the measures I took to make sure my business is GDPR compliant. If you have any comments or see something I could do better, please don’t hesitate and send me an email. I’m currently working through the following list: https://www.linkedin.com/pulse/gdpr-plan-do-you-have-yours-liz-henderson/
How have you been dealing with GDPR? I cannot wait to hear some encouraging stories. I feel like we should found an online “book” club to discuss our experiences.