How to tackle cyber risks in the age of GDPR
For digital businesses across all industries and markets, there are a number of risks that freelancers and contractors may face as a result of the new GDPR regulations.
In this article, Janthantha Kaenprakhamroy, founder of on-demand insurer Tapoly explores what you need to consider when embarking on new projects, contracts and activities to ensure you not only protect yourself against any risks of regulation breaches, but remain an attractive candidate for future work.
The impact of GDPR
With new General Data Protection Regulations (GDPR) now in effect for all EU Member States, organisations and professionals all across the world have taken major steps to ensure all personal data they retain is secure and that the data owners are aware of how their information will be used. This significant legislative act imposes various obligations on “data controllers” and “data processors” – these can be people and organisations, including businesses, who handle the personal data of “data subjects”, meaning identified or identifiable individuals, living within the EU. This new legislation has highlighted the challenges facing those working in the digital space and the potential risks they now face with regards to cyber security and regulation breaches. For digital freelancers and contractors who aren’t protected by wider organisation policies and procedures, the risk is tenfold. As a result, while working in the digital space you need to be taking immediate steps to protect yourself from potential risks in terms of how you work, how you store and manage data and how you protect yourself should anything go wrong.
In simple terms, GDPR is about the explicit consent of data storage, giving people more control of their personal and sensitive data and simplifying these rules so they’re the same across the EU. Data covered is either personal data (anything that can identify someone, such as a physical address, email address or IP address) or sensitive personal data (anything an individual may want protecting, including genetic or medical data, political affiliations, or religious or sexual orientation). It’s important that you understand what information you should have access to, what you’re able to do with it and how you need to manage it
Non-compliance of GDPR rules can result in a fine of up to 4% of annual global turnover up to €20 million for breaches of controller or processor obligations. You can also be fined up to 2% of annual global turnover up to €10 million, for not having your records in order, not notifying the supervising authority and data subject about a breach, or not conducting proper impact assessments. As such you must ensure you handle data with care and you are aware of the policies and procedures of the companies you work with, especially since they and you might have access to data on a one-off basis.
The Definition of Personal Data
Due to the nature of working externally, freelancers tend to acquire and retain a large amount of personal data and contact details. According to GDPR guidelines, personal data must be processed in a manner ensuring an appropriate level of security. This means that if this personal data is not stored correctly you could be putting yourself at risk of data breaches, and will be breaking GDPR guidelines. Freelancers and contractors aren’t generally covered by the same processes that traditional employees are when it comes to data protection regulations and are more exposed to a number of risks in terms of how they are protecting data.
Here are a few steps to making sure you as a freelancer or contractor are GDPR compliant:
- Document all the data you hold, including where you got it from and who has access to it.
- Read up on the ICO’s ‘Privacy Impact Assessments’.
- Review privacy notices you issue when collecting data – this may include email signatures or statements read out over the phone.
- Write up a document showing how you’ll lawfully use data – this can be published on your website for full visibility.
- Review how you acquire, record and manage consent to take data.
- Consider a system for parental/guardian consent for data involving children.
- Have an action plan to react to a data breach, including cyber insurance.
- If you operate internationally, provide clarity about where you are based.
When embarking on new projects, contracts and activities, you must ensure any digital data that you retain is stored in a secure, private and preferably encrypted folder, either online or offline. Any physical data should be stored in a locked cabinet, drawer or other storage facility that can’t be easily accessed by others. You should also be aware of any Bring Your Own Device (BYOD) guidelines that employers and organisations may have in place, and ensure you don’t breach someone else’s data protection policy through use of your own devices.
Further Issues to Consider
Alongside your GDPR plans, you should make sure you minimise the risks to you as a business from every angle possible by taking proper care throughout each and every project you undertake. This will serve to not only keep you compliant, but also make you a more attractive candidate for other organisations and projects in the future.
Some of the most common issues that freelancers can run into on a daily basis include:
Breaches of confidentiality – Knowing something about one client and inadvertently letting it slip to another client is a very real risk.
Negligence – Failing in your duty of care to your client, such as providing incorrect advice or making a mistake in your work. You can still be liable for this even if you deny any wrongdoing.
Intellectual property disputes – This occurs when inspiration may be perceived as too closely influenced by something else on the market, or even copied directly from it.
Defamation – Given that information can be published online with such ease, freelancers are increasingly aware of what they say when it comes to competitors or even celebrities to make sure they aren’t sued for defamation.
Insuring against disaster: What to consider
Whilst working in the digital sector, you should invest in insurance to help protect yourself in the event that a breach does occur, that you are not able to perform the job or that your relationship with a client turns sour.
It’s recommended that freelancers consider professional indemnity Insurance. This protects you against being sued by clients or former clients claiming that the writing, product or service you supplied was somehow negligent due to an error or accidental omission. Look for professional indemnity that also includes cyber liability, which is essential in order to mitigate the risks of GDPR non-compliance.
Digital freelancers should consider insurance as a protection against defamation and libel suits. While professionals will no doubt take care with the work they produce in regards to defamation laws, mistakes can be made. Content can be easily shared and incorrect statements can quickly spread, so you need to be protected should you fall foul of any regulations. This is especially relevant when working in or with editorial fields.
It’s also important to remember that older insurance policies won’t yet have been updated to meet more technologically modern needs and may not be entirely fit for current needs and requirements following the introduction of GDPR. Because of this, it’s essential that you check exactly what your insurances cover and that you flag anything you don’t believe will cover modern data protection regulations.
Annual Policies vs On-Demand Insurance
On-demand insurance is commonplace in some areas, such as temporary car insurance, but is a relatively new concept in the freelance and contractor space. Its introduction is likely to make it far easier and more convenient for you to remain protected during temporary projects as you only have to pay for insurance as and when you need it.
What’s more, as larger organisations will require their suppliers to adhere to more stringent rules and procedures following GDPR, having insurance in place may well become an essential requirement in the selection process, and could mean the difference between winning and losing contracts in the future. Many companies and organisations are already required to have insurance in place for themselves and some also require the freelancers and contractors they use to have their own professional indemnity and public liability insurance.
With GDPR placing a greater emphasis on protection against potential risks, particularly in the cyber-world, freelancers and contractors will need to move quickly to ensure they not only remain compliant, but are attractive candidates for future projects. The continued advancement of on-demand insurance for the sector will help ensure you can continue to survive and thrive in a new and challenging working environment.