I hated writing this article and you’ll hate reading it but at least we can make this a little fun, huh? To make you feel better, check out the pic above of a fun-looking rollercoaster.
GDPR is one of those annoying things in the back of everyone’s mind, that no one really wants to bother with. But at the same time, we are all forced to deal with it.
In this article, we’ll talk about freelancer GDPR and how it affects your freelance business both in terms of client projects, and if you have a website that potential clients might visit.
My goal is to provide you with a quick overview and a way to sort it out quickly. Keep in mind that I am not a lawyer and you shouldn’t take this advice as perfect. Speak with a lawyer if you are in doubt.
After writing this article, I went through the steps for my own business in about 20 minutes and it was fairly painless.
With that out of the way, let’s jump into the quick and dirty essentials.
The quick and dirty overview
The overarching idea is that you need to get someone’s consent before collecting their data and handle it with respect.
The simplest way to remember this is to treat data like you would want someone else to treat yours.
If you hate getting emails about Russian mail order brides waiting for you, don’t share someone else’s email either. Not really rocket science, huh?
For now, that is only for data from Europeans but if you’ve been following the blog, you’ll know that focus and big wins are important.
For most of us freelancers, it isn’t worth it to separate non-Europeans from Europeans on our website because our gains will be too small.
We are in a relationship-based business, so it is unlikely that you’ll lose much by treating all of your data according to GDPR, whether that person is European or not. You’ll probably be operating at a higher ethical standard than GDPR requires anyway.
As a freelancer, you’ll likely be handling data from client projects (most of the time that means you are a data processor, in fancy GDPR terms) and data from client leads on your website (for which you are the data controller).
If you don’t have a website, it’s a bit easier (another great reason not to create a website for your freelance business until you absolutely need it).
Because this is an article about getting yourself sorted out quickly, let’s get right down to business.
How to be freelancer GDPR compliant (steal my template)
All the resources I could find basically said the same few things. It might not be the full picture but it is a good start for now. Keep your hands close to your body because this rollercoaster is gonna go fast!

The first step is to fire up Google Sheets or steal my template (click File > Make a copy), and list what software you are using in your freelance business that stores data (e.g. Google Analytics).
Next, you’ll need to list out who has access to what software – that could for example be partners or clients (yeah, this is fun — I know!).
The third step is to map out what kind of permission you have to store the data (e.g. did the people on your email list allow you to email them, and did they sign up with double opt-in?).
Next, you’ll have to list where the servers of the software you use are located. If you don’t know (who does!?), a place to begin is by googling the name of the software + GDPR since most software has a GDPR-page nowadays.
Save that in your sheet. Another option is saving something called the Data Processing Addendum (DPA for short), which is a document describing how each business handles data.
I’ve added a bunch of them to the spreadsheet template, so you can delete those you don’t need and add the rest (if any).
The fifth step is to consider how you access your software (e.g. don’t use a public PC at the library).
Encrypt your devices so they aren’t easy to access for strangers (you should do this for yourself anyway).
Speaking of encryption, maybe it’s time to create different passwords for different sites going forward?
At one point, I met a guy who had a hacker almost steal a ton of money.
It turned out that the hacker had been secretly emailing the bank from his account for weeks to set the gig up. He (yeah, I’ll assume it’s a he) claimed that someone in the family died and they needed to transfer money for the funeral.
The bank almost did it but ultimately called another family member and that’s how they discovered it.
I like Dashlane because it stores your passwords in one safe place and all you need to do is remember one master password.
It can also help you create passwords you can’t remember (that’s how you know they are safe!), like sjkcvbnfd491!!$#@#. You can easily use it when you create a new account somewhere and it can store the logins safely and sync between your phone and computer.
It also has a VPN service built-in which you should be using when you visit a cafe in public, anyway.
I’ve played around with a few different options and found Dashlane to have the best balance between being safe and easy to use day-to-day (email me if you are interested and I’ll see if I can get you a discount).
Oh, and protect your (client) stuff against malware and viruses. This shouldn’t be anything new. There are a bunch of great free options out there. I’ve been happy with AVG antivirus but I’m sure there are many other great options as well.
The eighth step (I think?) is to back up your shit! When I moved abroad I created this little mini-system I’ve been happy with. It isn’t for everyone but you might enjoy it if you like simplicity.
The rule of thumb in the system is not to store anything on your computer. A great side effect is that I can get a lot done on the fly (e.g via my phone) because I’ve set everything up to sync instantly.
I began doing it because I didn’t want to lose anything in case my computer got stolen but it seems like it is a great fit with GDPR, too.
Basically, I store everything in my Google Drive, so files are only on my computer if I’m working on them, and even then they usually aren’t (e.g. with Google Sheets, nothing is stored locally on my computer). And if I’ve been working on a file, I upload it to Drive right after.
For fun, GDPR also requires that our cloud storage be in a country that the EU designates as having the right regulations.
That is all of the EU/EEA. The USA is only OK under the US Data Privacy Shield (we both know that you’ll never click that link and I don’t blame you, it’s boring as hell).
You need to let people know if their data is leaving the EU/EEA, but it doesn’t seem to be prohibited as long as it is transparent.
Here’s a sample sentence you can use: hey client, just wanted to let you know that the data you trusted me with have been sent to the Mexican drug cartel – enjoy your day.
The last step applies mostly if you have a website but consider it for your client’s information like their email address as well.
When people signed up for your email list, did they sign up via a double opt-in? You’ll want to use those either way because you’ll benefit from an email list of high quality rather than a lot of subscribers.
Double opt-in simply means that if someone signs up for your email newsletter, they will get an email where they have to click confirm to allow your emails.
If you have a tick-box, is it pre-ticked? That isn’t allowed – people have to tick it themselves. It also can’t say something like “tick to opt-out”. They can’t be opted in automatically.
It is also important to be specific about what people sign up for in terms of communication. Apparently, we have to tell them how often we’ll be emailing or contacting them (which can be difficult if we don’t even know ourselves and it might change as your business evolves).
And of course, it has to be easy to unsubscribe (I’m looking at you, SEMrush!)… But why stop here when we are having so much fun?
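One way to implement the double opt-in, unticked-box and easy-unsubscribe rules from the last few paragraphs, as an added example that is not part of the original post. It assumes a constructed placeholder secret and an in-memory dictionary standing in for your real subscriber database, and keeps a consent record (what was signed up for, how often you said you’d email, and when it was confirmed) so you have something to show if “they” ever call:

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional

SECRET = b"replace-me-with-a-long-random-secret"  # hypothetical placeholder; keep the real one in config
TOKEN_TTL = 24 * 3600  # confirmation links stop working after a day
@dataclass
class ConsentRecord:
    """Evidence of consent: who agreed to what, how often, and when."""
    email: str
    purpose: str    # e.g. "freelance newsletter"
    frequency: str  # e.g. "about once a month", exactly as stated on the form
    requested_at: float
    confirmed_at: Optional[float] = None
    unsubscribed_at: Optional[float] = None
SUBSCRIBERS: Dict[str, ConsentRecord] = {}  # in-memory stand-in for your database
def _sign(email: str, issued: int) -> str:
    return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()
def signup(email, consent_ticked, purpose, frequency, now=None):
    """Form submission: refuse unless the box was actively ticked (no pre-ticked
    boxes, no 'tick to opt out'); return the token for the confirmation email."""
    if not consent_ticked:
        return None
    now = now if now is not None else time.time()
    SUBSCRIBERS[email] = ConsentRecord(email, purpose, frequency, requested_at=now)
    return f"{int(now)}.{_sign(email, int(now))}"
def confirm(email, token, now=None):
    """The click on the link: only a valid, unexpired token marks the record
    confirmed, so nobody ends up opted in automatically."""
    now = now if now is not None else time.time()
    issued_s, _, sig = token.partition(".")
    if not issued_s.isdigit() or email not in SUBSCRIBERS:
        return False
    if not hmac.compare_digest(sig, _sign(email, int(issued_s))) or now - int(issued_s) > TOKEN_TTL:
        return False
    SUBSCRIBERS[email].confirmed_at = now
    return True
def unsubscribe(email, now=None):  # mailing stops, the record stays as proof
    rec = SUBSCRIBERS.get(email)
    if rec is None:
        return False
    rec.unsubscribed_at = now if now is not None else time.time()
    return True
def may_email(email):  # run this before every send
    rec = SUBSCRIBERS.get(email)
    return rec is not None and rec.confirmed_at is not None and rec.unsubscribed_at is None
```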
Last, set something up that asks the website visitor if cookies are cool with them (no, not your mom’s cookies! Web cookies).
Here’s a plugin for WordPress that seems to do the trick.
The bonus step (I’m kidding, it’s actually mandatory) is to update your privacy policy. Here’s a sample template you can almost copy-paste.
All the other articles I could find on the topic were either as shitty as this one or boring as hell. One that seemed OK was this checklist.
If “they” ever call you about GDPR for your freelance business, at least you have a sheet showing that you’ve been trying to do something about it. Some of the information we are required to find is pretty damn difficult to get.