Collyer Bristow logo

LONGER READ

Data Protection

Complying with data laws when engaging with freelancers

Businesses must ensure contracts have all the relevant clauses relating to data protection when enlisting independent workers.

Originally published on People Management.

SHARE

Authors

With the gig economy’s rapid expansion, the implications of engaging freelancers have become a regular news item – from the Supreme Court’s recent ruling regarding Uber’s classification of its workforce to the government’s support for businesses reliant on independent consultants during the current pandemic.

Less discussed, but equally important for businesses, are the data protection implications to consider where freelancers are given access to any personal data controlled by the hiring business. This might include contact details of its customers or the names of its staff members.

Unlike employees, freelancers are third parties who will likely constitute ‘processors’ of the personal data controlled by the hiring business. In that situation, both the hiring business and the freelancer share the responsibility for entering into a set of mandatory contractual clauses concerning data protection. These should ideally form part of the contract under which freelancers are engaged.

Although many such agreements omit these clauses, failure to include them carries significant risk, potentially resulting in fines up to £8.7m or 2 per cent of worldwide turnover (whichever is greater) by the Information Commissioner’s Office (ICO).

The mandatory clauses are required under UK GDPR. Specifically, the contractual provisions must detail what personal data the relevant freelancer will process on behalf of the hiring business, which groups of individuals the personal data relates to, how long it will be processed for, and what the nature of the processing is.

  • The agreement must also include obligations on the freelancer to:
  • Process the relevant personal data only on the basis of the hiring business’s written instructions;
  • Commit to confidentiality obligations regarding the personal data and implement appropriate security measures to protect that data;
  • Assist the hiring business in its data protection compliance;
  • Delete or return the personal data to the business at the end of the engagement;
  • Not engage anyone else to process the personal data without the hiring business’s prior consent; and
  • Permit audits and inspections by the hiring business or its auditors.

Simply requiring freelancers to abide by a business’s own internal privacy policies – while certainly good practice – will not in itself meet the statutory obligation of having in place the contractual clauses detailed above.

Tempting though it may be simply to copy and paste the relevant provisions from the UK GDPR into freelancer agreements, this will be insufficient. Recent guidance states that the agreement must elaborate on what specific measures the freelancer will have in place to ensure an adequate level of data security. It should also require a regular review of the effectiveness of these measures and prevent the freelancer from making any changes to them without the hiring business’s approval.

It is additionally worthwhile stipulating that transfers of personal data outside of the UK must only be undertaken in compliance with the UK GDPR, since this is currently a hot topic on the ICO’s enforcement agenda.

Not all independent contractors will constitute ‘processors’. For example, professional service providers such as lawyers or accountants will likely be data controllers in their own right. In that scenario, there is no statutory obligation to include particular clauses in the agreement with such contractors.

In most situations, however, individual freelance consultants engaged by a business will likely be processors and will therefore need to enter into agreements containing the mandatory clauses. While this may complicate the engagement process, it will also help to protect your business by ensuring that every freelancer engaged is sufficiently trustworthy  and has the measures and resources in place to minimise the significant financial and reputational risks to a business of a personal data breach.

Authors

Latestfromtheteam

You are contacting

Raj Shah

Senior Associate

raj.shah@collyerbristow.com



    Subscribe

    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor

    FINDING OUR ARTICLES OF INTEREST? SUBSCRIBE TO RECEIVE THE LATEST CONTENT DIRECT TO YOUR INBOX

    Subscribe now
    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.