
Complying with data laws when engaging with freelancers

Businesses must ensure contracts have all the relevant clauses relating to data protection when enlisting independent workers.

Originally published on People Management.


Published 1 July 2021


With the gig economy’s rapid expansion, the implications of engaging freelancers have become a regular news item – from the Supreme Court’s recent ruling regarding Uber’s classification of its workforce to the government’s support for businesses reliant on independent consultants during the current pandemic.

Less discussed, but equally important for businesses, are the data protection implications to consider where freelancers are given access to any personal data controlled by the hiring business. This might include contact details of its customers or the names of its staff members.

Unlike employees, freelancers are third parties who will likely constitute ‘processors’ of the personal data controlled by the hiring business. In that situation, both the hiring business and the freelancer share the responsibility for entering into a set of mandatory contractual clauses concerning data protection. These should ideally form part of the contract under which freelancers are engaged.

Although many such agreements omit these clauses, failure to include them carries significant risk, potentially resulting in fines of up to £8.7m or 2 per cent of worldwide turnover (whichever is greater) imposed by the Information Commissioner’s Office (ICO).

The mandatory clauses are required under UK GDPR. Specifically, the contractual provisions must detail what personal data the relevant freelancer will process on behalf of the hiring business, which groups of individuals the personal data relates to, how long it will be processed for, and what the nature of the processing is.

The agreement must also include obligations on the freelancer to:

  • Process the relevant personal data only on the basis of the hiring business’s written instructions;
  • Commit to confidentiality obligations regarding the personal data and implement appropriate security measures to protect that data;
  • Assist the hiring business in its data protection compliance;
  • Delete or return the personal data to the business at the end of the engagement;
  • Not engage anyone else to process the personal data without the hiring business’s prior consent; and
  • Permit audits and inspections by the hiring business or its auditors.

Simply requiring freelancers to abide by a business’s own internal privacy policies – while certainly good practice – will not in itself meet the statutory obligation of having in place the contractual clauses detailed above.

Tempting though it may be simply to copy and paste the relevant provisions from the UK GDPR into freelancer agreements, this will be insufficient. Recent guidance states that the agreement must elaborate on what specific measures the freelancer will have in place to ensure an adequate level of data security. It should also require a regular review of the effectiveness of these measures and prevent the freelancer from making any changes to them without the hiring business’s approval.

It is additionally worthwhile stipulating that transfers of personal data outside of the UK must only be undertaken in compliance with the UK GDPR, since this is currently a hot topic on the ICO’s enforcement agenda.

Not all independent contractors will constitute ‘processors’. For example, professional service providers such as lawyers or accountants will likely be data controllers in their own right. In that scenario, there is no statutory obligation to include particular clauses in the agreement with such contractors.

In most situations, however, individual freelance consultants engaged by a business will likely be processors and will therefore need to enter into agreements containing the mandatory clauses. While this may complicate the engagement process, it will also help to protect your business by ensuring that every freelancer engaged is sufficiently trustworthy and has the measures and resources in place to minimise the significant financial and reputational risks to a business of a personal data breach.
