One of the biggest changes to the EU's approach on privacy is the fact that the GDPR applies to businesses of all sizes — including freelancers. While your responsibilities as a freelancer in Austria aren't quite as wide-ranging as they are for companies, you have a legal obligation to meet them.
In order to fully understand your responsibilities, it's important to understand what the GDPR is.
What is the GDPR?
The GDPR aims to standardise how privacy regulations are managed across the EU. Before, the rules relating to data protection differed slightly in member states. Now, however, all EU nations are subject to exactly the same rules.
But the biggest objective of the GDPR is to give individuals more control over their own personal data. Anything that can be used to identify an individual is regarded as personal data, which includes addresses, IP addresses, email addresses and shopping habits. The GDPR also regards personal issues such as religious beliefs, sexuality and relationships as private.
EU citizens now have the legal right to ask companies and freelancers for details of the personal data that is held on file. Moreover, every freelancer and business must provide the information without delay — and free of charge.
The GDPR went live on 25th May 2018, so your responsibilities in relation to consumer privacy must be upheld now. The largest companies could face fines of up to 20 million euros for failing to comply with the GDPR. While freelancers can expect a degree of leniency and time to comply, it's important to ensure that your processes are fully compliant. Technically, you could be fined for serious breaches.
Who needs to comply with the GDPR?
Businesses and sole operators (freelancers) that handle personal or sensitive data on EU citizens must comply with the GDPR. As a freelancer in Austria, you probably need to make a few changes to your own operations — even if you don't think you do. If you have addresses, client names, telephone numbers, social media profiles or any customer data in your business, you need to comply with the new rules.
Preparing your business for the GDPR
EU officials responsible for the GDPR have said that freelancers and small companies in particular will be given time and a degree of flexibility at first. That said, making the necessary changes to your own operations is essential. Repeat offenders — even freelancers — are likely to face fines for failure to comply.
The best thing you can do is read the GDPR in full. However, it's a very large document, so it's probably not something you can do in a day. To summarise, the new regulations demand more transparency with regard to personal data. Requests from consumers with regard to disclosure of their private data must be answered as soon as is practicably possible.
As a freelancer who holds the private details of others, you have to be more careful with them than before. It is your responsibility to protect them from falling into the wrong hands — and you certainly can't hand them over to third parties without the permission of the individual.
How to stay on the right side of the law
In reality, complying with the GDPR isn't too difficult for a freelancer in Austria. Follow these four basic principles to ensure you're never prosecuted for a breach of the regulations.
Keep records of all data
It is vital that you keep a full record of every bit of personal data you collect during the course of doing business. If you can't provide data when you're asked for it, there's a reasonable chance you'll be fined. If you're accused of failing to disclose a person's data, you could be fined two percent of your annual turnover.
Secure all the data you hold
Once you have a person's data, it is your legal responsibility to keep it safe — from theft, fraudsters and damage or loss. The GDPR holds all freelancers accountable for data safety. Your data should be encrypted or stored safely behind passwords. But digital data is not the only concern: the GDPR also covers letters and other confidential papers. To keep them secure while still having them at hand in your working area, use a file cabinet that you can lock. If you're found to have been negligent with the personal data of someone else, there's a chance you could be fined.
Only collect the data you need to
The GDPR states that there must be a valid reason to collect personal data. For example, it is reasonable to collect and store data from a website contact form — as the consumers themselves submit the information. However, under the terms of the GDPR, you need to demonstrate the reason for collecting the information. Don't ask your clients for information you're never going to use.
Get consent for data collection
In order to collect and store data on an individual, you must have their consent — even if you're using cookies on your website to improve the user experience. What is different now is the opt-in nature of data collection. Your customers should be able to tick a consent box on a website; consent can never be assumed. You should also ensure that any consent boxes you use aren't pre-ticked.
Crucially, there is a retrospective element to the GDPR. Data that was collected prior to the May 25th launch cannot be used now if it was acquired in a way that contravenes the new regulations. You therefore might have to get consent for the data you already hold. To ensure you're compliant, reach out to all the people you hold data on, and ask for their continued permission.
These regulations are not about punishing freelancers and businesses — they're about protecting the public from unscrupulous operators who invade the privacy of people in the EU. As long as you're doing everything in your power to comply with the GDPR, you don't have anything to worry about.