Contractors’ Questions: Does GDPR require contractors to register?
Contractor's Question: As freelance contractors, do we have to register under the GDPR? There are many examples of organisations which have to comply with GDPR, but very few of these relate to sole-person businesses, such as sole traders or limited companies.
I keep my ‘personal data’ in a single Excel file. It's data on past and present clients, added chronologically, containing client/business names, addresses, contact details, payment terms and any specific client requirements. I’m sure GDPR is not really aimed at people like me and situations like mine, but that doesn't necessarily mean that I don't have to register, does it?
Expert’s Answer: The EU General Data Protection Regulation (GDPR) is aimed at all organisations or individuals who hold or use personal data for business or other organisational activities, regardless of their size or structure.
So, as a freelancer who holds personal data relating to your clients, the GDPR as a whole will apply to you. You will have similar obligations whether you are a sole trader or a limited company. The GDPR applies from Friday May 25th 2018 -- exactly one month yesterday!
General GDPR requirements include using personal data fairly, identifying the purposes for which you hold it, letting individuals know what you do with their data, not holding more data than you need, deleting it when you no longer need it, and keeping data up to date and secure. Registration requirements are, however, a separate consideration, which I have outlined below.
Based on what you have listed, your GDPR obligations and associated compliance risks may not be as extensive as some other organisations, who may, for example, hold larger quantities of data, more sensitive types of data, or use personal data in more privacy-intrusive ways. But that does not mean that you have no compliance risks, and you will still need to identify your uses of personal data, and apply GDPR requirements to these activities.
It is worth adding that, to the extent you assist your clients with their own data-processing activities, or otherwise hold or use personal data on behalf of your clients, you will have additional responsibilities under the GDPR, as well as contractual obligations to your clients.
In relation to registration, the GDPR itself does not require a general data protection registration for any business or organisation (although it does require consultation with authorities in some situations). However, in the UK, there will be a requirement for some organisations to pay annual data protection charges, and provide basic information, in accordance with the Data Protection (Charges and Information) Regulations 2018.
The annual fees must be paid to the UK data protection regulator (the Information Commissioner's Office), and are tiered between £40 and £2,900 depending on the number of staff and turnover of a business. There are several exemptions to this requirement, including where a business only uses personal data to keep internal records of sales, purchases and other transactions. Based on what you have listed, you may well fall within an exemption and not be required to register (but you should check this).
However, importantly, exemption from the requirement to pay annual fees does not exempt you from any of the general GDPR obligations, as described above. So you will still need to take action to comply with the GDPR in time for May 25th 2018.
The expert was Olivia Whitcroft, a solicitor and principal at OBEP, a law firm specialising in data protection and technology laws.