GDPR for Contractors: Think Beyond Your Employees

Do you consider GDPR for contractors when you lay out your data privacy strategy? If up until now, your compliance with the General Data Protection Regulation (GDPR) has had a narrow view, Forbes recommends that 2021 is the year organizations become more “deliberate in their interactions to make sure all their data’s competing interests are satisfied.” 

Ever since the regulations came into place back in 2018, organizations have been performing gap analysis assessments and investing in data security and privacy tools. However, many of these activities have been entirely employee-focused, and often organizations forget that freelancers, agencies and independent contractors also access their customers or employees’ PII (personally identifiable information) on a regular basis. As the number of breach notifications grows, with a cumulative €300 million  in fines during 2020, you can’t afford to have any gaps. Are your contractors a blind spot? 

Consider GDPR for contractors when designing your data privacy assessment 

It can be easy to disregard your freelancers from responsibility when it comes to setting up processes and protocols. After all, they aren’t your employees – what control do you really have over their actions, and why do you need to impart time and effort on policing their activities?

Nice try, but unfortunately – that’s just not how GDPR works.

The law takes into account two categories. First – the data controller. This is any person or organization who “determines the purposes and means of the processing of personal information.” Simply put, this is anyone who decides what PII needs collecting, and why. 

The other category is the data processor. This person processes the data on behalf of the controller. 

Any worker, whether a full-time employee, an agency to which you outsource, or a single freelancer could be considered as a data processor or a data controller under the GDPR.  

In some cases, freelancers might pose an added risk to GDPR compliance. For example, they might have their own tools and processes that they use to do their job, and put your company or customer information through these systems without thinking twice about how this impacts your data privacy. It’s therefore essential to ensure that any contractors who are considered data controllers or processors are working in a compliant way, just as you would for your employees.  

Can my contractors be data controllers or data processors?

Before you do anything else, you need to work out the status of your contractor. In some cases, they might not be a data controller or a data processor. Let’s say for example you hire a designer to draft some business logos for your brand. This person is unlikely to be handling PII – and they don’t need to be considered in your data governance strategy. However, as soon as they touch personal information of either customers or employees – we’re in risky territory. 

Data controllers

First, consider whether your contractors are data controllers (usually joint controllers) of the data with which they are working. As we described above, this means that they have autonomy over what data is collected, and what is done with that data. One good example here would be an accountant or a lawyer who has their own company and is contracted by you for your business needs. 

As the data controller, you hand over the financial data of your clients to the contractor, but while they are processing personal data under your instruction, they also have autonomy to work according to their own professional obligations. In this situation, if they were to need additional information to complete their task, they act as a data controller, too. One example is how they might choose the PII that they need, and request it from you as a joint-controller or even directly from the end-customer. Another is how, if they were to find any signs of illegality, they would be obligated to report it to the correct professional body and would not need your permission to do so.

Data Processors 

Data controllers have a lot more responsibility when it comes to GDPR than data processors. If your freelancers are data processors – you’ll only need to show that they have performed their role in line with the direction of the data controller. 

Here are some questions that can help you to determine if your contractor is a data processor. If you answer yes to any of these questions – the chances are, your contractors are data processors on your behalf, and you remain the data controller in regards to their work.

  • Are they processing personal data under your instruction?
  • Do you have the ultimate say over what data is collected?
  • Do you decide the lawful basis under which that data can be accessed or used?
  • Are you responsible for how long the data is retained, and how it is processed and stored?
  • Does your contractor have no interest in the purpose or result of the data processing?

What is a data sub-processor?

One final definition that could be helpful to understand is the data sub-processor. This role occurs if the data processor, let’s say a marketing agency who you have hired to create your website, contracts out the work to their own freelancer. In this case, according to the GDPR, a processor needs written authorization from the controller to pass on data to a sub-processor, and the data processor will still retain responsibility for any data breach.

Tips for GDPR for contractors

As a result of these complexities, it’s really important to ensure that you consider all non-payroll workers, from agencies and contractors to gig workers of any kind as part of your ongoing GDPR strategy. Consider the following best-practices:

Pinpoint the status of your contractors from day one: Before you onboard a new worker, consider whether they are a data controller or a data processor, and make a note of this classification. While a processor will only need to comply directly with the data controller’s instructions, a data controller will be taking on a lot more responsibility and risk. Please note that if you define your contractor as a data controller, it impact on how you need to pay your contractor.

Sign them on a data protection agreement: As you complete the onboarding process, it can be useful to have your contractors sign a data protection agreement. Include what data they will be accessing under what lawful basis, your expectations around what data they will utilize, and what your own obligations are as the controller or joint controller.

Assess their tools and processes: You must ensure that your contractors and freelancers take data protection seriously and have implemented appropriate measures to meet the Regulation’s requirements. You need to ensure their tools and processes used to process your data meet the GDPR guidelines.

Use back-to-back contracts where necessary: If your third-parties are using a sub-processor arrangement, a back-to-back contract is needed, which will include the subject matter, purpose and nature of the personal data, the duration for which it will be processed and also reaffirm the processor’s obligations. This will be similar to your original contract with the data processor.

Enforce an off-boarding process: Often when freelancers and contractors stop working with a company, very little is done to shore up the security gaps they leave behind. If your contractors have credentials to shared working spaces, SaaS platforms or access to company information – they need an off-boarding process the same as any other employee.