GDPR for Contractors: What’s the Impact?

After what seemed like years of build-up, the General Data Protection Regulation finally came into force on the 25th of May 2018.

As a result, businesses across the UK and much further afield are changing the way they collect, handle and use personal data from their customers or clients. But what many people forget to mention is the impact on contractors. Fortunately, Contracting Scout is here to help.


GDPR – An introduction


The General Data Protection Regulation (GDPR) is a new piece of legislation from the EU. As mentioned, it was implemented on 25th May and it applies to how data is collected, handled and used. Here’s a brief overview of what it entails:

  • In the UK, a new Data Protection Act is now in force, replacing the previous Act, which had been in place since 1998.
  • GDPR applies to any business in the EU, or that trades with EU businesses or citizens.
  • It applies to personal data, which is anything that can be used to identify an individual – including social, cultural, economic or genetic information.
  • Non-compliance can result in a fine of up to €20 million or 4% of annual group income – whichever is greater.

Here are some of the ways GDPR is tightening data protection:

  • Companies must document explicit consent from consumers outlining exactly what data will be collected and how it will be used.
  • Only data with a specific purpose should be collected.
  • Consumers have a right to be forgotten, so businesses are obliged to delete their data when requested.
  • Businesses are liable for any data breach on their behalf, so they must make sure any external controllers and even software are compliant before using them.


Does GDPR apply to contractors?


No doubt the first question on every contractor’s mind will be whether GDPR applies to them. In short, yes it does. In fact, one of the key points with GDPR is that it applies to everyone who processes, stores or transmits personal data belonging to EU citizens.

To remain compliant, businesses will have to ensure contractors are aware of their GDPR processes and data handling obligations (which will differ from company to company). Failure to do so will leave the business liable for any data breach.

For most contractors, being compliant will simply mean acting responsibly when collecting, handling or using people’s personal data. In response to the new rules, contractors collecting data for their own business will need to make clear why that data is being collected, gain explicit consent to collect that data and delete any data they no longer need.


Data processors vs controllers – which are you?


One key point in GDPR is the difference between data controllers and data processors. Data controllers are the main handlers of data on behalf of a subject. That means they’re responsible for why and how data is used. They’re usually the company that the data is being collected by.

Processors, on the other hand, are contractors, such as third parties, who process data on behalf of controllers. They can’t change the purpose of the data, so they’re not responsible in that sense. However, they are responsible for adhering to any contractual obligations the controller has in place.

More often than not, as a contractor working with a client on the client’s own systems/network you are not the business actually collecting the data and therefore are acting as a data processor. While this doesn’t reduce your obligations to follow GDPR rules, you will in fact follow the processes laid down by your client rather than write your own. It’s therefore important that if you’re handling client data, you review your obligations and if necessary have them written into your contract.


Legitimate interest vs consent


Another GDPR factor is that of legitimate interest vs explicit consent. Legitimate interest is outlined as one of the lawful reasons for processing data. It applies when data controllers can justify data processing where, based on the context, customers can reasonably expect that processing for a specific purpose may take place.

As an example, think of a recruitment company, who will hold your data. Using this data to contact you or passing it onto a client for recruitment purposes could be seen as within legitimate interest. Essentially, contractors would reasonably expect this process to take place when giving their data to recruitment companies.

However, a company might choose to gain your explicit consent (i.e. tick a box on a form) for them to send you newsletters. You will often find this type of consent on sign-up forms. This is a more heightened form of data collection under the GDPR rules, as it enables a company to prove consent was given if challenged.

When choosing whether to use legitimate interest or explicit consent, it’s important to weigh up the reasonable expectation that you will collect relevant data in the course of performing a service, against your business desire to use that data in future.


GDPR will affect some contractors more than others


There are a few types of contractors for whom GDPR compliance will have more impact day to day, namely IT contractors & marketing consultants. With physical data storage, such as filing cabinets, hugely problematic for data protection, IT & ongoing marketing systems are at the heart of GDPR compliance. As a result, any companies hiring IT contractors or marketing experts will want to know that they’re familiar with GDPR and how processes must comply with the regulation.

If you run your own consulting business and you store personal data, you will need to comply with GDPR as a controller. With GDPR still largely an unknown to most contractors, it’s important that you are up to speed with it and follow the guidelines and policies put in place by your end client; don’t put your client at risk by failing to understand their obligations.

There is currently an increasing number of opportunities for IT contractors and these recent changes can only improve the situation for GDPR contractors. Now more than ever, companies will be looking to bring in IT contractors to implement new data collection and storage systems in line with GDPR.

Robert Half found that 64% of CIOs are in fact planning to hire temporary staff to cope with GDPR. It’s no surprise, then, that IT Jobs Watch found that the prevalence of ‘GDPR’ has shot up as a key requirement in adverts for IT contract job vacancies.


Give yourself the GDPR edge


Depending on your circumstances, it could be hugely beneficial to gain GDPR certification. However, it’s important to remember that there is no official body that provides GDPR qualifications. While many contractors will claim to be experts, businesses are looking for something they can depend upon. Essentially, certification allows you and the businesses engaging you to evidence your knowledge in the field.

Certification could also benefit other contractors, such as accountants or marketing specialists. Because they will typically collect and handle data on behalf of organisations, companies will again be looking for certification they can rely on. At a time when demand for GDPR-compliance is rising fast, it could set you apart from the competition and provide a constant stream of work.


Can we help?


At Contracting Scout, we understand the challenges of contract work – from legislative changes to securing a mortgage. That’s why we offer a wide range of expert contracting services to help you succeed as a contractor – and beyond. If you’re looking for practical and reliable information on any aspect of contracting, be sure to get in touch with our team, who will be happy to help. To speak to a member of our team call: 0203 603 1878.
