What the GDPR means for the self-employed
If you are self-employed and want to ensure that you comply with the GDPR, the Digital department of DSM Avocats à la Cour outlines a few steps to be completed to achieve proficiency in data protection.
Since its entry into force in 2018, there has been much discussion of the General Data Protection Regulation (GDPR) and the general public is starting to become aware of the principles of data protection. The GDPR is a European Regulation that aims to protect the personal data of residents of the European Union. It aims to safeguard the private lives of European citizens by giving them greater rights and offering a frame of reference for the use that companies make of their personal data.
Does this apply to me?
The scope of application of the GDPR is extremely broad. It applies to any organisation that collects and processes personal data. It therefore concerns all companies, whatever their size or business sector. This means that as a self-employed person, you are also subject to and must comply with data protection requirements!
Whatever your status – sole proprietorship or small company – if you process personal data as part of your business, the GDPR applies to you. But don’t panic, if personal data does not form the core of your business, the measures that you must take to comply are not necessarily very onerous.
How can you ensure compliance?
There are several steps required for compliance. The first and most important is to understand the full extent of your data processing, so that you can identify the data, sort it, protect it, and enable data subjects to exercise their rights. These are the four main steps involved in compliance.
The obligations derived from the GDPR are split into two categories: firstly, the principles of data protection, which represent the foundations of the Regulation, and secondly, the best practices to be adopted.
What are the main principles of data protection?
- Lawfulness, fairness and transparency. When you collect personal data, you must do this lawfully (i.e. applying one of the six legal bases prescribed by the GDPR), fairly and transparently. The data controller must always act in good faith. The principle of transparency covers the information given to data subjects and, in particular, their current and future rights under the GDPR with regard to their personal data.
- Purpose limitation. When you collect personal data, this must be for specified, explicit and legitimate purposes. Data must not be processed in a manner that is incompatible with those purposes (for example, subsequent use for a different purpose).
- Data minimisation and accuracy. When you collect personal data, you must ensure that they are strictly necessary for the purposes for which they are processed. The data collected must also be accurate, i.e. a proper reflection of reality. This means that they must always be kept up to date.
- Storage limitation. When you collect personal data, you must ensure that they are not stored for an unlimited period. Data must not be held for longer than is necessary, and the storage period varies depending on the purposes for which the data was collected.
- Integrity and confidentiality. When you collect personal data, you must be able to guarantee an appropriate level of processing security. Security is ensured by appropriate technical and organisational measures (such as pseudonymisation, encryption, regular data backups, data access restrictions, etc.).
How can you ensure that the rights of data subjects are upheld?
The rights of data subjects are at the heart of the GDPR – you must be able to respect these rights and implement their guarantees.
Firstly, you must be in a position to provide full information to the data subject regarding the planned processing of their data. This information must be comprehensible and easily accessible. This is the right to information.
Secondly, the controller, i.e. the person instigating the processing, must be able to respond to requests to exercise their rights from data subjects whose data they are processing. These rights include the right of access, the right to rectification, the right to erasure, etc.
These rights all aim to give data subjects control over their personal data. The GDPR reasserts the rights of data subjects to control their data.
What good habits should you adopt?
Firstly, you should draw up a record of processing activity. The record is a centralised document listing all processing of personal data carried out in connection with the company’s business. It documents the key information regarding processing (purposes, category of data collected, time limits for holding the data etc.). It also makes it easier to deal with the requests of data subjects to exercise their rights, and to have an overview of the processing carried out within the organisation. It will be used to illustrate the compliance of any processing carried out in the event of a control.
Secondly, you should be able to identify the legal basis for the processing. The GDPR provides six of these, of which the best known is undoubtedly consent. This legal basis may only be used in the absence of one of the other legal bases (e.g. performance of a contract). In addition, consent must be given for each purpose that is defined, and may be withdrawn at any time by the data subject.
You must also analyse whether it is necessary to appoint a Data Protection Officer (DPO). The appointment of a DPO is only compulsory in certain cases, but it is always useful to consider whether it would be appropriate. The data protection authorities recommend appointing a Data Protection Officer (DPO) if you regularly process personal data. Based on your business, appointment of a DPO may be compulsory, necessary or secondary. It is worth bearing in mind that the costs associated with this appointment may be reduced if you share a DPO with other self-employed persons.
The DPO coordinates data management. They inform, monitor and train anyone required to process data so that this is carried out in accordance with data protection principles. The DPO has a purely advisory role, so you remain personally liable for your compliance with the GDPR!
What are the advantages of compliance?
GDPR compliance is obligatory, but it also offers the opportunity to consider your approach to data and digital transformation. There are several reasons to approach compliance as an opportunity.
The GDPR asserts the rights of data subjects and promulgates principles such as transparency, and therefore – first and foremost – it helps to enhance your brand image. The image of a company that respects data protection rules is one of a serious and responsible entity that is a trustworthy partner.
Secondly, the GDPR promotes more rigorous data management and thus enhances productivity. Better management of your company may help you to optimise investments by asking yourself the right questions.
Lastly, respecting the rules imposed by the GDPR provides reassurance for existing and prospective clients, which may represent a competitive advantage. The people you work with will be more willing to cooperate if they are sure that their data is subject to rigorous security measures.
Finally, please remember that non-compliance with the GDPR is sanctionable. The risk is as high for a self-employed person as for a major company. Fines may be up to EUR 20 million or 4% of turnover, in addition to severe reputational damage to your business. Compliance checks may be ad hoc or triggered by whistleblowing from disgruntled former employees or from competitors who believe that your non-compliance gives you a competitive advantage.
If you are self-employed, you now know how to ensure compliance with the GDPR. If you need help with measures to ensure compliance or have specific questions, get in touch with a lawyer specialised in the GDPR.
This article was prepared by the Digital department of DSM Avocats à la Cour*.
* Article translated from French by a BIL service provider