GDPR and Working with Freelancers / Contractors

Transcript of the Video

Good evening to you all. Suzanne Dibble here, data protection law expert, coming to you raw and uncut from Singapore. Hot, humid, sweaty Singapore, so if I look a little bit less ... well, that's not true, is it? Because I don't look glamorous at the best of times, but if I look even less glamorous and a little bit more sweaty, that's why it is. It's about ... well, it was 34 degrees today. It's obviously now a little bit cooler, but still quite humid.

Anyway, I'm just going to do a very quick video tonight, because I didn't get any sleep on the plane last night, but I just saw a really interesting question in the group, so thank you for that. And the question was about somebody who ... well, it was somebody who had a ... she was a therapist and she had a mixture of employed therapists working for her, and self-employed therapists working for her, so contractors. Presumably, people that she got in on a more of a temporary basis. Sorry about the noise in the background there. And she said, "I assume that GDPR applies to those freelancers," those contractors, whatever you want to call them, "in the same way as it does to our employees."

Now my view on this, and it is an area that you won't find ... if you Google it, there isn't that much commentary on this area, but my view is very much that if you are working with contractors and people where you're not paying their tax for them at source, they're paying their own tax and they're registered with the revenue themselves, then, in that case, they are a separate legal entity to you. And if they are processing data, personal data, under your instructions, then they are a data processor, and officially, you should have a data processor agreement in place with them. You should have done your due diligence to make sure that they will be GDPR compliant and have adequate security measures, etcetera, etcetera. They are treated differently to your employees who are obviously within your organization and you don't have to put processor agreements in place with.

I've actually been considering this in the context of the multinational that I'm consulting with at the moment because they have a large, a huge number of contractors. They have a huge, huge, huge number. I don't know, they've got something like 140,000 employees worldwide, but they also have a huge number of what they call contingent workers. And until I started thinking about this issue, I think they too had been proceeding on the basis that it would be exactly the same for the employees and for the contracted staff. I said to them, "Well, no. I don't think that is the case."

As we've looked into it further, you know, it raises a lot of issues because, certainly for companies that do have a large number of contingent workers, it means going out to each of them individually, getting them to sign processor agreements, and making it clear to them that, as processors for example ... Now, don't get me wrong. Not every contractor is going to be a processor, okay. Many contractors will not deal with personal data, at all, but for those that do and where they're a processor, then those processors, those contractors, need to be aware of their liability as a processor. And as we know, you know, I've done a separate video on the liability of processors under GDPR.

So I think it is, it's an issue. And I think, with the strict interpretation of the law, if you have a freelancer or a contractor, and they are processing personal data under your instructions, then you need a processor agreement with them, and you need to make sure they're GDPR compliant and all the rest of it.

So in answer to the question that was in the group, I replied, saying no, those freelancers are not treated the same as employees. You need to think about what role they have with you. Are they processing data under your instructions or, occasionally, they might be a data controller in their own right, or they might be both. It's quite possible to be both, but you need to think about that, and I think for the larger organizations that have hundreds and hundreds, if not thousands, tens of thousands, hundreds of thousands of contingent workers, contractors, freelancers, whatever you want to call them, it's going to be a real issue. So I'll be really interested to follow this area and know what the practical solution is. I'll let you know because as part of the work, the consultancy that I'm doing, this is something that we as a project team are now turning our attention to.

So, yeah, it's not quite that straightforward, unfortunately, as just treat them all as employees. So that's all I want to say this evening. If you have got a mixture of employees and freelancers, just note that there is that distinction. Think about whether your freelancer is a processor, and then obviously go and watch my video on processors and how you need to deal with processors. Are they a data controller in their own right? And then, obviously, they need to be thinking about their own compliance with GDPR, and they might be a processor at the same time. So it's an interesting one.

So love to know your comments on that. Do you hire lots of freelancers or contingent workers? Have you thought about that before? Is this a new area that you're thinking, oh my goodness, I've now got to go and put in processor agreements with these people? Let me know your thoughts on that. But with that ...

I should just say, as I finish off, thank you for all of your orders for my pack. Honestly, it's been going absolutely crazy here because we've got this price rise at midnight tonight. You know, thank you. Thank you for trusting me with helping with your GDPR compliance. But the price is going up at midnight. Midnight UK time, not Singapore time, so you have got a few more hours to go and buy the pack if you haven't already. After that, it goes up to £147. And the reason is just to get you to start taking some action because now is the time. You've got two months to go. You need to start getting your house in order and taking some really positive steps to compliance.

So well done on those of you who've already done it and are well on ... I know from the comments in the group, some of you are, you know, I was going to say well on the way. Some of you, you've done it all. You've been brilliant. So for those of you who haven't yet, then do go and grab the GDPR pack before midnight UK time tonight, before the price goes up. The link for that is in the pinned post. If you've got problems with paying, just drop us a message and we will sort you out. We'll make sure that you get the pack at the £97 introductory price if you get in touch with us before midnight tonight and there's some reason why you've got a problem with payment. We will sort that out for you, so don't panic.

So I think that's it. Thank you very much, as ever. Thanks for, again, all the ... Honestly, my brain has not had such a workout ever, I don't think. You're asking some brilliant, brilliant questions and it's just ... my only regret is that I just can't get round to answer all of them. There are so many great questions, but I just can't do it. But keep them coming because even if I can't answer them, I think people are so well versed on ... from my training and from having watched my videos, that they're giving good answers. I do keep an eye on them, and if there's one that I notice is wrong, I will correct it, so, yeah. Anyway, thank you very much, guys, and I will catch you soon.