Complying with data laws when engaging with freelancers

Businesses must ensure contracts have all the relevant clauses relating to data protection when enlisting independent workers, says Raj Shah 

With the gig economy’s rapid expansion, the implications of engaging freelancers have become a regular news item – from the Supreme Court’s recent ruling regarding Uber’s classification of its workforce to the government’s support for businesses reliant on independent consultants during the current pandemic.

Less discussed, but equally important for businesses, are the data protection implications to consider where freelancers are given access to any personal data controlled by the hiring business. This might include contact details of its customers or the names of its staff members.  

Unlike employees, freelancers are third parties who will likely constitute ‘processors’ of the personal data controlled by the hiring business. In that situation, both the hiring business and the freelancer share the responsibility for entering into a set of mandatory contractual clauses concerning data protection. These should ideally form part of the contract under which freelancers are engaged. 

Although many such agreements omit these clauses, failure to include them carries significant risk, potentially resulting in fines up to £8.7m or 2 per cent of worldwide turnover (whichever is greater) by the Information Commissioner’s Office (ICO).

The mandatory clauses are required under UK GDPR. Specifically, the contractual provisions must detail what personal data the relevant freelancer will process on behalf of the hiring business, which groups of individuals the personal data relates to, how long it will be processed for, and what the nature of the processing is. 

The agreement must also include obligations on the freelancer to:

  • Process the relevant personal data only on the basis of the hiring business’s written instructions;
  • Commit to confidentiality obligations regarding the personal data and implement appropriate security measures to protect that data;
  • Assist the hiring business in its data protection compliance;
  • Delete or return the personal data to the business at the end of the engagement;
  • Not engage anyone else to process the personal data without the hiring business’s prior consent; and
  • Permit audits and inspections by the hiring business or its auditors.

Simply requiring freelancers to abide by a business’s own internal privacy policies – while certainly good practice – will not in itself meet the statutory obligation of having in place the contractual clauses detailed above. 

Tempting though it may be simply to copy and paste the relevant provisions from the UK GDPR into freelancer agreements, this will be insufficient. Recent guidance states that the agreement must elaborate on what specific measures the freelancer will have in place to ensure an adequate level of data security. It should also require a regular review of the effectiveness of these measures and prevent the freelancer from making any changes to them without the hiring business’s approval. 

It is additionally worthwhile stipulating that transfers of personal data outside of the UK must only be undertaken in compliance with the UK GDPR, since this is currently a hot topic on the ICO’s enforcement agenda. 

Not all independent contractors will constitute ‘processors’. For example, professional service providers such as lawyers or accountants will likely be data controllers in their own right. In that scenario, there is no statutory obligation to include particular clauses in the agreement with such contractors. 

In most situations, however, individual freelance consultants engaged by a business will likely be processors and will therefore need to enter into agreements containing the mandatory clauses. While this may complicate the engagement process, it will also help to protect your business by ensuring that every freelancer engaged is sufficiently trustworthy and has the measures and resources in place to minimise the significant financial and reputational risks to a business of a personal data breach.

Raj Shah is an associate at law firm Collyer Bristow LLP