Wednesday, 12th December 2018

GDPR and mitigating cyber-risk

For digital businesses across all industries and markets, there are a number of risks which freelancers and contractors may face as a result of the new regulations. Here, Janthana Kaenprakhamroy, founder of on-demand insurance provider Tapoly, discusses the ins and outs of GDPR and the risks cybersecurity breaches can pose to freelance and contract workers in the digital age.

What is GDPR?

The General Data Protection Regulation (GDPR), like any other EU regulation, ensures each EU member state is brought into line with the same law. This particular legislation governs the protection and use of data. The regulation outlines certain steps that must be taken by anyone who handles data (‘controllers’ or ‘processors’), whether a government body, organisation or professional, to ensure data is kept secure and the owners of the data, usually those it is about (the ‘subjects’), know how it will be used. If any of these parties reside within the EU, then that data will be covered by GDPR. In a world where we are increasingly digitising and using the cloud, even if a company or individual is based outside the EU, GDPR could still apply.

GDPR aims to give people more control over their ‘personal data’, such as name and address, and ‘sensitive personal data’, which is any information they may want protected, like religion or sexual orientation. The latter may differ from person to person, so it’s important to be aware of what kind of data you possess and what the subject will allow you to do with it. GDPR states the appropriate amount of security must be used by controllers and processors to protect against accidental loss, destruction or damage, or unauthorised processing of data.

 

What does it mean to you?

As of 25th May 2018, the ‘GDPR deadline’, those who deal with technology and in particular those who are self-employed must now be even more wary of cyber security and compliance. For example, while any given organisation will have updated its policy in line with GDPR, it’s likely that digital freelancers and contractors aren’t covered by that policy. It’s therefore necessary for freelance and contract workers to take a look at the data we possess, whether we are managing it compliantly, and how we might be indemnified in case anything happens to that data and we are left liable.

Anyone not complying with GDPR legislation can be fined up to 4% of global revenue – this doesn’t just apply to big corporations but also to SMEs, freelancers, contractors and anyone responsible for personal data. Fines of up to 2% of global revenue come into force if records of data are not kept in order, if the authorities and the subject aren’t immediately notified of a data breach, or if proper impact assessments are not conducted.

Personal data isn’t just given to you directly by the subject. You may also impact data held by the companies you work with, as they will have been given certain permission and will have their own policies as mentioned above. Freelancers often obtain lots of personal information, such as contact details, for many clients and companies they work with. As an external party, a freelance or contract worker isn’t covered by the same processes as an employee and may be exposed to more legal risk.

 

What are the risks for freelancers?

It’s important to be aware of the risks faced, in particular as a freelancer. From image usage rights to making sure information you publish is factually correct, breaches can occur more often than you might realise. It is important that any data you store as part of a project is secure and preferably encrypted – that means storing hard copies safely too. Another common risk factor is BYOD (bring your own device) which can increase data risk, and the company you work with may have a policy on this which you need to be aware of.

 

Steps to take

To ensure you’re fully compliant, it is important to keep records of what data you possess, where it came from and who can access it, and conduct a privacy impact assessment (as outlined by the ICO). It’s also important to ensure privacy notices you issue are up to date and share an article showing how you will use data you hold. You should also review your processes, how you gain, record and manage consent to take personal data, including the consent of parents/guardians for data involving children.  If you operate in multiple locations, it’s important to make it clear where you are based (for example, whether you’re based in the EU or outside the EU). It is also important to have a clear plan in place for what you will do in the event of a data breach (e.g. informing relevant parties) and to consider taking out cyber insurance.

Freelancers should also note GDPR isn’t the be-all and end-all. There are many risks to compliance and good relations involved in every project. Some other issues to consider are confidentiality breaches; negligence (e.g. making a mistake which may lead to non-payment or legal action); intellectual property disputes (e.g. accidental plagiarism); defamation; or social media breaches like hacked Facebook messages. 

This sounds like a lot to consider, but if you don’t feel properly prepared there’s no need to grind to a halt. Establish a compliance plan as soon as possible and take care of your data as best you can until your new policy is implemented. These risks shouldn’t put you off your work but should warn you to protect yourself. One way to deal with the potential cost of these risks is by taking out insurance.

Insurance

Freelancers should consider professional indemnity insurance,, which basically protects you against legal action by clients and affords you limited liability for risks related to your work, such as defamation suits. No matter how careful you are, mistakes can be made and in the digital age, particularly for editors or authors, problematic content can spread like wildfire. It’s also likely that in a more compliant age, larger companies will actually require their contracted or freelance workers to be insured. If you already have insurance, it’s important to make sure older policies are up to date and include the latest technology platforms and modern data regulations like GDPR.

The ins and outs

 

Insuring yourself may seem lengthy and costly, but insurance can now be purchased as and when needed through on-demand offerings. This means you can take out the exact type and level of insurance as required for a given project. On-demand insurance has been commonly used in the travel and car insurance spaces for some time, and its continued advancement will help ensure you can get on with your job and succeed in a highly regulated environment.

 

ENDS

 

About the Author

Janthana Kaenprakhamroy is founder of Tapoly, the first on-demand insurance provider for the gig economy in Europe and a Top 100 European Fintech Award winner in 2017.  A former investment banking professional and chartered accountant, Janthana has worked for a number of top-tier investment banks and is one of the authors of The InsurTECH Book.

Through her own experience of trying to purchase the right insurance easily and affordably when letting out her spare room through Airbnb, it highlighted the need for change within the insurance sector. Nothing appeared to be tailored to the sharing economy.

Tapoly was created from Janthana’s vision to make sure that everyone in the sharing economy can get access to a comprehensive insurance solution at a fair price.

For more information, visit www.tapoly.com

 

 

 

The role of a chief data officer (CDO) has changed significantly over the past decade. Ten years ago...
It has been a tumultuous year for cybersecurity, with endless security breaches hitting the headline...
By Ian Kilpatrick, EVP Cyber Security, Nuvias Group.
The main issues we see arise with cybersecurity strategies seem to link to efforts that arise when b...
What makes a DDoS successful? I asked myself that question at the end of August when the central ban...
By Mark Baker, Field Product Manager, Canonical.
By Andrew Lintell, Tufin.