A web freelancer in GDPR land: Down the rabbit-hole

As a person working and doing business on the web, I'm trying to grasp next year's favorite bureaucracy law and what it means to me and my little economic endeavor.

Now that we are already in the last quarter of the year (time flew, but not with AirBerlin) and some of us are lucky have the rest of the year booked solid. So attention shifts to 2018 and what it may bring. Well, for me at least moving office spaces (but that's a self-contained project and finished by January).

But there's another topic on the horizon. Without actively searching for it, I stumbled upon this topic on Twitter, while reading the net magazine and lately, in the current Piwik newsletter: EU's General Data Protection Regulation or short, GDPR. It is a regulation already in action but finally becoming universally valid on May 25, 2018. And "universally" is not that far of a stretch as it affects every organization and company worldwide who deals with personal data of EU citizens.

After some research I found some information what the GDPR means to me as a private person: Protection of my data against abusive use, unnecessary collection or the right to be informed of a data breach within 72 hours. That sounds good. But unfortunately I have to look at this topic through my freelancer glasses as well: what does it mean for businesses? Spoiler: I won't be able to supply an answer to this question at the end of the article. But hopefully I phrased the right questions by then.

What the... GDPR?

So I extended the research and found some articles on how to comply with the law when dealing with customer's data. Unfortunately those texts only have rather big enterprises in mind and none of them did really fit to my industry and "business model": being a web developer, solving problems with code and occasionally push some pixels (but not calling oneself a designer). And it seems that I'm not the only one wondering. It was also striking that the majority of search results for, e.g. "gdpr for freelancer" returned job ads of companies searching for a specialists, consultants or "Data Protection Officers". So there seems to be the need for clarity regarding this EU regulation all across the economic board.

As a web developer with own direct customers I have client data (say what?) in order to do my job and add value to whatever product or process. Although many articles on this topic quote the examples of health, credit card data or social security numbers it seems that the lawmakers define pieces of data applying to GDPR as early as names, postal addresses, online identifiers (e-mail addresses and more, I assume). Which is, from a customer's perspective, totally reasonable. But for a solo freelancer, trying to harmonize his every day work with current laws and regulations, question marks starting to appear.

Firstly, this article aims not to be the source of all wisdom on web workers and GDPR (although I'll possibly start an article series on this topic once I – hopefully – learn the ropes). I'm a doctor web developer not a lawyer. It's more of a thinking out loud and applying the principle of "you learn a topic more effectively when writing about it". At the end of this articles I share the links that I found. And write a public to do list of sorts.

But let's dive in. At first I try to understand GDPR on an abstract level – key tenets and core intentions:

Essential principles

In the following I try to rephrase what I learned so far in my own words. The crucial elements of the regulation seem to be:

Fairness and Transparency regarding data

⇒ Data must be kept and processed under application of the current law and in a transparent way.

Purpose Limitation 

⇒ The collection of personal data must have a legitimate and clearly defined purpose. It is forbidden to process or collect data that lies outside of this purpose.

Data minimization

⇒ Close to the last point: Organizations and companies must only collect data that is needed for the defined purpose, but no pieces of information irrelevant to it.

Accuracy

⇒ Data must be correct and current

Data Deletion

⇒ Data is allowed to be kept during the fulfillment of said purpose but no longer.

Security

⇒ Companies and organizations must utilize appropriate and protective measures (regarding technology and their self-organization) to secure personal data against malicious access, loss, or alterations. This involves encryption and anonymisation.

Accountability

⇒ Companies and organizations are responsible for their data handling and compliance with the GDPR. A data protection officer and adaptions of contracts is needed. Also, they must be able to demonstrate this compliance.

Data breach notifications

⇒ Companies and organizations must notify within 72 hours of a data breach within 72 hours of becoming aware of a data breach (Thanks for the correction, @grambulf). So no "oops, actually all our data was compromised four years ago" non-notices.

Ok, but in practice?

So far, so common sense. But what does this mean specifically, when you aren't running, let's say, a health insurance company or social network? This is the nitty-gritty I can't wrap my head around yet.

Stocktaking

Right now I can't come to any final conclusions but am left with asking the right questions. So where do I store customer data, directly or indirectly? On my computer, of course:

  • It is, as well as my backups, encrypted with FileVault. Points on the GDPR security score board?
  • Specifically in my contacts app. That's what it's for.
  • Also in my e-mails. Of course, the majority of communication with my customers is via e-mail. I booked a web hosting product, an Open Exchange instance to be precise, to host and manage my email, contacts and calendar and to sync it to devices. Am I responsible of my hosting company, HostEurope suffers a data breach? Will they force to sign me a contract of non-liability?
  • In my billing software. My invoices have to be valid by German law, so they have to have my customer's postal address, therefore these pieces of information must be in this software. For that matter, I'm not using a cloud based software here (think of billomat, freeagent and the like. That felt wrong seven years ago when I started my business and it still does). But with a software just on my system and encryption applied system-wide, am I safe in regards to GDPR?
  • Of course I got customer data indirectly in the project files – which I'm once more backing up via SpiderOak (and their no knowledge approach: spideroak.com/no-knowledge)

So I'm wondering: how and to what extend do I have to change my workflow and processes here? Of course except for the following topic:

My customer's consent to collecting and storing their data

Let's imagine a typical situation: You were recommended by an existing client and have got an enquiry from a potential customer in your email inbox. Now I have to send a contract of data collection consent before the following communication? Or is it all only effective after we signed a project contract? And even if I knew at what point of time I have to place this, how do I create a legally binding document. Should I create one myself or better contact a laywer right now? Anyhow, the action of giving consent can't be dealt with by clicking on a cookie layer on your web site, since:

Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
(Source)

Conditioning my customer's data

So under GDPR I have to be accountable for the data and have to keep my records transparent – meaning that I have to have the records in a condition that allows to release and delete it easily on the customers request. That sounds good in theory, but what does it mean? In my practice there is not only one "IT infrastructure" but a combination of software as stated above.

Next steps

Many questions but no satisfactory answers yet. My agenda for the next weeks on this topic is to work through the following links:

Dear reader, did I miss an essential resource/article on this topic which applies to web developers? If so, please ping me on twitter or write me an e-mail. Notwithstanding I will continue researching and, in the best case, write a follow up article with my further learnings about this topic.

Although – the next chapter of Alice in Wonderland is titled "The Pool of Tears"...

Updated 2017/10/14 12:00: Correction of Data Breach notification summary, thanks, @grambulf