Freelancer Management: The Most Overlooked Component of Data Security
As regulators ramp up efforts to enforce data protection laws, CTOs, CISOs, and CEOs have made hefty investments in data security solutions and processes to remain compliant — and for good reason.
Violating the General Data Protection Regulation (GDPR), for example, can lead to fines of more than $23 million or 4 percent of annual global revenue (whichever is higher). Those penalties are enough to topple some companies entirely. A data breach can be equally damaging, costing millions to recover from and destroying customer loyalty and trust.
All of the latest employee training programs, security solutions, and internal processes designed to protect company data are beneficial, but most fail to account for one crucial component of data security: freelancers.
Despite businesses’ increasing reliance on freelancers, independent contractors, and agencies, most companies don’t consider non-payroll talent when addressing data security.
Why Data Security Plans Overlook Freelancers
The GDPR imposes strict security requirements on the individuals who direct and carry out the processing of sensitive customer data. The law addresses two groups within companies: data controllers and data processors.
Under the GDPR, a controller is the entity that “determines the purposes and means of the processing of personal information,” while a processor is any entity “that processes data on behalf of the controller.”
When determining who within an organization is a controller or processor, companies frequently forget about freelancers. Usually, they only think of employees as fitting these definitions. This is wrong.
It’s not the work relationship that defines whether a person is a processor or controller — it’s the work they actually perform and the level of access they have to data systems. For example, a freelance business intelligence analyst with access to a company’s CRM should be considered a processor, even though they aren’t an employee.
Focusing only on employees ignores real-life risk. You may not define someone as a processor, but their actions can still lead to a breach (intentionally or accidentally). As a result of these oversights, many companies aren’t committing their freelancers to basic security standards, such as signing data processor agreements, undergoing security training, or facing the same levels of accountability for data integrity that employees are subject to.
How to Ensure Data Security When Working With Freelancers and Contractors
The key to keeping data secure and meeting GDPR privacy standards when working with freelancers is to implement the same approach to security that is taken with employees. Adding the following steps to your standard freelance management process can help you ensure the proverbial back door isn’t left open.
1. Identify Your Data Controllers and Data Processors
This is absolutely crucial. It sets you on the path to compliance with GDPR and ultimately allows you to produce a list of exactly who has access to your data systems and the levels of access they have.
It’s important to note that contractors who process employee data (not just customer data) should also be identified as processors. For example, you may hire an agency to manage your employee payroll; they’ll have access to your staff’s bank account information. Keeping this information secure is also crucial.
The right time to determine whether someone may be considered a processor is before you even hire them. When you define the role, you should also define the worker’s involvement with data and the level of access they need. Then, when you begin the onboarding process, you will be prepared with all of the necessary data agreements and security training.
2. Ask Freelancers to Sign a Formal Data Protection Agreement
Once you’ve identified who meets the data processor definition, the next step is having them sign a data protection agreement. This should occur early in the onboarding process — certainly before they begin performing work or accessing data.
The contract between your company (the controller) and a data processor must outline certain information, such as the subject matter and the duration of the data processing, the types of personal data that will be processed, the nature and purpose of the processing, and the controller’s and processor’s obligations and rights.
3. Provide Adequate Security Training
Freelancers should undergo mandatory data security training like employees do. Introduce them to your organization’s security practices and procedures and provide information that will help them avoid the human errors and poor judgment calls that can expose internal data systems to potential hackers.
4. Ensure the Tools and Processes Freelancers Use Are Safe
If a freelancer has access to sensitive data, such as customer or employee financial data, provide guidelines and conditions for accessing it. It is recommended to prohibit them from accessing internal data systems on the public internet, downloading unapproved third-party platforms, or sharing the data via unsecured methods.
5. Revoke Access to Databases, Systems, and Platforms When the Work Relationship Ends
This one sounds obvious, but it’s surprising how many companies don’t offboard their freelancers and subsequently forget to turn off their access to the data systems they worked on. This creates a major risk.
Overlooking your freelancers when creating data security practices and training staff is a serious but common mistake. By making data security a routine part of freelance onboarding and management, you can create more reliable freelancer relationships, reduce risk, and gain more control over your compliance efforts.
Shahar Erez is CEO of Stoke Talent.
Get the top recruiting news and insights delivered to your inbox every week. Sign up for the Recruiter Today newsletter.