
Your Phone Is Now Part of Your Business Security System

Annabel Kaye

Personal Devices and GDPR: Hidden Risks for Freelancers and Outsourced Teams

Many people think data security is about passwords. To some extent, it is. We have written before about the risks of sharing logins, weak passwords and clients handing over access in ways that make everyone’s life harder later on. If you have not read those already, it is worth starting with:

But the bigger issue now is often the device itself.

You probably already carry client and third-party data around in your pocket every day, whether you realise it or not. Your phone previews messages on the lock screen, stores downloaded files automatically, syncs photographs to the cloud and connects to watches, tablets and home devices. Many phones and apps now include AI features which summarise messages, organise photographs or suggest replies automatically. In many cases, people have never actively switched those features on. They simply arrived after an update.

For freelancers, VAs, designers, children’s activity session leaders and outsourced teams, personal devices are now part of everyday business operations. The problem is that this is all happening without any conscious thought, decision or awareness. Many contracts, privacy documents and working practices were written before phones became this connected and this intelligent (if you can call the rapid sharing of random data intelligent!).

Why Personal Devices Create GDPR Risks

Many small businesses now run almost entirely through phones and tablets. Client emails, WhatsApp messages, booking systems, photographs, voice notes and documents all pass through personal devices during normal working days. Many use apps precisely because they work on a phone.

Most people are not being careless. They are busy. They are trying to get work done quickly and keep clients happy. But that does not change the fact that personal data is often being stored, processed and shared through devices that were never set up as formal business systems.

You have probably seen some of these situations yourself:

  • downloaded attachments remaining on a phone for years,
  • client screenshots sitting in photo galleries,
  • lock screen previews showing confidential messages,
  • family members borrowing tablets or phones used for client work,
  • WhatsApp images automatically saving into personal camera rolls,
  • files syncing automatically across devices without anyone really thinking about it.

If you work with children’s data, health information or sensitive business information, the risks become much more serious very quickly.

Why This Is Different for Freelancers and Outsourced Teams

Large companies often have dedicated work devices and internal IT teams. Most freelancers and outsourced businesses do not. The reality is that many VAs, designers, social media managers and session leaders work from their own phones and laptops every day.

Our recent GDPR health checks have shown that mid-sized teams are working with some client-provided devices and some freelancer-owned devices. An attempt to impose ‘company-owned laptops and phones’ on freelancers has tax implications for both and it is not wise to get into a ‘knee jerk’ decision on what to do.

We covered some of the tax problems this can create in our blog: Does Your Client Want You to Use Their Laptop?

The Bits People Often Do Not Realise Are Switched On

One of the biggest changes over the last couple of years is the number of AI features now built into ordinary devices and apps.

Depending on your settings, your phone may already be:

  • summarising notifications,
  • analysing photographs,
  • transcribing voice notes,
  • suggesting replies,
  • categorising images,
  • making text searchable inside photographs,
  • syncing information across multiple devices.

The issue is not that AI is automatically unsafe. The issue is that many businesses have no clear idea what is switched on, where information is stored or whether their privacy documents still accurately describe what is happening.

When I ask a business owner which countries they are storing data in, they often have no idea. When I ask who their clients’ personal data is being shared with, they don’t know what AI is up to.

That matters because GDPR is not really about pretending technology does not exist. It is about being honest and realistic about how personal data is actually handled.

Why Children’s and Health Data Raises the Stakes

If you work with children’s data, the risks become much harder to ignore.

Many children’s activity providers and session leaders now handle registrations, emergency contacts, allergy information, attendance records, parent messages and photographs directly through phones and tablets. Some also use personal devices to take photographs during activities or communicate with parents during busy sessions.

Again, most people are trying to do their best. But modern phones are designed to sync, store and share information constantly.

A photograph taken during an activity may automatically upload to a cloud account. Messages may preview on smart watches. Images may sync to shared family devices at home. AI tools may categorise or analyse photographs automatically in the background.

We have also written before about the wider challenges of handling children’s data in small organisations:
https://koffeeklatch.co.uk/is-data-privacy-hard-for-a-child-centred-business/

The practical reality for many small providers has changed significantly over the last few years and personal devices are now part of that picture whether businesses intended them to be or not.

Many say ‘we use reputable platforms’ and leave their examination of data security at that. But that is not enough, even though it’s a great start.

The Problem Is Often the Software Itself

Some business owners are still using personal software for business purposes. (Do check, as this can invalidate your professional or cyber insurance; personal software is simply not designed for working with a team.)

Many platforms still assume one person is running the business alone. Proper team access is often hidden behind expensive upgrades and some systems are surprisingly poor at handling outsourced support safely.

As a result, people create workarounds. Passwords get shared, accounts stay permanently logged in and client information ends up spread across multiple personal devices simply because the systems were not designed for the way small outsourced businesses actually work. And team members export data to ChatGPT to speed up their workflow and nobody knows about it.

At the same time, software providers are rapidly adding AI features, integrations and syncing tools faster than many small businesses can realistically keep up with. It’s a rare day I don’t get update messages on my laptop and phone from some app or platform, never mind the endless data privacy notice updates. Most people don’t read them.

I could argue that they are not meant for us to read, as sending long documents in small type at 2am on a Monday morning is not a great way to get a busy business owner’s attention. But they do have an effect, and it is the one the suppliers want. It puts all the blame on you if someone complains about their data disappearing. Many go further than that and make you promise to pay them if this gives them any legal problems!

And those lovely ‘click this to integrate with that’ buttons are a hazard in their own right. Suddenly data lovingly curated and stored in an appropriate environment is squirting down an invisible tunnel into who knows where.

Most Businesses Are Not Deliberately Unsafe

The reality is that most small businesses are not trying to be reckless. Usually they are busy, understaffed and trying to get the work done efficiently without annoying their clients.

The problem is that technology has changed faster than most businesses’ contracts, privacy documents and working practices.

Many people are still operating on assumptions from five years ago:

  • that phones are just phones,
  • that apps only do what you actively ask them to do,
  • that cloud storage is “somebody else’s problem”,
  • or that reputable suppliers automatically mean compliant suppliers.

Meanwhile devices are syncing, analysing, storing, categorising and sharing information in the background all day long.

The danger is not always the dramatic Hollywood-style data breach. Sometimes it is simply that nobody in the business really knows where information is going anymore.

That becomes particularly important if you:

  • work with children’s data,
  • handle confidential client information,
  • use outsourced support,
  • rely heavily on apps and integrations,
  • or use AI-enabled software without fully understanding how it processes information.

Most businesses do not need panic. They do need to stop assuming that modern devices behave like the laptops and phones they used ten years ago.

Your contracts and privacy documents should reflect the way you actually work now

If your business relies on phones, tablets, outsourced support, cloud systems or AI-enabled software, it is worth checking whether your contracts, privacy documents and working practices still match reality.

That does not mean panic rewriting everything overnight. It does mean being honest about:

  • who has access to personal data,
  • which devices are being used,
  • how information is shared,
  • and what modern software is actually doing in the background.

KoffeeKlatch templates and GDPR support are designed for real small businesses and outsourced teams, not imaginary corporations with full-time IT departments.

You can find our contracts, GDPR templates and support options here:

https://koffeeklatch.co.uk/
