You've received a client's customer database to clean. It contains names, emails, phone numbers, and addresses for 25,000 people. The client expects you to return a clean file. But the process of cleaning — examining, profiling, correcting — involves handling personal data that belongs to people who never interacted with you.
This is a common situation for bookkeepers, virtual assistants, freelance analysts, and marketing agencies. Here's how to handle it responsibly.
Your Legal Obligations When Handling Client Data
When you handle personal data on behalf of a client, you typically become a "data processor" under GDPR and similar regulations — even if you're a freelancer or small business. This creates obligations:
Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.
- Data Processing Agreement (DPA): You should have a written agreement with the client specifying how you'll handle their data
- Purpose limitation: Use the data only for the cleaning project, nothing else
- Data minimization: Access only the data necessary for the task
- Security: Store the data securely during the project
- Deletion: Delete the data (and any copies) after the project is complete
Practical Privacy-Safe Data Cleaning Practices
Use browser-based tools where possible: Tools like Sohovi that process data locally never transmit client data to external servers. This is the safest approach for profiling and quality assessment.
Work on a secure, dedicated machine: Don't mix client data with personal files, open browser sessions, or applications that sync to cloud storage automatically.
Avoid unnecessary copies: Every copy of the file is an additional risk. Work from one controlled copy, not from "working_v1", "working_v2", "final", "final_REAL".
Encrypt data in transit and at rest: If you need to transfer the file (receive from client, return cleaned version), use encrypted transfer. Store the working file encrypted.
Confirm deletion after project completion: Tell the client explicitly when you've deleted all copies of their data. Consider providing written confirmation.
Don't share with others: Unless explicitly authorized by the client, don't share the data with subcontractors, colleagues, or tools your client didn't agree to.
The Conversation to Have With Clients
Before accepting a data cleaning project, confirm with the client:
- What are they authorizing you to do with the data?
- What tools can you use? (Especially relevant for cloud-based tools)
- What's the timeline for completion and deletion?
- Do they have a DPA template they want you to sign?
Being explicit about these expectations protects both you and your client.
Handling client data responsibly is a professional differentiator. Clients who've had a bad experience with a service provider who mishandled their customer data will pay more for a provider who takes privacy seriously.
