How To, Training reviews

What is the difference between Controllers and Processors in the GDPR?

Welcome to Week 3 of my mini-series on aspects of the GDPR, the new data protection rules that come into force on 25th May 2018. This week, we are looking in depth at the differences between controllers and processors. You can view Week 1 and Week 2 by clicking on their links.

What is the difference between Controllers and Processors in the GDPR?
By Jonannes Plenio

The basic difference between controllers and processors is as follows:

controller determines the how, why and what of data processing. They are known as a joint controller if two or more people have this role.

A processor is responsible for the actual data processing as per the controller’s instructions. They do not make any decisions and must not make data available to anyone other than the controller without the controller’s permission.

Because controllers and processors have different roles, they also have different obligations. As processors are the worker bees, their obligations are much simpler. A processor must do the following:

  • comply with the GDPR and show how they have complied
  • maintain processing records
  • appoint Data Protection Officers if required
  • work with supervisory authorities
  • ensure security of data

A controller’s list of obligations is much longer: They must consider the nature, scope, context and purpose of processing, alongside any risks and the potential impact on human rights. Data security must be built into processing right from the beginning. This is known as Privacy by Design. If there is a data breach the controller must notify a supervisory authority within 72 hours. The details of the breach need to include what happened, how many subjects were affected and what data was breached. Include the name and contact details of the controller or the DPO if you have one. Highlight the potential consequences and measures taken. Data subjects must also be informed of the breach if there is a high risk to their rights and freedoms.

Controllers must provide data subjects with any information they request. Subjects must be given the following details:

  • controller’s identity and contact details
  • DPO’s contact details (if the organisation has one)
  • purpose and legal basis for processing
  • who data will be given to
  • if data will be transferred outside EU
  • why personal data is required and what consequences there will be if subject doesn’t provide such data
  • what rights the subject has
  • whether any decision-making is automated
  • if data will be used for another purpose in future

If data is not directly obtained from the subject then the controller needs to provide information on where it was obtained from, unless EU law states data must remain confidential or it would be impossible to do so (such as when undertaking a large study of public statistics).

If you are a joint controller then you have joint liabilities. Evidence must be provided to supervisory authorities that GDPR is being complied with. Organisations should document their policies and keep a record of all processing. While any organisation can appoint a DPO to help with compliance, you must appoint a DPO if your processor is a public body, there is large amounts of data being processed, or the data is categorised as special or it relates to criminal activity.

The DPO acts as a monitor to the data collection process, ensuring GDPR compliance and as such must be a person whose qualifications are recognised under the GDPR.

Controllers must maintain records of all processing (exemptions apply to small businesses but it’s worth recording anyway). These records must include:

  • controller’s name and contact details
  • why data is being processed
  • categories of subjects, date and recipients
  • whether data will be transferred outside the EU and how this will be done
  • projected time till data erased
  • basic details of technical and organisational security measures, to include; risk assessment and considerations of costs and implementation of processing

A Data Protection Impact Assessment (DPIA) must be carried out by the controller if the process may cause a high risk to the subject’s rights and freedoms, such as when using an automatic process. The DPIA must contain a description of the processing, an evaluation of the processing in regards to its purpose, and an evaluation of the risks and proposed measures to be taken to address these risks.

A DPIA is not required for processing carried out for legal compliance or in the public interest.

If the DPIA indicates a high risk to subject’s rights and freedoms and then the controller must consult with the supervisory authority before beginning processing. This is Prior Consultation. The controller must inform the supervisory authority of what responsibilities the controller and processor have, why and how data is being processed, any measures taken to protect subject’s rights, the DPO’s contact details (if there is one), the full text of the DPIA and any other information as requested by the supervisory authority.

Companies outside of the EU intending to process data on EU citizens must appoint a representative within the EU to ensure GDPR compliance. This doesn’t apply to public bodies, processing which is occasional, large-scale processing of special categories or criminal data.

I hope this has been a helpful overview of the different tasks a controller and a processor have. The information comes from my work on a free online course from the University of Groningen, which you can access here.

How To, Training reviews

How to make GDPR easy: Focus on data subject’s rights

Welcome to Part 2 of my series on the GDPR, the EU’s new rules on data protection which come into force on 25th May 2018. You can read Part 1 here. For Week 2 of the University of Groningen’s free course, accessible here, we focussed on the rights of data subject’s. I have provided a summary of these rights in this blog post.

How to make GDPR easy: Focus on data subject's rights | Prior Portfolio | Vicky Prior - Freelance Writer

First up, all data controllers must meet transparency and modality requirements. For transparency, data subjects must be provided with clear information on how their data will be collected, processed and used. For modalities, controller’s can give data subject’s information either written or orally once the subject has proven their identity. Information should be given free of charge unless it is an ‘unfounded or excessive request’ or the request is repetitive. One electronic copy of personal data may be given to subject free of charge. Additional copies can be charged at a small fee.

Data subjects rights can be restricted if the data is being collected in the interests of the public, for example, taxation or national security. Controllers must prove the need for restrictions to be put in place. Unsurprisingly, national security is expected to be the most widely used right of restriction.

Right to access

Data subjects can find out what, how and why data has been collected, how long it is stored for and who will access it.

Right to object

Data subjects can stop the processing of their data. Controllers can appeal this stoppage if they can prove the purpose of the collection overrides the rights and freedoms of the subject.

Right to restriction of processing

This differs from stopping processing outright and happens when the subject notifies the controller the data is inaccurate, if unlawful processing has occured, when data is no longer needed by controllers but subjects need it for legal matters, or when there is a dispute over whether data should be collected.

If data processing has been restricted, then data can be; processed but not stored in order to establish subjects legal claims, to protect others or if the collection is in public interest, as long as subject consents. Subjects must be informed by the controller when the restriction is lifted.

Right to erasure

This is more commonly known as ‘the right to be forgotten’ and happens in the following situations:

  • personal data is not necessary for purpose
  • subject withdraws consent with no overriding reason for continuing
  • subject objects to processing with no overriding reason for continuing
  • processing is unlawful
  • deletion needed to comply with law
  • data collected is to do with providing services to minors

The right to erasure does not apply if the controller has a right to freedom of information or is complying with EU or member state law, or if research is in public interest or part of a legal claim.

Right to data portability

Data must be given to subjects in a universal format so they can pass it to a new controller if they wish.

Right to lodge a complaint with a supervisory authority

If the subject thinks their data has been collected or processed in a way that goes against GDPR, they can lodge a complaint with the supervisory authority.

Right to an effective judicial remedy

The subject can bring judicial proceedings against the controller or processor if they are unsatisfied with the supervisory authorities handling of their complaint. The subject can also skip the supervisory authority altogether and go straight to a judiciary if they wish.

Right not to be subjected to a decision based only on automatic processing

Subjects can exercise this right is automatic processing will have legal consequences for them. This right is not applicable if the decision is either necessary for entering a contract, authorised by EU or member state, or the subject already consented. Under normal circumstances, controllers must help make decisions based on their knowledge so that the data processing is not solely automated.

Right to represented by organisations and others

Data subjects can engage not-for-profits to lodge complaints, receive compensation and exercise their rights on their behalf – this right only applies in these situations.

Right to compensation and liability

If a subject’s rights are proven to have been materially infringed, the subject must establish who is liable and request compensation. Controllers are normally liable unless it can be proved the processor acted independently. Neither are liable if events leading up to infringement happened before controller or processor was on board.

I hope these explanations of the right’s of data subjects have been useful. As before, every effort has been made to provide accurate information but if you do spot any errors, please let me know in the comments below.

How To, Training reviews

Why you don’t need to be afraid of the big bad GDPR

Welcome to the first part of a four-week series on how to comply with GDPR, the EU’s new rules on data protection. Week 2 is publishing today.

Why you don't need to be afraid of the big bad GDPR | Prior Portfolio | Vicky Prior - Freelance Writer
by Marius Masalar

On 25th May 2018, every business in the UK must be compliant with new rules called GDPR. The rules have actually been around for nearly two years, so quite why us Brits are only hearing about it now is a mystery to me. It might have something to do with the GDPR being an invention of the EU, however, and this is really important:


The rules apply to any data of EU based citizens or companies even if said data is held by a business outside of the EU. So get complying. Luckily, I’ve been working through an excellent online course and can help you not be scared of the big, bad, GDPR.

By now you’re probably sick of those four little letters, so here is what they stand for. GDPR means General Data Protection Regulation. Which isn’t that complicated when you think about it. The old laws on data protection needed updating as everyone is using digital these days, and the software outstrips the old laws. So GDPR is an easy way of clarifying the existing laws, not a shiny new thing. As with most data protection laws, it boils down to common sense. Over the next four weeks, I’m going to be sharing what I’ve learned from the University of Groningen’s GDPR course, to help you achieve compliance.

First up, the GDPR expects that all data collection software used by companies must have privacy options built in from the beginning. This is known as Privacy by Design. Privacy will be the default option and the aim is to prevent privacy breaches from occurring, rather than fixing the breach if it does. Examples of Privacy by Design include VPNs, encryption and authentication.

Technically, the GDPR applies to natural persons and not companies, however it would apply to members of staff of a company, so in this way company data is often covered.

The GDPR covers data processing carried out by computer or manually. But it does not cover activities carried out
– for national security
– to prevent conflicts
– to aid political cooperation
– to provide humanitarian aid
– in the home for personal reasons (such as keeping an address book of friends and relatives)

You do not have to sell a product for GDPR to apply. If your goods or services are given free of charge, you still need to comply with the rules.

GDPR applies to ‘any information’ including but not limited to a person’s name, gender, occupation, email address, and health, whether it is stored digitally or not. Any data that could be used to identify, whether directly or indirectly, a natural person, must be protected. These rights do not apply to anyone deceased.

Understandably, extra care must be taken with data categorised as ‘special’ or ‘sensitive’, to include; racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life, sexual orientation.

The people in charge of data processing, including deciding how it will be processed and why, are known as data controllers. The people who actually do the processing, according to the controller’s wishes, are data  processors. Processors that process the data on behalf of the controller must maintain a record of processing and ensure its security, but they do not have to implement other principles of processing as this will be done by the controller. If you are a self-employed freelancer like me, you get to be both controller and processor. Yippee!

The special term for natural persons whose data will be processed is a data subject. A Data Protection Officer (DPO) will be appointed by the controller to ensure compliance with GDPR, chosen for their specialist legal knowledge. As the DPO must have qualifications recognised by the GDPR, freelancers will most likely have to appoint an outside agency for this role.

To wrap up Week 1, the course set out the GDPR’s six main principles of data protection. These are:

1) lawfulness, fairness, transparency (be clear and concise, data subjects must know you are collecting)

2) Purpose limitation (only collect data for specified purpose, don’t use data for another purpose)

3) Data minimisation (don’t collect more than you need)

4) Accuracy (inaccurate data must be deleted ASAP)

5) Storage limitation (don’t store for longer than necessary)

6) integrity, confidentiality (Keep data secure)

A further principle of accountability means the buck stops with data controllers. If the controller does not comply with the GDPR, they are the ones in big trouble.

One final note, data subjects must freely give their consent to have their data processed and controllers must be able to prove consent was given. In the case of the minors under age 16, consent must be given by a parent or legal guardian.

I hope this run through was helpful to you in implementing GDPR at your business. This blog is based on my notes from Week 1 of this course, which you can join for free. I have endeavoured to make sure everything is accurate, but if any errors have occured, please let me know in the comments below.

LEGO, Productivity

How to build a LEGO obsession: Buy the brilliant Assembly Square

I had a basic LEGO set when I was little, but I never embraced it through to adulthood like many of my friends had done. That said, I did enjoy browsing the LEGO store and seeing the beautiful sculptures that people came up with. I’d keep an eye out for internet articles on new builds. And thus I was led to the LEGO Creator Expert series, a group of modular buildings that fit together to form a street. For the range’s 10 year anniversary, LEGO threw everything into building a town square that would incorporate elements from all the previous builds, include a whopping 7 shops and a flat, 8 highly prized minifigures (plus dog and baby) and a plethora of features to make this LEGO’s most detailed set of the series. I fell in love.

How to build an obsession: Buy LEGO Creator Expert Assembly Square | Prior Portfolio | Vicky Prior - Freelance Writer

Assembly Square is a magnificent piece of kit. It also retails for a fairly magnificent price, which given the fact the kit contains over 4000 individual pieces, is actually very reasonable. I had a small amount of savings left over from moving house with my parents, a particularly stressful and complex move. Didn’t I deserve a treat? No, they said, reasonably pointing out that I hadn’t established my writing business in Doncaster as yet, and so needed to keep hold of my savings.

Then came my 31st birthday, when it transpired that my mischievous parents had ordered LEGO Assembly Square the very next day after I’d shown it to them. Apparently, I did deserve a treat after all. This is where things went horribly wrong, if you’re my parent’s bank balance, and horribly right if you’re a LEGO seller. We all fell in love with Assembly Square. We couldn’t believe the detail. Building it satisfied my architectural fantasies and my love of dollhouses. The storytelling possibilities were endless. We had to have more.

How to build an obsession: Buy LEGO Creator Expert Assembly Square | Prior Portfolio | Vicky Prior - Freelance Writer
There is water in the toilet bowl!
How to build an obsession: Buy LEGO Creator Expert Assembly Square | Prior Portfolio | Vicky Prior - Freelance Writer
A chicken statue tops of one of the buildings

And so this is the first in a series of blogs about the LEGO Creator Expert range. I have all the ones currently available, bar the Diner because it’s just not quite right for me. I will be reviewing each build in turn and I regularly post pictures on my Instagram, where the response from fellow AFOLs (Adult Fans Of LEGO) has been delightful.

Now to the nitty-gritty: The ridiculously large box houses lots of bags of LEGO, numbered 1-6 for each stage of the build. You work from the floor up, with the groundwork including lots of detailed tiling, as well as paving and even street vents. Then you build each room up, filling it with baking equipment for the patisserie, flowers in the florist, a piano for the ballet teacher and a camera for the photographer. Best of all, the flat is occupied by an official AFOL, who has filled the room with her LEGO models. In a stroke of genius, these comprise miniature versions of famous LEGO sets, including the first three Creator Expert buildings. Here is a LEGO train set in miniature, with the Eiffel Tower in the background:

How to build an obsession: Buy LEGO Creator Expert Assembly Square | Prior Portfolio | Vicky Prior - Freelance Writer

The outside is magnificent and the inside a hoot, but even the back of these builds is a sight to behold. An alleyway between the coffee shop and the florist leads to back and side entrances, plus access to the dentist , photographer and flat via a gorgeous climbing staircase with balconies. The flat has an outdoor garden and grill area, hidden from front view by the elaborate roof, while the florist has a stained glass window section that can be removed for easier access while playing. The design is a nod to LEGO Creator Expert Brick Bank.

How to build an obsession: Buy LEGO Creator Expert Assembly Square | Prior Portfolio | Vicky Prior - Freelance Writer

The keener-eyed of my readers will notice a ladder to the left of the grill area. Rooftop access is very important to LEGO modular builds, and the roof of the blue building can also be accessed via staircase and trap door. Alongside offering surfaces for creating my own outdoor space (I’m thinking a romantic picnic area on top of the flat) it links in well with the rooftop escape needed in the LEGO Brick Bank storyline. But you’ll have to wait for my third review to find out about that…

It should be obvious that I thoroughly recommend buying LEGO Creator Expert Assembly Square 10255 Building Kit, although I accept no responsibility for any ensuing addiction. I do have to tell you that the links in this blog are affiliate links, which means if you click on them and purchase anything from the Amazon store, I will receive some commission. This does not alter the price you pay, though it will enhance my ability to buy more LEGO.

My next review will be LEGO Creator Expert Parisian Restaurant and should be published in March.

NaNaWriMo, Productivity


As detailed here, I use National Novel Writing Month, or NaNoWriMo as it is better known, not to write a novel but to achieve other career goals. 2015 saw me upping my stamina in how many words I could write daily, with a pretty good level of success. 2016 was more of a mixed bag.


The challenge was to write 50 applications for writing jobs, to include one-off article pitches and applications to agencies, within the 30 days of November. I pretty much set myself up for failure on this one. I actually managed a grand total of….wait for it….9 applications.


On a surface level, I failed my NaNoWriMo in spectacular fashion. However, if I take into account why my total is so low and what I actually did do in November, a much brighter picture emerges.


First up, I wrote myself a proper writing CV. Technically it was a rewrite, but the first one was so rubbish I don’t think it counts. While this didn’t take nearly as long as I thought it would, it was something I had been putting off. And this is where my big November success comes in, while new applications didn’t feature very well, old applications that had been gathering cyber dust really came into their own.


I applied to both CloudPeeps and nDash, both online agencies that work a bit like the dreaded Upwork, except the clients are better vetted and oh-my-word is the pay better. I now have to work on pitching the clients I can access through these platforms, but just filling in the applications was a huge step. I also finally applied for specialisation on Scripted, and managed to pitch a client on there. This girl is on fire!


The other important result from November was that I checked job boards and emails every single day. This led to the realisation that I can take the weekend off job searches, as it is rare for new opportunities to be posted. I also learned that while it might not always be suitable for me, there is a constant supply of freelance writing jobs. This is not a career path that shows any sign of slowing down, despite well-publicised financial problems in print media.


Although I compiled a list of places that wanted writers, but didn’t actually apply to them, I have ended up with a new list of places that regularly accept freelance work. It is best to apply to these magazine sites when they are actively seeking new writers, but they do not object to writers pitching them throughout the year. I know that a big block for me was coming up with ideas to pitch, so at least I have the relevant contact details on hand for when inspiration does strike.


Overall, I’m calling NaNoWriMo 2016 a win. I learned a lot about my strengths and weaknesses and I did manage to clear a backlog. I also spent a lot of time working with new clients that accepted me just as November started, which took away a chunk of application time. I still need to balance applying for jobs with doing paid work, but I think a routine is slowly emerging.


As ever, if you would like to hire me and put a temporary stop to my application woes, drop me a line at



NaNaWriMo, Productivity

NaNoWriMo logo

If you have considered writing, or you spend time on social media, then you are bound to have heard of NaNoWriMo. Every November is designated National Novel Writing Month for us wordsmiths, the aim being to crank out 50,000 words of a fiction novel in 30 days.


Over time, NaNoWriMo has evolved from developing a short novella in 30 days to having the first 50,000 words of a longer novel. Or of a non-fiction book. Or a collection of short stories. Poetry became so popular they have their own month (April). I haven’t ever properly participated in NaNo, but last year I chose to adapt it for my own purposes. A wonderful online community springs up every November, and a casual search of #NaNoWriMo on twitter brings up a virtual room filled with every agony, ecstasy and support for writers.


Last Autumn I was building up my work on content mill-style sites. Each day I would log in, search the available work, and shy away from anything that was too long, that I’d need to research, that wasn’t absolutely perfect. I was doing well, but there was so much more work on there I could be doing if only I stretched myself a little bit. So I printed off a blank calendar for November 2015 and sat down to think about comfortable word counts.


A good target should present a challenge but not be impossible. Setting yourself up to fail is a bit counterproductive. I decided that 50,000 words was far too much, especially as I was relying on other people to post work opportunities. I settled on 700 words a day, or 21,000 for the month. I ended November with a grand total of 19,647 words and a healthier bank balance.


This year, I’m building up my writing business (you can hire me, if you want). I need to apply for freelance gigs but I get nervy and fed-up. NaNo will provide the push I need. Although I’m once again relying on what other people post, I’ve decided to stick to the ’50 in 30′ concept and set a target of 50 applications. This can include applying to online marketplaces for future work, freelance gigs and the occasional non-paid writing opportunity, if I think it will enhance my portfolio.


So, I’ve got 50 jobs to apply for 30 days. How are you going to adapt NaNoWriMo to work for you?

Clients, HireWriters, Uncategorized

HIreWriters Logo

All freelance writers have come across sites known as ‘content mills’. Most of them offer semi-regular work without endless pitching. Unfortunately, rates can be low. For this reason, content mills have gotten a bad rap. But there is one site, HireWriters, that provides plenty of work and there are decent incomes to be earned. Even better, they take on writers from across the globe, including the UK.

Entry to is via a simple sample piece and a short grammar test. Once that is done, you will be taken on at the beginner tier. This is the lowest of four tiers and understandably has the smallest pay rate. It is very easy to quickly work your way up the tiers. Quality is determined by how many pieces of work you have submitted and how high a rating you got. 14 pieces averaging 4.6 stars plus 4 star plus earns you the top tier, Expert, which is where real money can be made. My first 12 pieces easily got a 5 star rating, a combination of my genius writing ability (of course) and how nice the clients are!

The clients also have ratings, and you can see how often they reject vs accept pieces. As a general rule, avoid clients with a less that 90% acceptance rate. Obviously this is a little hard to judge with brand new clients who have only ordered a couple of pieces of work. Check the quality of their instructions. You want a clear brief and defined keywords. You can privately message the clients if you have questions, but be aware that their response time does not affect the final deadline, and you can be penalised for late work.

If rewrites are necessary, the client can also contact you. I’ve been lucky in not needing to do extensive rewrites, but I did have one client who asked me to expand on a detail in an article I was writing for him. Try as I might, I could not find the information needed. I messaged the client, apologising and offering to withdraw from the piece. To my joy, he accepted the piece as was with no further rewrites required.

Some clients even go so far as to pay bonuses on top of the standard fee. The fees are clearly set out in each job advert. There is a percentage fine to pay if you cannot submit the piece by the deadline, but most deadlines are generous. Short 150-300 word pieces often come with a deadline of 12 hours, where long form 1000 words plus can be anything from 1 day to 5.

I have a private client, which is someone who contacts me directly via HireWriters as opposed to posting on the open jobs board. On average, I am paid $30 for a 1000 word piece. We thoroughly discuss the topic and direction beforehand and I am given a generous deadline for research and writing. This is far more than can be earned picking up beginner jobs, where a 150 word plus description can often be paid at $1.27. However, it is worth knocking out a few of these at the start to get your rating up so that you can attract the higher paying private clients. As a bonus, some of the shorter pieces are fun to write. I built my rating up writing short pieces of celebrity gossip. It felt more like break-time than work, and I earned a little bit of money.

All the work on is ghostwriting, so you do not get to see you finished work up on a website. But if you are a quick writer, it is an easy way to make money. HireWriters pay out every Friday, so long as you have $10 or more in your account. There are often over 700 jobs on the system, so hitting a $10 target each week isn’t difficult. If you are looking to see if freelance writing is for you, I thoroughly recommend signing up to

Please note, this is an affiliate post for HireWriters.