The clock is ticking. On May 25th, the GDPR goes into effect. Want to stay in compliance? Of course, you do – those fines are no laughing matter! Even if you think you’re prepared, there’s one aspect you might have overlooked: translation! It’s not enough that your organisation is compliant. If you collect personal data, including names, addresses, email addresses and more, you’re responsible for making sure that any third-party processors you contract with are also compliant. With that in mind, here are six questions about GDPR compliance to ask your translation partner today.
Is your translation management system secure and compliant with the GDPR?
When you submit content to your LSP for translation, is it being handled securely? If you don’t know, you’d better find out. Your LSP should have a secure translation management system for you to submit your documents, manage the translation workflow and access the work once it’s complete. For example, at K International, our translation management system is hosted securely in the cloud.
Do you use subcontractors and freelancers, and if so, are your procedures for outsourcing also GDPR-compliant?
Most LSPs rely, at least in part, on a network of talented freelance translators to meet clients’ needs. The GDPR is unlikely to change that. However, LSPs do need to ensure that any freelancers that have access to personal data are handling it appropriately. Freelance translators (and any other subcontractors who deal with GDPR-protected data) should have agreed to comply with safe data handling procedures and may need to sign NDAs. Ideally, they should only have access to sensitive data from within a secure translation management system, where downloading files to their own devices is not an option. Otherwise, all such data must be deleted on a regular basis after jobs are complete.
Do you have procedures in place for identifying sensitive documents and treating them appropriately?
Ideally, clients should remove or anonymize personal data before sending it off to be translated. However, that can be difficult if the information is in a language (and possibly a script) that the client doesn’t understand. So, many LSPs are adopting a “better safe than sorry” approach, treating all material that might contain sensitive data as if it does contain sensitive data. Regardless, there should be a procedure for identifying documents with personal data and ensuring that data stays secure.
You’re not using Google Translate, right?
Really, you shouldn’t have to ask this question. But in the past, we’ve seen a few unfortunate examples of translation companies using Google Translate as their own work. The GDPR is one more reason it’s past time for that practice to end.
There’s a laundry list of reasons why Google Translate is never the best choice for accurate translations. However, even if it did provide adequate, error-free translations, it would still be a security risk along with all the other free, online machine translation options out there. For example, last September, Statoil, Norway’s state oil company, discovered that sensitive company information (including GDPR-protected personal data) was floating around online in the cloud. How did that happen? Employees were using the free, public machine translation available on Translate.com to get rough translations of foreign language documents.
In this day and age, machine translation with human post-editing is sometimes necessary for some types of projects. That said, it needs to be managed correctly, both to ensure accuracy and to ensure security.
Do you have a GDPR-compliant data breach response plan in place? Are you prepared to assist our company in the event we have a data breach?
In the event of a privacy breach, companies must notify the appropriate authorities within 72 hours. Companies must also inform affected consumers. Any LSP worth handing sensitive data to will have a data breach response plan in place, but you should inquire about how the plan has been updated to comply with the GDPR.
And what if the data breach is on your end? Consider that you’ll also be responsible for notifying consumers, and given the linguistic diversity of the EU, you’ll need to send notices in a variety of languages. You’d do well to ensure that your LSP has the capacity and the expertise to help you communicate with customers as the law requires.
What security certifications do you hold?
When it comes to data security, don’t just take your LSP at their word. Certifications ensure that the company takes security seriously. Third-party audits confirm that the company’s policies and procedures meet standards. At K International, we are certified to ISO 27001, a specification for information security management systems.
Your translation partner should be just that: a partner. Right now, the spectre of the GDPR (and the potential fines for violations) has the whole world spooked. Reduce your risk by partnering with a company that already has a long-standing reputation for taking privacy and security seriously.
At K International, we’ve been in business since 1986, and we take pride in being a security and quality-conscious agency. We are regularly trusted to handle documents of a secret or sensitive nature for the British government. Rest assured, we’ll be just as careful with the GDPR-regulated data your business handles. Does that sound good to you? Feel free to contact us; we’d love to hear from you.