GDPR: What’s the Commotion All About?
Does Y2K Ring a Bell?
Where were you on January 1st, 2000, at 00:00 AM? I was switching on my computer to see whether it would still be working. Like many others, I was scared that, because of the Y2K, the global ICT infrastructures (including my humble desktop) would collapse in the first few minutes of the year 2000 and society would descend into chaos.
In the end, Jan. 1, 2000 went by rather quietly. Y2K turned out to be a bit of a damp squib, but it was a golden bowl for consultancy firms offering a solution to an imminent danger.
GDPR: Another Y2K?
On May 25, 2018, the General Data Protection Regulation (GDPR) will come into effect. This EU regulation is meant to give users greater control over their data. Any organization inside or outside the EU that processes the personal data of EU residents will have to implement strict procedures for data protection and processing, especially when it comes to both personal data and sensitive personal data. Just to clarify, personal data is every piece of information that allows you to identify a natural person, be it a name, an image, an email address, banking details, posts on social media, an IP address, or cookies; sensitive personal data concerns, for example, racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, etc.
With the Y2K lesson in mind, the GDPR is not going to be the end of the world. The EU already has its own Data Protection Directive (EU Directive 95/46/EC), meant to protect individuals with regard to the processing of personal data. It is a directive, though, which means that the EU sets the results to be achieved, but each Member State is free to decide how to transpose the directive into national law. A regulation like the GDPR, on the other hand, has binding legal force and is directly applicable in all Member States.
While some EU countries are aware of the importance of data protection and have adopted privacy processes and procedures, others have already exceeded the GDPR criteria. One example among many: In 2003, the Italian law on data protection (D.Lgs. 196/03) introduced and defined the roles of Data Controller (“the entity that determines the purpose, conditions and means of the processing of personal data”) and Data Processor (“an entity which processes personal data on behalf of the controller”).
The GDPR in the Translation Industry
Data may be the new fuel, but as Wordbee Sales Director Mark Shriner said in the webinar on the GDPR topic, “Data is also liability.” And data is everywhere. Translation memories, TMSs, vendor databases, CRMs, apps, emails, just to give a few examples: they all contain huge volumes of data.
So, how is the GDPR going to impact the translation industry? It depends, of course, on the size of the company (big LSPs vs. small LSPs, translation marketplaces, tech providers), on the volume of the collected data, and on its use. And what should you do with the data already collected and stored? All data for which you do not have explicit processing authorization should be destroyed unless you can prove that it is completely anonymized or needed to perform your duties (e.g., the personal data in a clinical record to be translated and possibly legalized).
4 Tips for GDPR Compliance
Here are a few practical considerations for a more systematic approach to data security.
Because sanctions for non-compliance amount to up to 4% of a company’s latest annual turnover or a maximum of 20 million euros, the best approach is to allocate that 4% for the implementation of practices and tools that will make your company GDPR-compliant. Consider also hiring a reliable consultancy firm to help you choose tools and solutions.
Companies should set up a step-by-step procedure. Start by identifying all data created and owned, wherever it might be stored. Highlight user-identifiable data: This could be data generated by the users themselves (e.g. exchanges on mobile devices) or generated on their behalf (e.g. data entered in a database or results from a customer survey).
The regulation is clear about explicit consent. Therefore, prepare new forms to obtain consent from those whose data is already in your possession as well as from those whose data will be collected in the future. A small example: The “Work with Us” or “Subscribe to our newsletter” pages on your company’s website will have to be redesigned to contain detailed information about the use of that data and request explicit consent for processing sensitive personal data.
In terms of data protection, if your company is ISO/IEC 27001 certified, you’re already a step ahead of the competition. Automatic encryption is essential for round-the-clock protection. Make sure that your company has strict rules in place to track secure data access. Also, make sure that login credentials are not stored in clear text and that they are personal and unique. And, of course, in the case of a multilingual website, the privacy statement and GDPR-related information should all be localized as well.
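Two of the points above, credentials that are never stored in clear text and data access that is tracked per person, are easy to get wrong in a home-grown vendor portal or TMS login. The following is an added example, not code from the original post or from Wordbee: it stores each account's password as a salted PBKDF2 hash (a constructed choice of algorithm and iteration count), refuses duplicate accounts, verifies passwords in constant time, and appends an entry to an access log on every login attempt. The user names, passwords and in-memory store are constructed sample values standing in for a real database.

```python
"""Added example (not from the original post): salted password hashing,
unique personal accounts, and an access log for tracking data access.
All user names, passwords and the in-memory store are constructed samples.
"""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; a constructed value for the example.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record with a random per-user salt and the derived hash.

    The clear-text password is never part of the returned record.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


class CredentialStore:
    """In-memory stand-in for a user table plus an append-only access log."""

    def __init__(self) -> None:
        self.users: dict = {}
        self.access_log: list = []

    def add_user(self, username: str, password: str) -> None:
        # Accounts must be personal and unique: no shared or duplicate logins.
        if username in self.users:
            raise ValueError(f"account {username!r} already exists")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        """Check the password and record the attempt, successful or not."""
        record = self.users.get(username)
        ok = record is not None and verify_password(password, record)
        self.access_log.append(
            {
                "when": datetime.now(timezone.utc).isoformat(),
                "user": username,
                "result": "success" if ok else "failure",
            }
        )
        return ok

    def contains_clear_text(self, password: str) -> bool:
        """Sanity check: the clear-text password must not appear in storage."""
        return password in json.dumps(self.users)


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("anna.rossi", "correct horse battery staple")  # constructed
    print("login ok:", store.login("anna.rossi", "correct horse battery staple"))
    print("wrong password:", store.login("anna.rossi", "wrong"))
    print("clear text stored:", store.contains_clear_text("correct horse battery staple"))
    print(json.dumps(store.access_log, indent=2))
```

The access log is what lets you answer "who looked at this record, and when", which is the tracking the paragraph asks for; in production it would be written to append-only storage rather than kept in memory, and the iteration count should be tuned to your hardware.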
There are tools that can help you with some steps, such as automated data discovery or data-flow mapping, and the GDPR will lead to the development of new technologies for more complex data management. But for the time being you’ll have to strike a balance between automated and manual processes because, in some cases, unstructured data may not be stored on computers or in databases at all: it could even come in the shape of hand-written notes, paper files, etc.
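The inventory step described earlier (identify all data you hold and highlight what is user-identifiable) and the automated discovery tools mentioned here both come down to scanning the stores you can reach and flagging the rest for manual review. As an added illustration, not code from the original post or from any discovery product, the following scans a handful of constructed records (translation-memory segments, a web server log line, a CRM note, and a paper file that has no machine-readable text) for a few personal-data patterns and reports what it found and what still needs a human. The regular expressions are deliberately simple and the record format is an assumption.

```python
"""Added example (not from the original post): a minimal personal-data
discovery pass over constructed sample records. Records without text
(paper files, hand-written notes) are flagged for manual review rather
than silently skipped, which is the automated/manual balance the post
describes.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Simplified patterns for a few kinds of personal data named in the post.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{2}[\d\s-]{7,}\d"),
}

# Constructed sample records; "text" is None where no digital copy exists.
SAMPLE_RECORDS: List[Dict[str, Optional[str]]] = [
    {"id": "tm-001", "source": "translation_memory",
     "text": "Please contact anna.rossi@example.com for the invoice."},
    {"id": "tm-002", "source": "translation_memory",
     "text": "The device shall be stored at room temperature."},
    {"id": "log-017", "source": "web_server_log",
     "text": '203.0.113.42 - "GET /subscribe HTTP/1.1" 200'},
    {"id": "crm-044", "source": "crm",
     "text": "Call back at +39 06 1234 5678 about the tender."},
    {"id": "paper-003", "source": "paper_file", "text": None},
]


def discover_personal_data(records) -> List[dict]:
    """Return one finding per pattern match, plus a manual_review finding
    for every record that cannot be scanned automatically."""
    findings = []
    for rec in records:
        text = rec.get("text")
        if text is None:
            findings.append({"id": rec["id"], "source": rec["source"],
                             "kind": "manual_review", "match": None})
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append({"id": rec["id"], "source": rec["source"],
                                 "kind": kind, "match": m.group(0)})
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count findings per kind, a starting point for the data inventory."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in discover_personal_data(SAMPLE_RECORDS):
        print(f)
    print(summarize(discover_personal_data(SAMPLE_RECORDS)))
```

A real pass would walk file shares, TM exports and database dumps instead of an inline list, and would add patterns for the identifiers your own business holds (IBANs, national ID formats, customer numbers); the point the example makes is that the output must carry both the automated hits and an explicit list of sources that still require a person to look.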
This is a particularly sensitive aspect. The GDPR also requires staff training. Depending on the size of the company, there may be different solutions: online or in-person courses, training manuals and/or documentation. In any case, you must be able to show that your staff has been trained. This could be done through a final test following an online or in-class course, or by having every employee sign each page of their own copy of the documentation.
From the experience of Y2K, we have learned that it doesn’t help to let anxiety take over. It is essential to take stock of the situation, identify the necessary measures and plan their implementation. In the worst-case scenario, the allocated 4% budget will have to be spent in full, but, in any case, you’ll be able to sleep peacefully. If in the end the situation should prove less critical than it appeared at first, there will be a little extra budget to draw on for innovation.