The GDPR (European General Data Protection) goes into effect on May 25, 2018. Put simply, the EU’s new data regulation brings big changes for how companies are allowed to treat the personal data of EU residents. Many LSCs have the same question: how will the GDPR impact my business?
Does it apply to me?
Baker Tilly recently revealed that an astonishing 90% of companies are not prepared for GDPR compliance. In fact, many companies are not even sure if the GDPR applies to them. Since companies face hefty fines if they are not GDPR compliant by May 25th, it’s best to know now if the GDPR applies to you.
GDPR applies to all companies that regularly process EU residents’ personal data. First, ask yourself: do I process data from EU residents? This is an easy “yes” if your company is based in the EU or if you work with EU clients. In this case, the GDPR considers you as a “data controller,” and the regulation applies to you.
What does the GDPR change?
Once you know the new regulation applies to your company, you can start to prepare for the changes. And the changes are many!
The GDPR aims to protect individuals’ right to personal privacy. Specifically, the regulation impacts how LSCs collect, process and store personal data. That is, anything that sets apart an individual as him or herself.
Looking forward, Deloitte also identifies the following as key changes of the GDPR.
Increased territorial scope
The GDPR applies to all companies that process personal data of people who reside in the EU. This means that companies located outside of the EU still have to comply with the regulation if they process any data from EU residents.
Explicit and retractable consent
Companies must collect consent in an easy to understand form using clear language. Users should be able to just as easily withdraw consent as give it.
Right to access and portability
A person can ask for confirmation of whether or not you are processing their personal data, where it is processed and why. You also need to be able to give a copy of all personal data for free in electronic format.
Notify breaches within 72 hours
Any breach that is likely to “result in a risk for the rights and freedom of individuals,” must be reported within 72 hours from the time you become aware of the breach.
Privacy by design
Now, companies must include data protection from the beginning of system design. It shouldn’t be added in as a later addition.
Right to be forgotten
A person is entitled to ask you, the data controller, to erase his/her personal data, to no longer disseminate it, and potentially ask third parties to stop processing the data.
Appoint a data protection officer
Each company will need to appoint a data protection officer to demonstrate compliance to the GDPR and compensate for the GDPR no longer requiring notifications/registrations of data processing activities. Who the data protection officer is will look different for small versus large companies. In some cases, small companies can appoint a staff member as the data protection officer.
How can LSCs prepare?
LSCs need to make sure that all data, from actual content for translation to existing client data, supplier data and employee data, is handled properly. Prior to May 25th LSCs should thoroughly review current data protection policies.
Look at how you process and document data
Contrary to past legislation, the GDPR now holds companies accountable for complying with data protection regulation. In order to prove compliance, companies must document all processing activities (this includes data processing, data sharing and data storage). A data protection expert can help evaluate your process and suggest strategies for GDPR compliance.
Another key point is that the GDPR will treat small businesses differently. For example, SMEs might not have to keep the rigorous documentation of processing activities that larger companies must maintain. Overall most LSCs fall into this category as a company with less than 250 employees.
Talk with your team to raise GDPR awareness
Compliance with the new regulation will involve your entire team, so you need to make sure everyone is aware of what personal data is and what GDPR standards are. Essentially, the GDPR divides personal data into separate groups that should be treated differently:
General data includes information like name, age, sex, birth date, citizenship, IP address and photograph.
Organizational data includes business/personal address, phone number, email or national identification numbers.
Sensitive personal data
Sensitive personal data includes “special category,” data such as race, political and religious beliefs, health, criminal offences and sexual orientation. Genetic and biometric data also falls under the sensitive data banner.
Find out what personal data you process and where
More often than not LSCs spread out work through freelance translators. Perhaps even international offices. In a recent presentation at the EUATC’s T-Update Madrid, data protection and IT security compliance expert Eva Skornickova noted that the GDPR applies to: “both in-house and outsourced paper storage, ICT systems, client centers, processes and activities, security, personal data, consents, knowledge and know-how.”
To list a few examples, LSCs commonly process data via translation tools, marketing platforms and outsourcing.
Translation tools that store personal data such as client names, translation memories and so on need to be GDPR compliant. If the company behind your tools is based in the EU, they are also required to comply with GDPR. If they’re not located in the EU, you’ll need to do more research. A professional in data protection will be able to advise you on your specific situation.
If you’re a memoQ user like us, check out their extensive guide on preparing for the GDPR.
Marketing platforms that have access to clients’ personal data must be GDPR compliant. For example, say you send emails to clients via Mailchimp. Well, Mailchimp is an American company. Is the company compliant? You’ll have to do your research. It’s a tedious task, but an important one; you are ultimately responsible for how you use your clients’ data.
By the way, you Mailchimp users: they have a form you can use to make sure your list is GDPR compliant.
Outsourcing is another important consideration. Generally speaking, many LSCs work with freelance translators outside of the EU. Look at where and how you outsource. Although sharing personal data with freelancers in the EU should be no problem, freelancers in countries that the EU considers inadequate for GDPR compliance could present complications. Perhaps some LSCs will have to change how they do business and begin to outsource through a GDPR-compliant online environment.
Update how you ask for consent
Consent under the GDPR must be explicit. To use the email marketing example above, this means that consent is no longer as simple as an unsubscribe link. A link can help data subjects to withdraw consent, but you need a positive sign of consent. You also want to take a look at your privacy notice to make sure you include information on how data subjects may exercise their rights.
Leverage the opportunity to connect with clients
When you review consent for existing clients, take the opportunity to reach out to clients directly. After all, what’s not to learn about asking what your clients are interested in receiving from you. Ideally you can start conversations that will build trust and a stronger relationship.
LSCs have the privilege of building relationships with people from all over the world. In the end, everyone, whether an EU resident or not, should have the right to the highest standards in data protection. Not only is protecting client data simply the right thing to do, it also builds trust. Here at Word Connection, the team has always taken data protection seriously and we are fully GDPR compliant. Like for all LSCs, building trust and relationships is what business should be all about.
For a more comprehensive guide to the EU’s General Data Protection Regulation, the UK’s Information Commissioner’s Office (ICO) has an easy-to-read, helpful publication: Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.