GDPR, the General Data Protection Regulation, is soon to be introduced across Europe, and is prompting language service providers (LSPs) to update policies and practices relating to their handling of all types of personal data.
The GDPR comes into effect on 25 May 2018 and supersedes the existing Data Protection Directive of 1995. It introduces some more stringent requirements on how the personal data of EU citizens are treated.
Specifically, LSPs must demonstrate that they are compliant in the way that they handle any type of personal data that at some point flows through their business. Personal data means any information by which a person can be identified, such as a name, location, photo, email address, bank details…the list goes on.
Therefore, LSPs need to ensure that all data, from employee records and supplier agreements to client contact information and content for translation, are handled appropriately.
What personal data do LSPs handle?
Aside from the actual content for translation, an LSP is likely to possess a vast array of personal data including Sales and Marketing data (prospective client details, mailing lists, etc.), existing client data (customer names, emails, POs, etc.), HR and Recruitment data (candidate and employee data including CVs, appraisals, addresses, etc.) and Supplier (freelance) data (bank details, contact details, performance data, CVs, etc.).
In this respect, the challenges that LSPs will face are not significantly different from most other service businesses, and there are lots of resources that outline the requirements and responsibilities for complying with GDPR. For example, the Europa website details some key points, and ICO (for the UK) has a self-assessment readiness toolkit for businesses.
What about content for translation?
Content that a client sends you for translation may also contain personal information. Some of these documents are easy enough to identify by their nature (such as birth, death and marriage certificates, HR records, and medical records), but personal data might also be considered to extend to the case where you receive an internal communication from a customer that includes a quote from the company CEO, for example.
It is important to be able to interpret what the GDPR means for LSPs generally, and for your business specifically. The impact of the regulation will become clearer over time, but it throws up some potentially crucial questions in the immediate term, such as:
- What the risks are for LSPs who continue to store personal data within translation memories and machine translation engines;
- What the implications are for sharing personal data with suppliers outside of the EU / EEA, and specifically in countries deemed to be inadequate with respect to GDPR obligations (even a mid-sized LSP would work with hundreds of freelancers outside the EU);
- How binding corporate rules can be applied to LSPs with a global presence;
- Whether obliging suppliers to work in an online environment could help LSPs to comply with certain GDPR obligations.
While the GDPR presents a challenge to LSPs in the short term, it may also affect longer-term purchasing habits within the industry.
For example, if LSPs are penalized for sharing personal data with freelancers located within inadequate countries (of which there is a long list), LSPs could be forced to outsource translation work within the EU / EEA / adequate countries only, or even insource certain language combinations entirely, potentially driving up translation spend for some languages.
Or, if a client company is penalized for sharing personal data with a subcontractor (i.e. an LSP or freelancer) without the full knowledge and consent of the person the information relates to (known as the data subject), will they be more inclined to employ alternative buying models for their language needs: e.g. to source freelancers directly or via digital marketplaces, or implement in-house translation models of their own?
Although most LSPs are well-acquainted with data privacy, there are a lot of unknowns around the impact of GDPR, and LSPs would be wise to tread especially carefully when it comes to handling personal data, in particular post-25 May.
Perhaps the noise around GDPR will turn out to be hot air, but with companies in breach of the regulation facing possible penalties that the GDPR recommends should be “effective, proportionate and dissuasive”, it is essential to get informed, and quickly.