The acronym on everyone’s lips is GDPR. As the translation industry gets to grips with how to comply with the General Data Protection Regulation in practical terms, we thought we’d give our network some tips to help them make sure their translations are going in the right direction.
As we’re sure you’ll be aware, Personally Identifiable Information (PII) in any communication or documentation travelling outside of your organisation is something to focus on when considering translation as the PII may be travelling to countries where GDPR or equivalent laws aren’t in place. As a ‘data controller’ of any PII you send, your responsibility extends to any materials needing to be translated.
GDPR-compliant market research translation
Our market research clients will be aware that there may be PII in surveys they send to us for translation. For example, the front page of the survey may say if you have any questions regarding this survey contact xxxx at firstname.lastname@example.org so respondents know who they can get in contact with. However, in order to leave this PII in the document, the company sending it would need to obtain permission from the person whose email address is on the survey beforehand. They should also confirm to their Language Service Provider (LSP) that this permission has been obtained.
Another opportunity for PII to slip by undetected is in survey responses. Market research agencies can anonymise any responses sent out for translation or coding, by removing columns containing PII, limiting the risks to a certain extent.
However, as we have seen first-hand at The Language Factory, respondents may, without thinking, include information in their responses which identifies another person. For example “I really like XYZ Airline; Joe Bloggs from their customer service team is very proactive.” We would recommend including a reminder in the survey questions not to provide any information in their answers that could identify a person.
Easy ways to stay compliant
There a few things it would be good to get into the habit of doing in order to adhere to GDPR and to keep the translation process as streamlined as possible.
- Only send PII over email if you have permission to do so, for example, sending your LSP your colleague’s contact details, such as name and email address, so they may contact them about a project in the event of your absence.
- Make sure your LSP is familiar with GDPR and their obligations as a ‘data processor’
- If you need to send documents for quoting and translation, which contain PII, consider using an FTP site rather than email.
- Check your document through for PII before sending it to your LSP and gain permission for any PII you want to remain visible. The rest of the PII should be removed if your documents will need to be sent to a translator residing in a country outside of the EEA or other “adequate” countries as they won’t be covered by GDPR or equivalent laws
Countries in the EEA are considered “safe” for sharing PII, these are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and United Kingdom.
Countries outside the EEA, considered to have “adequate” laws for sending PII are currently: Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks are also in place to enable companies to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.
How The Language Factory is handling GDPR compliance
At The Language Factory, we’ve been keeping up to date with practical recommendations for GDPR, including translation and market research industry specific recommendations from the ATC, ITI and MRS.
As part of our GDPR compliance, among other things, we’ve doubled checked that:
- Our IT systems and processes are secure and compliant
- We only keep personal data for as long as we need to and under the correct legal basis
- All third-party suppliers, such as our email marketing platform, adhere to GDPR law
And, despite not often handling sensitive information or PII within our translations, we’re asking all of our translators to sign updated agreements containing even more secure working practices to comply with GDPR.
If you have a project you’d like our help with, please send us your details using the form below or call us on +44 1727 862722. You can find out more information about our services here.