By Raisa McNab, Learning and Development Manager
The General Data Protection Regulation – can’t live with it, can’t live without it – especially if you work for 420 language service providers (LSPs), all clients who face the same conundrum.
It’s been on my mind a lot lately, as I’ve been drafting our own policies, but also because I’ve been involved in putting out LSP GDPR guidance through the Association of Translation Companies. Below, I present five ways to GDPR it – STP style.
To consent or not to consent?
That is the question, especially when it comes to direct marketing. The Information Commissioner’s Office in the UK (ICO) helpfully issued some clearer guidance last week. This came right about when everyone’s inboxes had already jammed up with emails asking for consent to send more emails. But if you haven’t yet sent your consent forms, this might help.
At STP, we’re going for “legitimate interest”. Our direct marketing database only contains translation industry contacts who can reasonably be expected to have an interest in translation services. So you won’t get a consent form from us, but you will of course be able to opt out of receiving our wonderful newsletter or topical blog posts at any time.
We don’t even know what data we have!
Amongst all the hype, it’s difficult to remember that most of the content we translate doesn’t actually contain any personal data. That’s your lawnmower manuals, your mobile apps and your knowledge base translation – and many more.
One of the challenges at this point, of course, is that we don’t even know how much, or little, content we have that contains personal data. Or where it is, within the 60,000 individual projects we handle every year at STP.
Content profiling is definitely the way to go. Once we start tracking what comes in, we’ll know whether it’s 20% or 2% of all projects that contain personal data. Realistically, probably only a fraction of that will contain sensitive personal data, so having distinct content flows will allow us to safeguard those data without going overboard and deleting everything right after delivery.
Can we not keep any TM content?
Translation memories are a tricky one. If you take the ICO’s word for it, having personal data in a database is classed as retaining those data. Full stop. And it’s not OK to keep on doing that indefinitely.
That’s obviously going to be a disaster for the translation industry, so either we need a way of anonymising or redacting personal data from TM content, or we need to make sure our TM use is considered and the risks associated are weighed up.
Many LSPs seem to be taking the approach that restricting TM use to a single client is a good way of mitigating the risks to data subjects, and that’s what we’re doing as well. In addition, tool developers are realising that it might actually be a pretty good commercial stunt to be the first one to give users a redacting tool. We know that Kilgray and SDL are on it, but do tell us if you know of anyone else!
Retention, retention, retention
How long you should retain files sent for translation is pretty much on a par with the age-old question of how long is a piece of string.
We’ve said seven years as a standard and six months for sensitive content. Incoming client agreements have it all: delete immediately after delivery, two weeks after our invoice has been paid, once the contract expires, if there’s a “right to be forgotten” request, and so on.
Does this even matter if the data in question are being stored safely and securely? Probably not. I’d like to think that we can come up with an agreement that doesn’t lead to every single LSP having dozens of different retention periods. This would add to admin and rates, which would adversely impact our clients.
Don’t panic
The ICO estimates that a significant number of UK businesses are not going to be GDPR ready by today (25 May). And the translation industry is not the primary target of the Regulation. In addition, there are only 60 staff for enforcement in the whole of the UK.
That’s not to say nothing should be done. However, in the absence of concrete case law to tell us exactly how to deal with TMs, file retention and supplier agreements, we’re addressing the issues and mitigating the risks as best we can.
If you are yet to do anything about GDPR, the excellent ATC LSP Guide to the GDPR is a good starting point, as is the ITI guide.