GDPR Compliancy in Any Language
Meridian Linguistics is GDPR Compliant!
Remember the plethora of emails regarding Data Privacy that you started to receive in May? Well, the European General Data Protection Regulation (or EU-GDPR, for short) has arrived, and as of May 25, 2018, is now in effect as law. The dust may feel like it has settled, but have you covered all your bases as a translation buyer or translation provider?
What is GDPR?
If you were not aware of it until now, GDPR (General Data Protection Regulation) is a European Directive that protects the rights of European data subjects (natural persons). It is also designed to strengthen and unify data protection, replacing the previous mandated legislation (Directive 95/46/EC), and to provide greater uniformity to sensitive data handling across the EU (and other international states).
The concept that a living person has a fundamental right to his/her own data flows through the GDPR just as it did through Directive 95/46/EC. And just as with the previous data regulation regime, personal data is considered to be any data that, directly or indirectly, identifies, or can be used to identify, a living individual by any reasonably likely means.
I DON’T LIVE IN EUROPE, DOES THIS AFFECT ME?
Yes. If you conduct any business with European clients, use European vendors, or partner with any suppliers or institutions with links to Europe, you will want to cover your bases on this. Under GDPR, organizations and legal entities on other continents must comply with this legislation, as sensitive data on EU subjects typically travels across international waters and is processed via technology in other parts of the world.
There are a number of key areas worth noting from GDPR:
- Accountability: Data protection must be “by design” and “by default”. Processes must be subjected to privacy impact assessments and be well-documented. Processors, not only controllers, also have direct obligations regarding privacy assurance.
- Data Controller and Data Processor: These are terms that have existed in the past but are now embedded in the legislation to allow organizations to adapt more easily to how the law should apply. As part of the “accountability” of an entity, it is important to define these roles as they apply to you.
A Data Controller is a legal body or entity that receives personal data for processing. For example, translation companies, translators, law firms, accountants, consultants, and really anyone receiving personal data.
A Data Processor is an entity that, well, “processes” the personal data. This can include cloud-based CAT tools, credit card processors, outsourced human resources companies, e-mail marketing clients, CRMs, and more.
The Controller and Processor may exist within a single entity, but in today’s business modelling, it is highly likely that a lot of this automated processing is outsourced.
These terms matter because of the accountability and relationship a Controller has with a Processor. Although the Controller is accountable for the processing and protection of personal data, Processors now share that responsibility, meaning that should a data breach occur at any stage in the relationship, the supervisory authority identifies proportionate blame where applicable. A number of Controllers use Data Processors who are actually sole traders or contracted individuals; although not within the internal function of the Controller, they must also comply with the law in protecting the personal data of Data Subjects to the same level as a Data Controller. This is something to keep in mind when engaging with external parties for outsourcing of business functions. If your company or members of your company function as or cooperate with a Data Processor or a Controller, they may be liable for any data breaches that occur.
- Consent and data rights: Consent must be explicit and limited. Data subjects have the right to request their data, rescind that request, and be forgotten.
- Data transfers: Data transfers outside the EU and specific authorized countries and international organizations are permissible so long as the data controller or processor has taken safeguards in line with the GDPR.
GDPR and Translation services
In the translation project lifespan, clients send their most precious and sensitive data to a Language Services Provider in the interest of having a translator review that data, translate it accurately to the common language and send it back for review, editing and, ultimately, approval. There are many steps in that transaction flow and thus, data changes virtual hands several times over. It is now of paramount importance that both translation buyers and translation providers adopt the GDPR principle of “Privacy by Design” to protect that sensitive data.
On the other side of the wall, this also means that, as discussed under accountability, data processors must now adhere to the same compliance when it comes to protecting the data that has been granted to the translation company for processing. This in turn requires translators and other external parties to comply with protecting the data at all costs, something that has not been expected before. Translation buyers are also responsible for ensuring that their translation provider is GDPR compliant.
After a long and thorough review of internal processes and infrastructure within Meridian Linguistics, it is with great pride that we announce Meridian’s compliance with GDPR (EU 2016/679) Implementation. As of 25th May 2018, the changes necessary to comply with the European Legislation have been achieved.
Therefore, regardless of your relationship with Meridian Linguistics, whether you are a vendor, buyer, or partner, you can rest assured that you are sharing your translation data with someone you can trust. Meridian Linguistics shares your desire to process this information with the discretion you would expect, by implementing policies from legislation set out by the European Commission.
For further information on GDPR, the legislation and its implications for you, you can contact our Data Privacy Partners, SPA Consulting s.r.o.
By Mgr. SB Purdie, SPA Consulting, GDPR Consultant for Meridian Linguistics
Do you need your GDPR documentation translated by a company sensitive to every legal nuance? Contact us here for a free customized quote.