With only a few days to go, many businesses all over the world are preparing for the moment the General Data Protection Regulation (GDPR) comes into effect. Translation agencies and freelance translators alike should be prepared to implement the rules of the GDPR as well, but among freelance translators especially, the lack of interest or knowledge of this highly complicated matter seems striking. What is the GDPR actually and what should translators do to be prepared? Read the answers on 10 important questions.

For Spanish-speaking readers: Fabio Descalzi translated this post into Spanish. You can read it here.

1. What is the General Data Protection Regulation?

The General Data Protection Regulation, in short GDPR, is a European regulatory framework that is designed to harmonize data privacy laws across Europe. Preparation of the GDPR took four years and the regulation was finally approved by the EU Parliament on 14 April 2016. Afterwards there was a striking silence all over Europe, but with the enforcement date set on 25 May 2018 companies have worked increasingly hard in the past months to make sure that they uphold the requirements of the regulation.
The GDPR replaces the Data Protection Directive 95/46/EC. It was designed to protect and empower the data privacy of all European citizens and to reshape the way organizations approach data privacy.
While the term GDPR is used all over the world, many companies have their own designation. For instance, in the Netherlands the term is translated as ‘Algemene Verordening Gegevensbescherming’ (AVG).
More information about the GDPR can be found on the special portal created by the European Union.

2. To whom does the GDPR apply?

The GDPR applies to the processing of personal data by controllers and processors in the EU. It does not matter whether the processing takes place in the EU or not. It is, however, even more extensive as it also applies to the processing of personal data of data subjects in the EU by a controller or processor who is not established in the EU when they offer goods or services to EU citizens (irrespective of whether payment is required). Finally, the GDPR applies to the monitoring of behaviour that takes place within the EU as well. If a business outside the EU processes the data of EU citizens, it is required to appoint a representative in the EU.
So in short, the GDPR applies to every instance that

• processes personal data from EU citizens (whether they process these data in the EU or not),
• monitors behaviour that takes place in the EU.

In fact, this means that companies inside and outside the EU that offer or sell goods or services to EU citizens (paid or not) should apply the principles.

3. Controllers, processors, data subjects?

Yes, it is confusing, but let’s keep it short:

• Controllers are parties that control the data.
• Processors are parties that process the data, such as third parties that process the data for … ehm controllers.
• Data subjects are parties whose data are controlled and processed by … you guessed it.

A controller is the entity that determines the purposes, conditions and means of processing personal data. The processor processes the personal data on behalf of the controller.

4. Sounds like a business horror. Can I opt out?

Not in any easy way. Oh wait, you can by moving outside the EU, getting rid of your European clients and clients with translation jobs about their European clients, and only focus on everything that is not EU related. But staying safe is much easier for the future, although it offers considerable hassle for the time being.

5. What happens if I do not take it seriously?

Of course the European Union thought about that before you did and they included a generous clause: if you breach the GDPR, you can be fined up to 4% of your annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, like insufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines. For instance a company can be fined 2% if it does not have its records in order (article 28), if it does not notify the supervising authority and data subject (remember?) about a breach or if it does not conduct an impact assessment.

6. So adhering to the GDPR is a no-brainer?

Yes indeed. Although you certainly should use your brains. Until now it was easy to impress all parties involved by using long and unreadable contracts, but the GDPR finally puts an end to that. Companies will no longer be able to use long unintelligible terms and conditions full of legalese. They need to ask consent for processing data and the request for consent must be given in an understandable and accessible form. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Apart from that, all data subjects (just to check) should be able to withdraw their consent as easily as they gave it.

7. So I need to involve all people for whom I process data?

Yes. You need to ask their consent, but you need to give them access to the data you hold about them as well. EU citizens from whom you collect or process data, have a few rights:

• Right to access
  People can ask your confirmation as to whether or not personal data concerning them is being processed. They can also ask where these data are processed and for what purpose. If someone makes use of their right to access, you need to provide a copy of the personal data in an electronic format. And yes, that should happen free of charge.
• Right to be Forgotten
  The right to be forgotten entitles the people you collect data from to require you to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. There are a few conditions however: article 17 states that the data should no longer be relevant to the original purposes for processing, or a data subject should have withdrawn his or her consent.
• Data Portability
  The GDPR introduces the concept of data portability. This grants persons a right to receive the personal data they have previously provided about themselves in a ‘commonly us[able] and machine readable format‘. EU citizens can than transmit that data to another controller.

8. What are these personal data you are talking about?

The GDPR pivots around the concept of ‘personal data’. This is any information related to a natural person that can be used to directly or indirectly identify the person. You might think about a person’s name, photo, email address, bank details, posts on social networking websites, medical information, or a computer IP address.

9. How does this affect my translation business?

As a freelance translator or translation agency you are basically a processor. (And if you are an EU citizen you are a data subject as well, but let’s keep that out of the scope of this discussion.)
The actual impact of the GDPR on your translation business differs greatly. If you are a technical translator or literary translator, chances are that you do not process the personal data of the so-called ‘data subjects’. In that case compliance should not be a heavy burden, although you should, of course, make sure that everything is in order.
However, if you are a medical translator for instance, translating personal health records, or if you are a sworn translator, translating certificates and other personal stuff, you have somewhat more work to do.

10. Great, you made it perfectly clear. How to proceed?

The best approach to ensure compliance with the GDPR is to follow a checklist. I’ve done some research and there are plenty of them on the Internet. You might chose this 5-step guide for instance. However, if that sounds too easy you might use this 10-page document with complex language to show off your GDPR skills.
You will find a short summary below:

1. Get insight into your data
Understand which kind of personal data you own and look at where the data comes from, how you collected it and how you plan to use it.

2. Ask explicit consent to collect data
People need to give free, specific, informed and unambiguous consent. If someone does not respond, does not opt in themselves or is inactive, you should not consider them as having given consent. This also means you should re-consider the ways you ask for consent: chances are that your current methods to get the necessary consent are not GDPR compliant.

3. Communicate how and why you collect data
Tell your clients how you collect data, why you do that and how long you plan to retain the data. Do not forget to include which personal data you collect, how you do that, for which purpose you process them, which rights the person in question has, in what way they can complain and what process you use to send their data to third parties.
NOTE: This needs thorough consideration if you make use of the cloud (i.e. Dropbox or Google Drive) to share translations with clients or if you use cloud-based CAT tools for translation.

4. Show that you are GDPR compliant
The GDPR requires you to show that you are compliant. So identify the legal basis for data processing, document your procedures and update your privacy policy.
NOTE: If you are outsourcing translation jobs to other translators, you should sign a data processing agreement (DPA) with them.

5. Make sure you have a system to remove personal data
Imagine what happens when someone makes use of their right to access or to be forgotten. If you do not have their data readily available, you will waste your time finding it and risking still not being compliant. So make sure you have an efficient system to fulfil the rights of all those people whose data you are processing.

So, the GDPR is no joke

It is definitely not funny for any of us, but we need to comply. To be compliant or not to be compliant: that is the question. The easiest way is to do that is the required Privacy Impact Assessment, so you know which data you collect or process and what the weak links and bottlenecks are. Following an easy guide will then help to establish the necessary controls. Opting out is not an option, but making sure your data subjects (still know what they are?) are opting into is.
Good luck. Once you are ready, you can easily forget what a pain that implementation actually was…