Like the proverbial ostrich, I’m afraid I’ve left it rather late to get my head out of the sand and start thinking about what I need to do for the new GDPR (or General Data Protection Regulation), which comes into force this Friday, 25 May. Aaaagh! I’ve been aware of its approach, of course I have, but there has always been something more interesting, or paid, or more relevant to do… With time fast running out, however, and at least a little breathing space to think (no more procrastinating!), the time has finally come to sit down and do something.
I know I’m not alone in this. Many translators of my acquaintance have been taking exactly the same approach, while others have been panicking for the last few weeks. Until recently, there has been little help from our professional bodies, the ITI and the CIoL, although they have both produced webinars on the subject for access by members. Unfortunately, these webinars contained conflicting information, leaving colleagues even more confused than ever. I have to confess I’ve only listened to the ITI version, which, for example, seemed to suggest that it was most unlikely that we would need to register with the supervising authority in the UK, the Information Commissioner’s Office, or ICO, whereas the CIoL webinar apparently clearly stated quite the opposite: all freelance translators/interpreters should definitely register!
This morning, I finally received an e-mail from the ITI containing a brief, but informative guide to the GDPR, which throws more very welcome light on the situation and, to my relief, confirms the stance I’m actually taking. This is where it really is useful to be a member of a professional association: we should be able to depend on our professional bodies to take the lead in this kind of area. Inevitably, every translator or interpreter’s circumstances will be different, but this guide should help point you in the right direction at the very least.
There has been much discussion about the new regulation on my various translator e-groups, particularly the ITI German Network, and there is even a dedicated group on Facebook called “GDPR for Translators” with lots of useful information if you’re still floundering. Do check it out: it’s a closed group, but you can ask to be admitted if you are a professional translator or interpreter.
So what conclusions have I come to? After much discussion and reading in various forums, I’ve reached the following main conclusions, most of which reflect the advice given in the recent ITI guidance file.
- I need to register with the ICO as a data controller as I work for direct clients and occasionally outsource to colleagues;
- I need to decide how long to keep data, and audit my records to remove any that exceed the specified time;
- I need to audit my systems for storing personal data so that I can demonstrate compliance with the GDPR.
As far as I can see, these are the main points that I, as a freelance translator and occasional outsourcer, need to be addressing. Although the deadline of 25 May is fast approaching, the main thing is to have started looking at what we need to do and to be seen to be taking steps to ensure compliance. I attended a seminar given by a local business association, TW Mums in Business, a month ago, given by a marketing expert, and this was the general gist of his message. Interestingly, he didn’t seem to think most small business owners present would need to register with the ICO either, so I ultimately found it quite a confusing session, raising more queries than it answered. I was the only translator there, but with other people using Mailchimp and sending out marketing newsletters, I’d have thought they would be regarded as data controllers and therefore need to register… Another query I had related to whether I would need to re-request consent from my blog subscribers. There were a number of people in the audience who seemed bent on offering their own advice (yes, you do!), whereas the presenter seemed to suggest that you don’t (they’ve already opted in without any coercion from you), so I came away really none the wiser – although my head was spinning!
The Facebook GDPR group has probably been one of the most useful sources of information, although I did also call the ICO helpline last week to seek clarification on whether or not I needed to register. Needless to say, it has sometimes been quite difficult to get through to them as the deadline approaches, but I didn’t have to wait too long to speak to a helpful lady who at first seemed to think I shouldn’t need to register as a data processor, only processing client’s data or data for my own administrative records and accounts. However, when I mentioned that I also outsource and therefore decide who to contact and what information to store on colleagues I outsource to, she confirmed that in that respect I am a data controller, and should therefore register. For the sum of £35, it really isn’t worth not registering if you are in any doubt – or just call them and see what they say about your specific circumstances.
In terms of data storage times, it is entirely up to each individual to decide how long they keep data on their systems. I opted for a period of 10 years, but other people have selected shorter times, such as 5 years, which coincides with the length of time you have to keep tax records in the UK. As long as you do what you say, it shouldn’t be an issue. I have added that I will delete data sooner on request, but I can’t be responsible for the content of translations deleted sooner if I can no longer check my original content. I’m sure we’ve all seen cases where your original translation has been changed beyond recognition (and often not for the good!) by a proof reader and you need to have evidence of what you actually submitted.
I spent quite some time last week going through old translation folders and deleting any that went back to before 2008 – the joys of having been in this business for 30+ years! I even had old CD-Roms on which I used to back up translations before the advent of cloud back-ups – not that I’ve had cause to look at any of these in years! I used to use floppy discs before then, but got rid of those long ago – does anyone still have the means of opening them, I wonder?! I ended up cutting the CD-roms with old-fashioned scissors to make them unreadable, but you can apparently get shredders that can process them too nowadays. I tend not to keep paper copies of translations any more, but I did unearth some ancient files relating to a long-term nuclear project that I must have thought worth keeping at the time. I suspect my shredder would spontaneously combust if I shredded them all in one go, so I’m intending to have an old-school bonfire down at the allotment to get rid of any papers exceeding the 10-year mark, along with anything relating to clients I no longer work with or old quotations.
Finally, I need to make a note about how and where I store information. In actual fact, having been in the game so long, my systems are very simple and still mainly paper-based, so I really don’t store client/colleague details in databases or spreadsheets. Any personal data I do have eletronically will mainly be hidden in translations as data processed on behalf of clients, or in the form of accounts/records on invoices or in client folders/e-mails.
Translation memories are an area that has been concerning colleagues, but my understanding of the ICO’s requirements is that we are merely required to make reasonable attempts to identify data. Most personal data that appears in my TMs will be in special file formats and segmented, so would be of little use to anyone looking for lists of data to hack. Again, these will be password-protected on our systems, so as long as we make reasonable efforts to make sure that we do not share our TMs or leave them lying around, I think that should be enough. That said, I have received a link to an e-book from SDL Trados this week which talks about “pseudonymizing content” using an app to protect data during a project by converting it to tags, which you can then convert back when returning the target file to the client. Something to consider in the long-term, or for people with particularly sensitive data, perhaps? See the eGuide to GDPR and your use of SDL Translation Software if you want to know more. I imagine the other CAT tool companies have produced similar guides; I know I’ve seen a link to a MemoQ ebook in the GDPR for Translators FB group.
Phew. Apologies if this is all a little overwhelming. I’ve tried to explain what I’ve done as simply as possible, and I may of course be underestimating what I should be doing, so please don’t take my words as gospel. The main thing is that you come out of the closet and have a good think about how you handle personal data. It’s highly unlikely that the ICO will be interested in pursuing sole traders and small businesses in the early stages, if at all, especially if you can prove that you have taken steps to ensure compliance. Just don’t leave your head in the sand…. Good luck!