ATA59 Session Review: The General Data Protection Regulation in the European Union – How It Applies to Freelance Translators Worldwide

Review by Heike Holthaus,
CTA Member

January 17, 2019

GDPR. The elephant in the room. No. That’s an understatement. The untamable wildebeest ready to put its foot on the throat of the uncompliant. Yikes!

Perhaps you were introduced to GDPR last spring, when everyone scrambled to have their privacy statements written and translated to meet the May 25th compliance deadline. Perhaps you thought, “Good thing GDPR does not apply to us in the US.” Or does it?

In her session, Monique Longton started out by defining what the GDPR is and summarizing its main purpose:

What is General Data Protection Regulation (GDPR)?

Regulation (EU) 2016/679 to protect data subjects with regard to their personal data (GDPR, Art.1)

  • Data subjects = natural persons living in the EU/EEA (Iceland, Liechtenstein and Norway)
  • ‘Personal data’ = any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art. 4)

What is the main purpose of GDPR?

Gives certain rights to data subjects:

  • Access to your privacy policy (GDPR, Art. 12, 13 and 14)
  • Confirmation whether you are/are not processing their personal data (GDPR, Art. 14)
  • Access to their personal data (GDPR, Art. 12, 13 and 14)
  • Rectification of inaccurate personal data (GDPR, Art. 16)
  • Erasure of personal data (= “right to be forgotten”) (GDPR, Art. 17)
  • Restriction of processing (GDPR, Art. 18)
  • Object to processing (GDPR, Art. 21)
  • Withdraw their consent to have their data processed (GDPR, Art. 13.2.c & 14.2.d)
  • Data portability (GDPR, Art. 20)
  • Not be subject to a decision based solely on automated processing, including profiling (GDPR, Art. 22.1)
  • Raise complaints with a Data Protection Authority

And then the dreaded question: Does GDPR apply to you? (I must admit, deep down inside I was still hoping she would say something like, ‘If you live outside the EU – you’re in the wrong session’. But she didn’t.)

Okay, so:

Does GDPR apply to you?

  • Do you deal with clients in the EU?
  • Website: EUR prices? Languages? References to EU clients?
  • Do you translate files which contain EU data subjects’ personal data (e.g. birth certificate, passport, resume…)?
  • B2B + B2C: professional email address = personal data!
  • It does not matter where YOU live (GDPR, Art. 3)
  • GDPR was implemented in EU member states’ national legislation

Did you answer yes to any of the above questions? Congratulations – you won a seat at the GDPR table! So, now what? How do we become GDPR compliant? Monique offered a 6-step plan to help us with just that.

Step 1: Analyze your business so that you have a clear picture in mind when you create a register and set up legal documentation.

In this step we take a closer look at what we DO:

  • We have a website
  • Contact form?
  • Web analytics tool?
  • We send emails to our clients to keep them informed
  • We exchange files
  • We send warm emails to qualified leads
  • We translate and add segments to our TMs
  • We save our projects and need them for our repeat clients
  • We send invoices to our clients and pay our suppliers

Step 2: List files and organize data – create a register

i. Where is our data?

  • Local electronic storage (computer, local discs, USB device/key…)
  • Online storage
  • Website: Copies of email requests submitted through your website contact form
  • Cloud
  • Online backup systems
  • Email boxes
  • Cookies: IP addresses collected by your website
  • Paper documents (business cards anyone?)

ii. Let’s delete/destroy all data we no longer need!

  • Mandatory retention period?

iii. Create a register with the data you need to keep (GDPR, Art. 30)

Step 3: Tools: Website, contact form, policy banner, cookie banner etc.

Monique labeled your website the “master tool” for GDPR compliance. This is where you post your privacy statement, fulfill the transparency requirement and inform visitors about changes to your privacy policy.

Step 4: Secure your data

Securing our data can be a daunting task. Here are some of the simple first steps that Monique shared with us:

  • Never ever click a hyperlink or open an attached file you do not trust within an email
  • Make sure all your devices are protected against unauthorized access (phone, laptop, desktop, modem…)
    • Use strong passwords
    • Encrypt any sensitive or personal data… anything that is important to you!
    • Don’t keep your passwords on your device (check www.lastpass.com)
  • Never ever ever… send sensitive information over email, text message or any unsecured platform (check www.signal.org)
  • Don’t use the WiFi in public places
  • Back up your data:
  • Keep up with the security news

Next, Monique addressed GDPR requirements regarding data security:

  • Process personal data in a manner that ensures appropriate security of the personal data (GDPR, Art. 5)
  • Data Protection by design and by default (GDPR, Art. 25)

Did you know that the SBA (Small Business Development Administration) offers a free course and a downloadable workbook on cyber security? You can use these tools to set up a 5-step cyber security plan: IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER.

Steps 5 and 6: Translate (transferring data out of the EU) and Invoicing – take steps to make sure we stay compliant when we take care of business.

Monique concluded her presentation with information on protection authorities, ISO standards and what to do in case of a data violation. The incredible amount of very useful resources she shared with the audience is now available on her website.

Thank you, Monique, for showing us how to tackle what for many is this huge, overwhelming task by dividing it into manageable bite-size pieces. Thanks for putting a leash on the GDPR wildebeest!


Heike Holthaus is a CTA member living in Michigan. She is a German native freelance translator with a background in entrepreneurial business.