10 New Year’s Resolutions in the Field of Privacy for Freelance Translators
This post was originally published on . It is reposted with permission from the author.
Do you collect personal data from your clients and prospects living in the European Economic Area (EEA)? If so, give a fresh start to your privacy practices.
1. Clean up your clients and prospects’ personal data
Do you store personal data from your clients and prospects living in the European Economic Area (EEA)? If no legal or contractual obligations require you to keep it, destroy it immediately. Check the legal data retention period that is applicable to you with your local attorney. If you want to keep your translation memories for a long time, anonymize them or clean them up.
2. Have a privacy policy
Here are two options:
- Contact your local privacy attorney as they surely have a privacy policy template. Audit your activity first and be ready to explain what you do, what personal data you collect, and why. Don’t forget that we have now entered the new GDPR era: you need a legal basis to process personal data.
- Craft your own privacy policy. Check your relevant Data Protection Authority’s website. Some of them have templates. Be sure to check the local legal requirements that apply to you on top of the GDPR. Have a privacy lawyer review your policy.
3. Post your privacy practices
Post your privacy practices in a conspicuous place on your website (e.g. the footer). Be transparent. At data collection time, advise the user what the data will be used for on your contact form. Don’t have a website? If you have a trade association, ask them if they can add a section to your profile to post it online. Your clients and prospects will be able to see that you care about their privacy.
4. Make sure the partners you work with adopt appropriate safeguards to protect personal data
Review your translation service agreements: do they incorporate the required data processing addenda?
5. Check the data you collect through the cookies you place via your website
Make sure the data you collect (e.g. IP addresses) is anonymized. Remember, you need to collect your website users’ approval before placing any non-functional cookies on their devices.
6. Attend a cybersecurity forum
Contact your local small business administration or equivalent organization if you have one. They may be organizing cybersecurity trainings where you’ll learn the best industry practices to protect your hardware, software, and data. You can also check whether a free Massive Open Online Course (MOOC) on cybersecurity is offered online.
7. Reduce your chances of a data breach
You don’t need to keep all your data on your computer. Adopt “lean” practices. Think about it this way: the less data on your device, the less data a hacker can get their hands on. Done with a translation project? Encrypt your data, transfer it to an offline device, or choose a reliable cloud service. Under the GDPR, data breaches must be notified within 72 hours.
8. Follow your client’s instructions exactly when you translate a file containing personal data
Use the best security measures to translate files containing personal data. Don’t use machine translation tools unless your client has explicitly instructed you to do so. Under the GDPR, you must not transfer personal data without your client’s explicit approval.
If your client does not understand the source language and you notice the source file contains EEA individuals’ personal data, let them know about it to ensure personal data is adequately protected all the time.
9. Stay tuned to the privacy law evolution
Subscribe to your data protection authority’s or your law firm’s newsletter. Under the GDPR (Art. 59), each data protection authority must publish an annual report on its activities. This wealth of information will allow you to better understand how consumers, even your own clients, use the GDPR framework. It will remind you why you need to obtain your client’s valid consent before launching direct advertising campaigns.
Keep an eye on the proposal for the future EU ePrivacy Regulation.
10. Treat your client’s subject access requests with care
Don’t overlook your replies to the subject access requests you may receive. Establish a routine method to check the identity of the data subjects initiating the requests. Reply within one month. In most cases, you must provide the information free of charge.
Need more resources? Check out my .
Author bio
Monique Longton has been translating legal and financial documents from English, Swedish, and Danish into French for over 12 years. Her expertise with the General Data Protection Regulation (GDPR) and related privacy and data security matters was honed by translating numerous legal analyses, security policies, privacy notices, and data processing agreements.
As a Certified Information Privacy Professional for Europe and member of the International Association for Privacy Professionals, she stays current on industry trends, attends cybersecurity events, and networks with privacy professionals. She is especially familiar with the unique GDPR challenges faced by U.S.-based freelance linguists working for privacy-minded European clients.
