Leaked in translation

by
Privacy in translation: Leaked in translation - rats eating the leaked data

Translators need to think carefully about privacy

Privacy in translation

Do you know if your workplace lives up to the e-Privacy directive? Or the GDPR? If your data ombudsman rang you and asked to see your privacy impact assessment, would you say “Sure, I’ll mail it right away”, or just “Errr…”.

Data privacy is becoming an ever more pressing issue. It rarely (as yet) hits the headlines, but organizations that should have known better are getting into hot water because they have not thought through the privacy issues involved in their work or the tools they use.

Perhaps you think “Oh, that doesn’t apply to me, it’s only for Googles, Amazons and Tik Toks”. Really?

Our company is a small translation agency based outside the EU. Not the kind of thing that would draw the attention of Margrethe Vestager, the EU’s fearsome competition commissioner, but we realized we needed to think about privacy in translation and to be sure we are compliant. Why? Because our clients and partners need to know that their data is safe.

Where do these laws apply?

Well, the country we are based in has data laws that are pretty well a copy/paste of the EU’s. Secondly, since we sell services around the globe, including in EU member states, EU data law applies to us. We handle clients’ and suppliers’ data, some of it personal and some of it classed as sensitive: we have the role of data controller.

So a while back we analyzed our data flows. We got quite a surprise.

What kind of data do we collect?

Some of the least sensitive data includes client’s identity data, as this is usually publicly available through business registers, advertising and so on.

The next most sensitive may be suppliers’ personal data. Each month we engage with somewhere between 100 and 200 freelance translators in various countries, and we need to be sure who they are, what their skills are, and how to pay them. In the wrong hands and in combination with other data taken from the web, this could be used for identity theft.

The most sensitive data we handle is perhaps clients’ documents that we translate, which may contain personal data including health records or financial data, or it may contain business secrets.

How can it leak?

Leakage can occur when either we, a client or a supplier receives, stores or sends data. When we looked at the list of these people, we realized just how many they are, and what diverse systems and devices they use, each with its own risks.

Did Lars, a Spanish-Swedish translator in Göteborg, use an outdated version of MS Outlook? Was Franz careful about clicking on links in dubious e-mails? Did Françoise keep her documents on Google drive? Did our Korean partners use cloud services and if so could their data be stored in California? Where do our accountants keep our invoicing data, and for that matter, what about the tax authorities?

You’ll be thinking of the danger of getting hacked, but there’s probably a greater chance of losing it in ways you think are entirely legit. Data handled by Big-Tech has been prone to serious leakage. What’s more, it may be brazenly sold to data aggregators (or swiped by them, like the case of Cambridge Analytica), companies that use it for worryingly unknown purposes. These guys can put it together with other stuff they dredge up and generate a picture of you so detailed it would make you gasp.

Think I’m exaggerating? Take a look at this article about your innocent TV.

Big Tech also tends to store your data wherever in the world is most convenient, often in countries like the USA, which is currently considered unsafe territory under some decisions taken under EU law.

But what can we do about it?

It turns out a whole heaping lot. First, you just have to realize that the legislation is entirely reasonable. What’s more, it doesn’t take a legal expert to understand what’s at stake. (If you think it’s complicated, read this book by Heather Burns, it’s a pearl. )

The principles are easy. Let’s run over them.

Why do you keep it?

First, the less you have, the less can be lost, so keep it to a minimum and give as few people as possible access to it. Use it only for the purposes you need it for and that the owner has agreed to. Secondly, keep it correct, relevant, and up-to-date. Give it an expiry date, then delete it unless the owner wants you to renew it.

Who gave it to you and why?

Make sure the owner knows what you have and what you do with it. Make sure they can correct it. Let them know their rights. If they ask you to delete it, delete it.

Ah, but can you keep it safe?

Data security has both organizational and technical dimensions. Many clients will make you sign an NDA (non-disclosure agreement). Do the same with anyone who has access to your data. Put a clear confidentiality clause in your staff contracts and train them to understand what’s at stake.

Ask freelancers to work on your own server rather than their own unsecured hard drives, which probably run old (or perhaps even worse, new) versions of Windows. If you really have to send them documents, make sure your contract says they must delete them when their work is done, and remind them of it. Check out their mail arrangements and encrypt whatever you mail them. (Remember that Google, for example, keeps all gmail forever, even if you delete it. What they will do with it is anyone’s guess.)

As for technical security, no system can be completely watertight, but you can do a lot. We have steadily developed a raft of measures over the years: our own secure mail and data servers, no documents in the cloud, several layers of backup, active threat monitoring, staff training, something new all the time.

Of course, privacy in translation has to be in special focus for sensitive data whose theft could result in people getting cheated or even hurt: a person’s race, religion, health, sexuality, location, biometric data; a company’s accounts or research work. Some clients ask for a dedicated secure mail service like Egress, or even hand delivery.

And if something should still go wrong?

The essential thing is to keep track of everything, so if the worst comes to the worst, you know what’s happened. Fix problems as soon as you discover them, and if you suspect data theft, inform the owners and the authorities immediately.

But if one day…

Your screens go blank, and a message asks you to pay up or be forever locked out of your data…

Nothing is 100% secure, but if we recognize this and do the few sensible things the law asks us to, we can limit the chances of getting it badly wrong.

Privacy: Leaked in translation - rats removed, but bigger dangers lurk