Companies can’t simply outsource the responsibility of data governance and privacy compliance to their vendors. Especially under the new GDPR guidelines, companies have an obligation to conduct due diligence, have appropriate contract terms in place, and monitor the services provided by vendors to ensure they are processing data in accordance with applicable data protection regulations. If there is a violation or data breach caused by a vendor, your organization will be liable. GDPR and vendor management is essential to remain compliant.

A framework for vendor management & GDPR compliance: people, process, technology & metrics:

• identify the right people
• formulate a process for interfacing with vendors
• leverage technology to manage the process
• maintain solid metrics for internal and external compliance purposes

People: A first step is to determine who in your organization should be engaged with vendor selection and vendor management. Identify and assign someone to be accountable within each business team that utilizes vendors. This will help identify the privacy champions who are responsible for complying with company policy on vendor management and for evangelizing a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Office, the alternative may be a committee of stakeholders from the procurement/sourcing, legal, privacy, and security departments.

Process: It’s important to view vendor management as a life cycle. It begins with the strategic choice of vendors and should include a formal intake process. A common misconception is that free or click-through terms are GDPR-safe. Wrong! Any processing of personal data by a third-party vendor must be in scope with a GDPR-compliant vendor-management process, regardless of the cost of the service offering. Another common misconception is that these obligations only apply to processors managing customer data. Wrong! Processors that manage a company’s employee data must also be in scope.

Defining appropriate contractual terms, conducting security reviews, and sponsoring ongoing maintenance and monitoring are part of the cycle. The goal is consistent treatment of data by the company and its processors to maintain compliance with regulatory obligations and promises made to data subjects.

Global companies that are interested in cross-border transfer of information out of certain countries must also pay attention to outsourcing. The data protection regimes in Europe require controllers to provide direction to and monitoring of their data processors. Additionally, acceptable mechanisms for cross-border transfers of data — including binding corporate rules and the EU-U.S. Safe Harbor agreement—require companies to have adequate assurance that onward transfers of personal data will be protected by those providers and vendors. This level of assurance is also required in many of the new laws in the Asia-Pacific region, including the Australian Privacy Principles and Hong Kong’s Personal Data Privacy Amendment.

Technology: Ad hoc vendor inventory and contract record keeping is a recipe for disaster. Many companies struggle with compiling and maintaining a complete inventory of vendors and vendor contracts. This is especially true in organizations where there is no central repository of vendor contracts, or where business teams may keep (or not) copies of vendor contracts locally. Ideally, you should create have a centralized system which will not only track vendor contracts but will also provide robust reporting to flag vendors who process personal data, flag vendor-use by geography and alert stakeholders of contract terms with upcoming renewal dates.

Metrics: With the right technology platform in place, your organization will have superior visibility into your vendor management roadmap and should have no problem tracking progress and measuring milestones. This is key, because you will want to be able to create documentation which demonstrates compliance with GDPR.

Vendor management is a multi-faceted process that requires many steps to ensure accuracy and consistency. Translation and interpreting providers also have a responsibility to ensure they are following the privacy protocols of GDPR. INGCO International works hard to comply with GDPR requirements in relation to the management of all or our vendors as well as recognizing our responsibilities as a vendor to our clients. This blog is not intended as legal advice rather it is our current GDPR compliant process regarding vendor management and our intention to follow industry best practices. Contact us now to discuss your translation and interpreting needs and how we can help ensure your projects are GDPR compliant.

The General Data Protection Regulation (GDPR) sets new rules to improve the management, processing and protection of European citizens’ personal data and information. It is a revision of the 1995 European legislation, the “Data Protection Directive.” The GDPR was adopted because the legislation was interpreted differently by each Member state and was in urgent need of modernization.

Is your translation provider GDPR compliant? GDPR rolls out May 25, 2018 and ensuring compliance now is essential to avoid potential financial consequences.

The GDPR was approved on May 24, 2016. Organizations have until May 25, 2018 to comply with the new legislation. It’s the most important change to the protection of personal information in the last 20 years.

The principal changes are:

• companies will only be able to store personal data on individuals with those individuals’ express prior consent
• people will have the right to request disclosure of the personal data that companies collect about them
• people have the right to demand that their personal data is erased

Who is affected?

In short – everyone. The GDPR applies to all companies and organizations which collect, manage and process personal information, regardless of their size, which are:

• established in the EU
• established outside the EU, but supply goods and/or services to European citizens
• collect personal information and/or monitor the behavior of EU citizens.

Failing to comply to GDPR rules can result in heavy fines of up to 4% of annual turnover.

5 questions to ask your translation provider

Think about the amount of data you share with your translation provider; it is vital to ensure they are complying with all aspects of GDPR.

1. Are you operating in a GDPR member state?

Ensure your translation provider operates in a member state that has signed up to the GDPR and complies with all the relevant regulations. This doesn’t just apply to the translation provider, but to all sub-contractors too, such as linguists and the jurisdictions in which the company’s web servers are based.

1. Do you work within a secure translation management system?

It will no longer be possible – nor is it good practice – to allow your translation provider to send your files for translation via an unsecured email address. A reputable translation provider – and one which complies with the GDPR – works with a secured translation management system; translators use a secure server-based environment to complete their work and are unable to download any files to their personal devices.

1. Do you work with NDAs?

Non-Disclosure Agreements are common practice for a lot of organizations, but they’re becoming more important than ever now. A translation provider that refuses to sign an NDA, or does not already have their own in place, will not in compliance with GDPR. It is also important to ensure the linguists working on your content are also prepared to sign these agreements.

4. Are your tools and technology secure?

Neither your organization nor your translation provider should be using free/open-source machine translation engines such as Google Translate. Besides the fact that they are proven to be laden with errors, you are essentially giving the system a worldwide license to use, host, store and publish the content (definitely not GDPR compliant). Your translation should be using a secured translation management environment which is only available to you and your translation provider.

INGCO International has set in place many measures to ensure compliance with General Data Protection Regulation. Questions? We are happy to discuss our compliance plans with you!