After seeing GDPR and AVG abbreviations popping up all over the place – in emails from Google, from the freelancers’ platform PZO, and on social media – and with 25 May fast approaching, and having missed SENSE’s January workshop on data privacy and information security, I thought I’d better take a look at what all the commotion was about. Read on to find out what I dug up and how it applies to freelancers.
What is the GDPR?
The General Data Protection Regulation – or Algemene verordening gegevensbescherming (AVG) as it’s known here in the Netherlands – will soon come into force across the EU. It’s basically a privacy law that tightens up the rules on providing third parties with our data, so that we know what will be done with it and why before we give our willing consent. The new laws are relevant to both our professional and personal lives, as Marianne Orchard indicates in her review of John Yonce’s data privacy workshop: ‘professional because we must protect any personal data of others that we have access to and personal because we should protect our own data.’
For a perfect example of why such a regulation is needed, we need look no further than the Facebook–Cambridge Analytica data scandal, in which the data of millions of Facebook users was handed over to a political consulting firm without those users’ knowledge or permission.
Of course, it’s easy to say, ‘Well what do you expect if you’re on Facebook?’ But even if you’re aware of their business model – i.e., that the advertisers are the real clients and you are just the product – most Facebook users, myself included, have not been persuaded to delete their accounts. Naive it may be, but we assume that companies use our data respectfully and comply with what regulations are in place, for the simple reason that we can no longer do without the plethora of apps and websites at our fingertips.
After all, how else do we keep up with friends and families in other countries and with our kids’ online activities, not to mention our professional networks? How else do we comply with requests for information from our clients, agencies and business contacts? Whether moving house, writing a will, buying insurance, joining a professional association, enrolling at a new translation agency or using our clients’ complicated billing systems, we are continuously filling in our personal data online.
When will it be enforced and to whom does it apply?
The GDPR comes into effect on 25 May 2018 throughout the EU, from which point any large companies found to be in breach can expect large fines. Great news for consumers as it means greater protection of our personal data, including sensitive information such as religion, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sexual life or sexual orientation.
According to this website for small businesses, the GDPR applies to any business that processes the personal data of EU citizens. This includes customer, supplier, partner and employee personal data. In addition, companies processing data that have more than 250 employees, or for whom processing data is a core activity, must appoint a Data Protection Officer or DPO – someone up to date on data protection practices and the legal framework and who is responsible for ensuring that unambiguous consent is obtained from ‘data subjects’, i.e. EU consumers and citizens.
What do freelancers need to do about it?
Naturally, freelancers are way below the threshold of 250 employees. And another nugget of information I found on this website for startups is the following: ‘The Regulation only applies to personal data if it is processed wholly or partly by automated means or is part of a sophisticated hard copy filing system.’ Aha! – nothing to do with me as I’m not processing data.
But does this mean that I can ignore it entirely? I’m still in two minds. My gut feeling and pure logic say no: I have no automated mailing list for sending round emails to clients or business contacts. I have no form on my website for people to get in touch. The only personal data I have of clients that is not already publicly available is the data the tax office requires that I put on my invoices. Some clients ask me to address the invoice to their private address, and some clients’ business and home addresses are the same. Colleagues to whom I sometimes outsource work also give me personal data in their emails and invoices. But who is going to be bothered about me having that data on my computer? Surely I can’t run my business without it?
But on the other hand, regardless of whether or not the risk of a fine is minuscule, it’s no bad thing to think about what data on other people I have on my computer and how it is protected, right? I found more information on how freelancers can prepare for the GDPR on this website of a collective of freelancers in healthcare communications.
Is there anything in particular that editors, translators or copywriters should consider?
When I put this question to the SENSE members forum, several people confirmed my initial gut feeling that this does not apply to freelancers. But others are not so sure. What about personal information in medical, legal or HR-related files that we edit or translate? From my days as a medical translator I remember one particular agency that rarely took the trouble to remove personal information from the texts they sent me, which was clearly in breach of privacy legislation.
In this respect, it seems I need a privacy notice, available on demand or downloadable from my website. This is a public statement of how a company – whatever its size – applies data protection principles to processing data. And I assume this applies to personal data that clients and colleagues provide me by email. The privacy notice tells them what I’m going to do with any information they provide. Fair enough.
Fellow SENSE member and translator Robert Bradley recently had a privacy statement drawn up. He says:
‘To me, it's worth it, and I suspect it might be for quite a lot of translators: not so much because people might start demanding to see what data we have on file, but because we have clients who are subject to the stricter rules and who need to demonstrate compliance. That means that they need confirmation from their suppliers (that's you and me) that everything's sorted out. I'd rather not lose any clients over this.’
Meanwhile, over on good old Facebook, a translator based in the Czech Republic (or Czechia if you prefer) has set up a group called GDPR for Translators (you’ll need to log in first) which has plenty of discussions on the topic, plus resources and tips for both agencies and translators who want to make sure they are GDPR-compliant. There are questions and answers on topics such as deleting old emails and email addresses, cloud storage, websites and privacy statements.
So what is SENSE doing about the GDPR?
Clearly, SENSE as an organization also needs to be on the case with regard to the personal data it collects from members. But more about this in a follow-up post!
Feel free to post your comments below or get in touch to share your experiences with the GDPR.
Sally Hill is an editor and writer for the SENSE blog and newsletter and a British biologist-turned-linguist who runs a business called Scientific Texts.