
The GDPR Readiness Report

  • 03 May 2018
  • by Balázs Kis

GDPR wasn’t a high-profile piece of legislation until recently. Now it has everyone’s attention because of the looming deadline of May 24 and the Facebook/Cambridge Analytica scandal. Today, you can’t start a professional conversation or go to a trade event – and escape talking GDPR.


We at memoQ are just as busy with preparations as everyone else; and rightly so, since we work with the data of our customers, users, partners, vendors, employees, and everybody who ever got in touch with us. We engage with our customers on many levels, and most of the time – instead of going undercover to get business intel – we choose to keep it personal. Probably the best example for this is our Customer Insight Program. If we didn’t take GDPR seriously enough, we would risk losing all these channels.

We have a GDPR readiness team that works to get everything ready by the time the sun rises on May the 25th. That being so, I thought it was high time we reported to you on the things we are doing and how the introduction of GDPR will affect you.

Disclaimer: Information and interpretations in this post are from ourselves and from the consultants we work with – please do not refer to this post as official information.

Basics

You would think GDPR needs no introduction – but in fact, I have seen and heard a fair amount of misconceptions about it, so we’d better start with the basics.

GDPR stands for General Data Protection Regulation, and it’s the popular name for Regulation 2016/679/EC of the European Commission. Its purpose is to prevent the dishonest and unsanctioned use of people’s personal data. The basic tenet of GDPR is that you own your personal data, and you deserve complete control over how everyone else can access and use them. GDPR gives you the right to know what data are stored about you, who processes them and how, and where they are transferred. You may also withdraw your consent to the use of your data, or request to be deleted from an organization’s database.

Although it says ‘General’, the scope of the directive is very specific: it protects the personal data of the citizens of the European Union. It does not protect corporate data, and neither does it protect the data of other countries’ citizens. (There are quite a few international treaties for the latter, though.)

What are personal data? Everything that can be used to identify an individual. From the memoQ perspective, it’s usually your name and e-mail address, occasionally your phone number or your address, and maybe the name of the organization you work for. However, it can be any combination of seemingly unrelated details – if that combination pinpoints an individual without any doubt.

What are not personal data? In the memoQ world, a serial number is not a personal detail. The serial number identifies the copy of memoQ or memoQ server you are using – but you may have several serial numbers, or a serial number may belong to several people.

We need some of your personal data before we can give you products or services or certain documents. We don’t ask for these data for nothing: we will use – process – them to your benefit and to ours, in several ways.

Our Privacy Policy has a list of all possible purposes we use your data for. We haven’t written up this list just to be nice. (I hope we are nice, though.) GDPR demands that we be completely transparent about what we use personal data for. What’s more, we must not use these data for anything else, and not for a moment longer than justified or necessary. And in many cases, we can’t even do that before we ask for the express, voluntary, and written consent of the data subject (that’s you).

Basically, GDPR recognizes four grounds for the lawful processing of personal data:

  • One: Required by law. For example, we must keep invoices and all documents (with all the data) that prove a business transaction for eight years, for possible tax inspections.
  • Two: Required by contract. For example, we need to know who you are, and we need to be able to talk to you if we want to give you licenses or provide services.
  • Three: Lawful business interest. We could claim this to send you marketing communication – we could do this without your consent. However, if we claim this, we will need to document that this does not harm you – and we will ask your consent anyway.
  • Four: Based on your consent. This is mostly about marketing – sending offers, invitations to events or surveys, targeting advertisements. We need to be extra careful using data for this, especially if you are not yet our customer, which means that you may or may not want to talk to us.

Let’s clear up some terminology: In the GDPR constellation, you are the data subject (the owner of your personal data), and we are the data controller (the organization that directly collects data from you). However, with some data, you will be the data controller, and we will be an external data processing agent. An external data processing agent is another organization where you occasionally forward data you collected, for a specific action of data processing. A mass e-mailing service is a good example. We also use external data processing agents for certain bits of – mostly – marketing activity. Our Privacy Policy lists those, too.


Protection 101

Collecting, storing, using data, any data, comes with a great deal of responsibility. We have been putting a lot of effort into protecting data – we even had ourselves audited against the ISO 27001 information security standard.

But what does it mean for a data controller like us to protect data, particularly personal data (if the topic of the day is GDPR)? Well, it can be summarized in just four words:
Inventory. Regulate. Guard. Communicate.

Let’s elaborate on these a bit.


Inventory

In data protection, regardless of the regulations, the very first thing you need is to know what data you collect, where they are, who can access or use them, and how you process them. If you yourself don’t know about the data you store, you won’t be able to protect them, or to ensure that the data subjects – people in touch with you – can exercise their rights.

Over the last several weeks, we have gone through and taken detailed notes of all our systems and databases, and all potential external places where we may store personal data – not for the first time and not for the last. This time we put on the GDPR glasses to do this, so we are now in a much better position if we need to show you all the data we have about you (as is your right).


Regulate

Once we know what data we have and where they are, we need to set up internal rules – called policies – on how to deal with them. In other words, we must document our data processing. From the GDPR perspective, this means the following:

  • Processes and systems to protect the data from unauthorized access.
  • Processes to track the data whenever they are transferred.
  • Processes and rules to ensure the data are used for the purposes we published, and nothing else.
  • Procedures for data subjects to exercise their rights (ask for the data, or ask to delete the data, grant or withdraw consent, and file complaints).
  • A policy on how long we keep the data (this is called the data retention policy).


Guard

Now that we’ve written up our policies, we need to implement them. Guarding the data means that we must

  • have eyes on them at all times, and be able to report on their status or whereabouts;
  • protect them from unauthorized access and use;
  • try to track them whenever they are transferred;
  • finally, have early warning if the data, despite all our efforts and defenses, fall into unauthorized hands. (We must notify the supervisory authority within 72 hours after we learn about a breach.)

By the time we began to work on GDPR compliance, we already had an ISO 27001-audited information security system in place. Obviously, we need to inspect it and tighten it up, but we don’t need GDPR to know we have to do that. Information security is never good enough: the fact that defenses and process automation can always be better will surely give us work for the years to come.


Communicate

Transparency is one of the magic words in data protection. Before you ask for data, you need to be very clear about what data you will store and process, and what you will use them for. In addition, you must give the data subject – the person giving you their data – an opportunity to agree or disagree with what you plan to do; to change their mind; or to complain, if it comes to that.

We are currently knee deep in the work to make all this happen.

  • We have published a new Privacy Policy that tells all about the data we are collecting and the things we do with them.
  • We are upgrading several online forms to meet the new requirements.
  • We are implementing new forms where you can ask about the data we store about you.
  • We are preparing a massive e-mailing campaign to let our customers and partners know about the changes. (We are making sure that everyone receives just one e-mail.)
  • We are updating the generic legal agreements to be GDPR-compatible. Most of all, we will include data processing clauses in our General Terms of Service, so that you won’t have to conclude a separate Data Processing Agreement with us.

And when all this is done... but I’d better not speculate because full and perfect readiness does not belong to the realm of possible things.


Tricky situations and the data processing agreement

There are a few tricky questions that GDPR does not answer and that we have to figure out as we go, especially since the authorities tend to take the strictest possible stance on unclear situations. So far, I have found two of these, plus one where we – you and Kilgray – must be careful because of the kind of service we provide you.


Representatives of organizations

GDPR protects the data of individuals, but it does not protect the data of organizations. (This obviously doesn’t mean that we don’t protect the data of organizations – we do, just not because of GDPR.) You may have the right to remove yourself from our system, but if you work for a company – and if we’re dealing with the company rather than with you – does the company want the same?

When this happens, it’s not entirely clear who the data controller is. We are for sure – because we collect data directly from you. But in this relationship, we think your employer is a data controller, too. (In GDPR, employers are always controllers of the data of the employees, anyway.)

We don’t have a magic wand to resolve this. However, when someone from a company wants out of our databases (as is their right), we will always kindly ask their company to give us the details of another, consenting, contact person.


Personal data in documents

If you are a memoQ customer or are considering becoming one, I assume you deal with – translate – documents. Documents that may contain personal data or even sensitive personal data. Normally, you are bound by a non-disclosure agreement with your client, but – what happens if you need to transfer that document to us to solve a problem? Are we expected to be responsible for whatever happens with the personal data in there?

Or, what happens if you import that document on your memoQ server, and assign the job to a translator outside the EU? You may be transferring the document with all those personal data, to another country that the GDPR says is off-limits. Do you think you should be responsible for this?

Finally, what happens if the document gets imported on a memoQ cloud server or a memoQ server that runs in our infrastructure? Will both you and we be responsible for what happens to it?

Authorities say yes. If you receive a document that contains personal data – accidentally from your perspective – and your client does not notify you about this, your relationship violates GDPR. You – or your client – may need to remove or conceal the personally identifiable information (that is, anonymize the document).

If your client is aware of this, they must enter into a Data Processing Agreement (DPA) with you – strangely enough, GDPR makes this their responsibility. You may offer them one by “simply” including the required DPA clauses in your contracts or service terms. We will help you by doing the same in our General Terms of Service, thus offering you a template. We need to do this anyway, since – strictly speaking – we also count as a data processing agent in this relationship.


Personal data you add to servers operated by memoQ

If you use memoQ cloud server, memoQ server, memoQ Customer Portal, or Language Terminal, you will need to add some personal data to your server or to your profile – about your team members as well as your clients. These are usually protected personal data.

If you use any of these products – in case of memoQ server, if you host it with us – GDPR makes Kilgray an external data processing agent. In this relationship, the data controller will be – you.

This means you will need to conclude a Data Processing Agreement with us (see the previous section). We will help you by offering you one: our General Terms of Service will soon be updated with the required data protection clauses.

You will also need to tell your team members and clients that you will process their data in a memoQ system: this is easily done in the Privacy Policy you publish on your website. (Again, you can use ours as a model if you like it.) If you plan to use their details for marketing communication, you will also need to get their consent, if you haven’t done so already – if you just use the data to comply with existing contracts, there is no need to do this.


Supervision and certification

For GDPR, every EU member country will have a supervisory authority that inspects data controllers and accepts complaints. A Privacy Policy (ours, too) must include the address of this authority.

In time, it will be possible for companies to get GDPR-certified. But for now, we don’t know of any auditing organizations that can officially offer this. So, don’t expect a company audited and certified by May 24: no such certification exists. All we can do is keep our eyes open – and we will.


What can you expect in the few weeks to come?

In the weeks leading up to May 24, you will see changes on the memoq.com website, mostly on the Legal page and in the forms – we are currently working to upgrade them.

Plus, if you have been in touch with us in the past few years, you will receive exactly one e-mail. Depending on our relationship, this e-mail will

  • simply tell you about the changes, or
  • ask you to update your contact details if necessary, or
  • ask for your permission again to use your data. You will be able to grant your permission by clicking a link and then checking a check box.

If you have questions about the way we deal with data protection or GDPR, write to data-protection@memoq.com. If you believe you received the wrong type of e-mail or something is not right about your data – again, please write to data-protection@memoq.com. For the time being, these e-mails will be handled directly by the memoQ GDPR readiness team.

May the 24th be with you.