On May 25, 2018, the new EU General Data Protection Regulation (GDPR) will come into effect after a two-year transition period. The main focus of the new regulation is the standardization of previously disparate legislations in the EU member states and stronger protection of personal data. The regulation not only affects European companies but also companies based outside of the EU who work with European companies.
The effective date is coming soon and there are still many open questions—and many possible interpretations of the EU GDPR. Which new rights and obligations are there for companies and private persons? What has Plunet done so far in order to comply with the new regulation? Which security measures should Plunet customers prepare for? We consulted our data protection expert Sufian Reiter—Head of Operations at Plunet—and received some enlightening answers.
Can you please briefly explain what the EU GDPR means for companies? What exactly will change with the new regulation compared to before?
For companies, first and foremost, it means investing more time and effort. All companies need to question, rework, and document their data processing methods – this also includes software applications and contracts. For EU citizens, on the other hand, it means more rights and freedom of decision. For everyone, it will ultimately result in more security when dealing with personal data, and reduces the likelihood of data breaches as we saw with Facebook. It’s not easy to explain it briefly. Essentially, country-specific laws have now been implemented and maintained at EU level, and we now have a prohibition law subject to authority approval. This means that dealing with personal data is generally forbidden, unless it is allowed by the regulation or another legal provision, or the affected person gives their consent.
You mentioned Facebook—an American company. Are their data protection measures also affected by the EU law?
The law protects EU citizens like you and me. It doesn’t matter where the company processing the data is based. As Facebook & co. work with our data, they have to abide by the law. Do they? Actually, US companies have been very quick to follow our EU data protection law. For one thing, it’s a big market for them, and, eventually, a similar law will come into effect in the USA as well.
In your view, what are the most important things for companies to be aware of when following the EU GDPR?
Updating the data protection agreement on the company website is very important. I can imagine that the warning letters will come in droves from June onwards, and that can be very expensive. Contracts with service providers also need to be checked. Service providers that are not based in the EU are particularly important here. And the general way in which you deal with data. You have to ensure that the only people who can access data are those who really need to.
How well-prepared is Plunet for the legal changes and which measures has Plunet taken so far in order to comply with the new law?
It’s not possible to estimate yet, but I think we are doing fine. We have revised all of our contracts. We have edited the data protection agreement on our website. We have documented which data we have collected, when and where – that took a lot of time and effort. We also had to adjust some parts of Plunet BusinessManager. In particular, the principle of the right to erasure is not so easy when it comes to database applications. If you just delete data, it could result in inconsistencies. So we had to modify the application extensively. We have entrusted an external company with carrying out the necessary penetration tests and checking our system every day for security gaps. We also require new agreements with all of our employees. And then there’s the question of what actually happens after May 25, when the courts start administering and interpreting the law. Perhaps we will have to make more adjustments.
What is important for Plunet customers to know and bear in mind?
It is important to remember that it affects everyone. And that Plunet BusinessManager is only ONE part of their business model. They cannot assume that if Plunet is compliant with EU GDPR, then they are too. Plunet assumes the role of the data processor. The customer remains the data controller. It is their job to ensure that the data they collect and manage are secure at all times. Dealing with files is particularly complicated. Plunet works with meta information. We do not actually touch the files—we only make them accessible in projects. But what happens when there are sensitive personal data in these files—and what do I need to secure when I make these data available to a translator in Delhi? This is the responsibility of the customer.
Will there be any more new functions? If so, which ones and when?
The law will be administered on May 25. Then we will see how the courts interpret the legal texts. Will e-mail communication now have to be completely encrypted? If I used the name of a customer contact in an e-mail in 2013 and they now want all of their data to be deleted—do I have to trawl through my e-mails and delete everything that has any connection to this contact? Which type of authentication is appropriate now? Username and password—or rather two-factor authentication? There are a lot of open questions and we will have to wait and see how the law is interpreted. Until then, I can only recommend that everyone protects all sensitive data to the best of their knowledge and ability.
In your opinion, what kind of effect will the new EU general data protection regulation have on future work in the translation industry?
I hope not too much of an effect. A similar law will surely come into place in the USA soon and in the end, we will all have the same legal status. This will now be an issue for the next couple of years, but generally, the bar will be raised a little higher for the benefit of all individuals.
Thank you for the insights!
About Sufian Reiter
Sufian Reiter has been with Plunet since 2008. Initially Head of Sales, he has been responsible for all internal processes as Head of Operations for several years. In addition to technical and economic subjects, the challenges of data protection are also an integral part of his daily work.