Very soon, the new General Data Protection Regulation (GDPR) comes into effect. Both freelancers and translation services, including those which deal with medical translation, should be preparing to implement the GDPR rules if they operate within the EU or have clients based in the EU.
What is GDPR?
This is a European regulatory initiative designed to consolidate data privacy regulations throughout Europe. Preparing for the GDPR took around four years and the EU parliament finally approved the GDPR on 14 April 2016. It does not come into force until 25 May 2018, and companies such as those handling medical translation have worked hard over the last few months to ensure that they are compliant with the regulation. The GDPR is in fact the replacement for the Data Protection Directive 95/46/EC.
The GDPR is designed to regulate how personal data is handled by businesses and organisations in the EU, whether the processing of personal data takes place in or outside of the EU. It also applies to the personal data of subjects in the EU that is controlled or processed when goods or services are provided to EU citizens from outside the EU, whether or not any payment is demanded. If a business operating outside the EU processes any data that belongs to EU citizens, it must appoint a representative in the EU.
In summary, the GDPR applies to any instance that involves the following:
● The processing of personal data of EU citizens (whether the data is processed inside or outside the EU area),
● The tracking of behaviour that occurs in the EU.
The only way the GDPR can be ignored by a business or organisation is if it moves its operations outside the EU and then has no clients or customers at all within EU boundaries. This relates to all translation services that either are based in the EU or handle translations for EU customers.
Why you should definitely not ignore GDPR
If your company breaches the GDPR, a maximum fine of up to 4% of your yearly global turnover or €20 million (whichever is the greater) can be imposed. The maximum fine could be imposed in cases where inadequate customer consent is obtained before the processing of data, or where the core of the concept referred to as Privacy by Design is violated. There is a 2% fine under article 28 of the GDPR for a company which is found not to have its data records in order, or which fails to inform the supervisory authority about a data breach or fails to do an impact assessment. The fining system is a good reason not to ignore the GDPR.
Companies will need to ask for consent before processing data and anything that’s written must be easily understood and not written in difficult legal language.
As far as medical translation is concerned, if you are a medical translator who from time to time translates personal health records, you may need to comply with GDPR. The same applies if you are a translator of legal documents that include certificates belonging to clients, such as birth, marriage and degree or diploma certificates.