Data Privacy and Your Language Service Provider

The proliferation of privacy laws requires greater scrutiny of your Language Service Provider

Last updated: November 1, 2021 10:00PM

Do you know your Language Service Provider’s (LSP) culture around privacy? If not, it’s time to find out. There are a growing number of privacy regulations emerging around the world. If your LSP is out of compliance with your data, so are you.

A Patchwork of Regulations: What’s a Company to Do?

To date, more than 100 countries have legislation in place to protect data and privacy, according to the United Nations Conference on Trade and Development. And, that number is growing. China’s Personal Information Protection Law (PIPL), China’s first comprehensive legislation for personal information protection, went into effect in November 2021. Domestically, California’s privacy law—the California Consumer Privacy Act—took effect in January 2020.

Global companies within the U.S. may be subject to these new regulations as well as to older regulations, like the General Data Protection Regulation (GDPR). GDPR is an initiative that went into effect in May 2018 and gives European Union (EU) citizens more control over their personal information.

To learn more about how Lionbridge’s privacy and security protocols ensure customer data is protected and all regional compliance requirements are met, read our Guide to Privacy and Security at Lionbridge. Learn more about how Lionbridge became the first LSP to receive ISO 27701:2019 certification here.

Guide to Privacy and Security at Lionbridge

Lionbridge’s Chief Trust Officer, Douglas Graham, points to privacy—both generally and within the context of LSPs—as an important trend. At the root of legislative action is the conclusion that people’s information is being overshared. Colorado and Virginia both enacted comprehensive privacy legislation in 2021. Expect other states to follow their lead and more companies to be subject to privacy regulations.

Companies and their LSPs will be required to comply with these new laws. However, adhering to a patchwork of regulations will be challenging. What’s the solution? Comply with the most restrictive regulation that is applicable to your company.

How Will Your LSP Handle Your Data?

At the heart of privacy is the individual. Personally identifiable information is any data that could be used to identify an individual, either by itself (such as a full name) or by combination with other pieces of information. These pieces of information could include the person’s date of birth, social security number or driver’s license, to name a few. LSPs should be expected to handle personal information appropriately and in a way that will not surprise the individual or break the law.

Look for transparency: Your LSP should provide clear guidelines and statements on what they will do with the data and never use it for any other reason.

A trustworthy LSP will not translate material and then use that data for secondary uses, such as marketing to the individuals named in the translated document. Beware of an LSP that offers free or low cost translation. Make sure you are not negotiating away your rights to privacy and enabling the LSP to use your data for other purposes.

You can ensure that your company’s data is processed in a manner that meets your specifications by entering into a contract with your LSP that contains a privacy clause.

Who Should Care About Personal Data Breaches?

Any company that has customers will almost certainly collect private information. If you are sending that data to an LSP, you better know how the data is being handled. If your LSP commits any data breach, you may be held responsible even though the breach wasn’t directly your fault. And, the consequences can be harsh.

A breach in personally identifiable information can result in fines under federal and state laws. Failure to comply with the EU’s GDPR can cost up to 4% of a comany's revenue from the previous year.

If steep monetary fines don’t get your attention, consider other costs, such as increased regulatory scrutiny and loss of trust by your customers. Make sure your LSP doesn’t destroy all the goodwill you have built up.

How Should Your LSP Handle Sensitive Data?

The best thing you can do when working with an LSP is assess whether you really need to send the personally identifiable information to them in the first place. The more copies of the data, the more potential there is for it to be misused or erroneously shared with others. When possible, redact or de-identify personally identifiable information.

When you must send private information to your LSP, make sure your vendor knows how to handle this type of data and is contractually obligated to protect it. Here are some best practices:

When redaction is not possible, a secure file transfer protocol should be used. The information should be put in your LSP’s secure servers.
Your LSP should redact private information, when possible, before sending files to the community for translation.
If redaction is not possible, your LSP should ensure that the information is shared only with authorized individuals.
In certain cases, your LSP should have the ability to use a secure room. The employee will do work in this physical space, but have no access to a phone or paper, and will be unable to remove information.
In rare cases, the LSP should send their employee to the client site so the information never leaves the company.

In addition to these practices, a robust security program is critical to protect the privacy of information. If your LSP does not have security, it cannot have privacy because privacy relies on security.

What Happens to the Data When the Job is Done?

In certain cases, an LSP is required to store data for a specified period of time, but that time frame should not be forever. You should understand what data your LSP is keeping and why it is keeping it. Pay close attention to whether the data contains privately identifiable information.

It is appropriate to save information when a translation memory is being built. A translation memory is a glossary of words and phrases that are repeatedly used to enable translations to be processed faster and more efficiently. A translation memory would not contain personally identifiable information.

How Can You Tell if Your LSP Has a Culture of Privacy?

So, does your LSP have a culture of privacy? This refers to the core behaviors of the LSP and whether or not its employees care about privacy and security.

For telltale signs that such a culture exists, look for:

Monetary resources behind privacy initiatives
The existence of a privacy program that is continuously assessed and enhanced
The education and training of employees on privacy processes

Importantly, there should be a C-level appointment of someone who spends all day thinking about these issues. After all, keeping up with developments in privacy law and the LSP’s subsequent legal obligations is nothing short of complicated.

It is important for you to do some front-end due diligence on your LSP’s privacy policies and practices. It will go a long way towards helping you preserve your company’s reputation and help you avoid financial consequences from noncompliance.