By Katie Rigby-Brown, VP Global Finance Solutions, SDL
The upcoming European Union General Data Protection Regulation (GDPR) seems to have caught most businesses – including the financial industry – by surprise. Only a third of companies claim to be compliant (or at the very least on their way to compliance), exposing many to heavy penalties once 25 May 2018 passes. For the most serious infringements, including a mishandled data breach, the penalties run to 4 per cent of annual global turnover or €20 million, whichever is higher, not to mention the untold impact on brand equity and daily operations.
For those not familiar with the new legislation, the objective of this new set of rules is to give citizens back control of their personal data, and to simplify the regulatory environment for businesses. The data protection reform is a key enabler of the Digital Single Market which the European Commission has prioritised, and will allow financial institutions to fully benefit from the digital economy.
Financial supply chain
Despite being more compliance-focused than most, the financial industry is not immune to the dangers of a post-GDPR world.
One of the underlying principles of the GDPR framework is to understand – and control – the customer data you hold: why you hold it, where it is, and who has access to it. In a smaller finance organisation this can be managed fairly easily. But in large multinationals – with customers scattered across the world speaking different languages – the picture is very different.
Multinational banks, insurers and other financial enterprises rely on large teams of translators – both internal and external – to localise everything from marketing collateral to highly sensitive material, including HR documentation and the forms used in the claims and underwriting process. This often involves sharing, storing and collaborating on documents with colleagues and partners across the globe, and every copy that leaves the organisation is personal data being processed somewhere you may not be able to see.
Under the radar
The truth is that many translation activities take place under the radar, and financial firms often have limited visibility of activity across the entire translation supply chain.
This exposes weaknesses even within organisations that have a central policy in place. For instance, most banks have established vendor pools where NDAs and data protection contracts were signed years ago. Those agreements predate the GDPR, so they rarely contain the processor terms the regulation now requires of anyone handling personal data on your behalf, and they do not give you the chain of custody – who held which document, where, and for how long – that you need to demonstrate compliance.
ISO 27001 (and ISO 9001) certification is a useful input when vetting vendors, but it certifies a management system, not a particular workflow: a certified vendor can still route your documents through uncontracted freelancers or unmanaged tools, so certification alone does not mean that the translation process is compliant with the new regulation.
Understand the risk
Financial firms should ask themselves the following questions to understand how their translation teams and processes could affect their GDPR governance.
- Can you be certain that your employees are not unwittingly putting you at risk by pasting customer text into free online translation tools, which send that text to a third party outside any contract and may retain it?
- When was a security review of your vendors and their processes last carried out? Do you know whether personally identifiable information (PII) is leaving the organisation as part of the translation process, and which documents it is in?
- Is your process for handling multilingual content fit for purpose?
- Who is responsible for security across the translation supply chain? Can you identify what happens to your documents after they reach your external vendor(s), including whether they are passed on to subcontractors?
Unless a financial organisation has a challenge-and-demand policy in place – one that questions every ad hoc translation request and requires that vendors can only receive work through a central platform – it has no way of proving that security is designed into the process rather than left to individual judgement.
Any financial business should put these questions to its translation teams, systems and processes, and expect evidence rather than assurances in reply.
Relationships with customers – particularly in this industry – are built on trust. Consumers are more empowered than ever, and they need to know that their chosen bank or insurer takes their data privacy just as seriously as they do. While this presents challenges, it's also a huge opportunity for businesses that get it right.