On May 25th 2018, the GDPR changed data protection expectations. It created new individual rights over personal data, required businesses to implement more strenuous protections, clearly defined responsibilities and liabilities for data protection, and made reporting of breaches mandatory.
Fines for violating regulations have risen to €20 million or 4% of annual turnover — whichever is greater. For users of business transcription services, the GDPR has deepened concerns over outsourcing protected data to third-party suppliers. To safely engage with transcription services, businesses need to understand the nature of their data, the policies of their partners and the ability to enforce data protection at every point in the process.
As transcription service specialists, our entire focus regarding the GDPR has been its impact on this industry — and the relationship between suppliers and providers. Collectively, this is our list of the 5 big takeaways to using transcription services and remaining compliant with the GDPR.
1. Understand the internal policies of transcription service providers
Arguably the biggest change brought in by the GDPR was a shift in the responsibility for data protection to the collectors throughout every stage of data processing — and increased requirements to be able to demonstrate compliance. This does not remove responsibilities placed on others using the data, but it means that whenever data you have collected is processed by a third-party, you are on the hook if they cut corners.
If the data you share with a transcription service provider is subject to the GDPR, you not only need to make sure nothing goes wrong, but it’s also your responsibility to actively investigate that all of your partners are compliant in the handling of that data and be able to demonstrate that to the regulator. You need to understand the data protection policies of anyone with data access.
2. Data protection basics need to be standard expectations
The GDPR is about data protection. In addition to following the many unique GDPR reporting and assessment criteria, a central goal is to prevent the loss of data. You are required to report a breach if one occurs.
To prevent reputation damage and regulatory fines, you need to make sure that no silly mistakes occur. This applies equally to both human transcription services and speech to text software/ASR (automatic speech recognition).
At a minimum, make sure that any transcription service partner uses SSL or TLS encrypted log-in portals, encrypted storage protocols, is willing to sign an NDA (non-disclosure agreement), and has ISO 27009 and 9001 accreditations. Then, read some customer reviews to check for horror stories.
As we will cover, there is more that you need to investigate, and the nature of your data might trigger different GDPR requirements, like undertaking DPIAs (data protection impact assessments) or appointing a DPO (data protection office). But these are the very basics of keeping data safe online.
3. Not every transcription service is able to enforce their SLAs (service level agreements)
Getting guarantees from your data processing partners (including transcription services) about how they treat your data might keep the regulator off your back. But it won’t guarantee that your data remains safe, and in the face of a breach, you never know how kindly anyone will take your claims about ‘SLAs’. You will be required to publicly report and breach, and the public isn’t likely to be very interested in ‘mitigating circumstances’.
Something to think about with human transcription services is who is transcribing your data. The production of transcripts is often offshored to reduce costs. These distributed and high-turnover networks make it hard for transcription services to actually guarantee that ‘best practices’ are always being followed, and distances and different jurisdictions can make it hard to pursue violations when they occur — making it more likely that someone will look to take advantage of the system.
The GDPR puts some responsibility on you to make sure that compliance is maintained by your partners. Even if you avoid regulatory trouble, you will still be in trouble with your customers. Paying more for transcription services that keep their transcribers in-house can make all the difference under certain circumstances.
4. Using transcription services subject to the GDPR is the safest option
One of the best ways to shortcut compliance is to pick transcription partners that are, themselves, subject to the GDPR. This is no guarantee, and anyone handling EU citizen data is technically liable under the GDPR, but picking businesses already operating under the GDPR does increase the likelihood that they understand their responsibilities and are compliant.
For English speaking transcription services, this broadly means sticking to UK based companies. However, again, it is important to look for partners who keep their transcriptionists in-house. If they send your data outside of direct GDPR jurisdiction, you might as well have done it yourself in the first place.
5. Partnerships help guarantee security
By finding trusted transcription services and striking long-term partnerships, you can remove a lot of the burden of compliance. You remove the need to constantly review new internal policies, and it makes it easier to show your commitment to security. When you need to make sure everything goes to plan, turning to people you have built trust with through experience is always the best bet.
Building long term partnerships with transcription services can bring other benefits. This might include bulk discounts, reduced fees for extras, faster turnarounds or simply better customer service. A lot of businesses have found success with the GDPR by strengthening relationships across data processing supply chains.
BONUS: Transcription services can help you comply with other reporting aspects of GDPR
Although the processing of any data has become more complicated since the GDPR, transcription services themselves can help you remain compliant. As we have said, being able to demonstrate compliance is a large part of remaining compliant. You need to be ready for an audit by the regulator. You also need to be prepared in case something completely out of your control does happen.
A main feature of transcription services is to create exact, searchable and direct records of events. You can use the connections you already have to produce transcriptions to keep internal records about your data protection policies, and demonstrate your efforts to ensure compliance by your partners. Just one tool in your reporting arsenal, transcription services can help make all of your data processing partnerships more transparent and GDPR compliant.