Translating professional documents often carries the risk of sensitive data being leaked or misused.
This article examines the importance of identifying potential vulnerabilities in order to ensure confidentiality and compliance, and outlines strategies to mitigate them right from the translation process:
- The rules that govern the confidentiality of translations
- The methods available for you to protect your data.
Translating sensitive data – a risk that is often overlooked
While companies are careful to implement cybersecurity solutions to protect their internal data, they are sometimes less cautious when it comes to translation.
The translation industry has borne witness to several major data protection incidents. The most emblematic case remains that of Statoil in 2017, where the use of the free Translate.com service led to the public disclosure of confidential documents.
The Norwegian press agency NRK discovered that contracts, emails, staff member contact details and other sensitive information from the oil giant were freely accessible via simple Google searches.
Translating means exposing sensitive data
A data breach can have serious consequences, particularly due to the nature of the documents translated.
As the Statoil example shows, the documents involved can be critical, and their disclosure can have serious repercussions: breach of patient confidentiality, access to staff contact details, disclosure of business strategies, etc.
Not to mention the financial consequences – the average cost of a data breach will reach 4.4 million dollars in 2025, and the GDPR sets fines of up to 20 million euros, or 4% of a company’s turnover, in the event of a breach of its provisions.
Translation methods that do not always meet security requirements
In the translation industry, the number of people involved in the process presents a risk. To get their documents translated, companies use online tools and rely on freelancers and agencies, who sometimes use subcontractors themselves. This increases the risk of data breaches, and the protocols designed to ensure data protection (NDAs, access control) are not always up to the task.
However, there are regulatory and legal frameworks, in particular the GDPR, ISO standards and specific agreements in place.
What rules govern the confidentiality of translations?
The GDPR and translation – what the law says
The GDPR (General Data Protection Regulation) defines the guidelines when it comes to collecting and processing the personal data of European Union citizens. If a translation contains this type of data, the GDPR applies and the translation service providers (known as “data processors” in the Regulation) are subject to different obligations. For example:
- The data processor cannot hire another data processor without the prior, written consent, whether specific or general, of the data controller (the client).
- Having the data processed by a data processor must be governed by a contract or other legal document.
- Personal data must not be retained for longer than necessary.
ISO standards and certifications
There are also different standards and certifications that cover the data protection measures implemented within an organization. One example is the ISO 27001 standard, which provides guidelines for the establishment, implementation, updating and continuous improvement of an information security management system. More specific to the sector, the ISO 17100 standard describes the requirements for the processes necessary to provide high-quality translation services and, in particular, guarantees the confidentiality of client information. When you use certified service providers, you reduce the risk of your data being leaked.
NDAs, contractual clauses
Data may also be protected by non-disclosure agreements, more often known as NDAs. These agreements force all parties (clients, agencies, translators, interpreters, sub-contractors) to comply with strict confidentiality rules and outline the specific consequences in the event of failure to comply with the clauses. The most reputable translation agencies ensure all their freelance linguists and staff sign these agreements as soon as they join the team.
How can you protect your translations?
What are the best practices to implement to protect your data during the translation process?
Select a qualified and certified language services partner
To ensure your sensitive data remains confidential, you need a competent and reliable translation service provider.
How can you evaluate them?
- Request information about the procedures in place within the organization, for example, relating to audits and continuous improvement.
- Ensure that the service provider, if it is an agency, works exclusively with professional translators who have signed non-disclosure agreements – this is the case for all agencies that are ISO 17100 certified. The ISO 27001 standard (covering information security management systems) is another good indicator.
- Don’t forget to find out about the software used and the IT infrastructure. If need be, ask for advice from your IT or legal department. You should know that serious service providers will be happy to answer all your queries before you start your project.
Adopt secure workflows
The entire translation workflow must be secure:
- Sensitive documents must be downloaded using a secure method, such as an FTP server or a password-protected portal.
- Once the service provider has received the files, they must be protected by access controls and encryption.
- The translation tools used must offer high security standards, such as two-factor authentication. Only individuals directly involved in the project should have access to the documents.
- All tasks and communication relating to the project must go through official channels that have been approved by the IT department, with no shadow IT.
Raise awareness among your in-house teams
From your perspective, your in-house policy must incorporate the principle of protecting sensitive data “by design.”
Your teams should be aware of this issue and the risks around data must be taken into consideration at every stage, including the translation phase.
Here are a few questions that could help your teams make the right decisions and protect your information:
- Which documents really need to be translated?
- Which ones contain sensitive data?
- Is it possible to anonymize the personal data before sending the files (spoiler alert – yes!)?
By defining the scope of the translation correctly, you limit the risks.
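As an added illustration (not part of the original article or any provider's tooling), the sketch below shows one way to pseudonymize a file before it leaves your systems: personal data is swapped for placeholders, the mapping stays in-house, and the values are restored once the translation comes back. The function names, placeholder format and sample text are assumptions, and the patterns cover only email addresses and phone numbers.

```python
import re

# Illustrative patterns only: emails and phone numbers. Names, addresses and
# ID numbers need entity recognition or manual review.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE = re.compile(r"\+?\d[\d ().-]{7,}\d")

def pseudonymize(text):
    """Replace personal data with placeholders.

    Returns (safe_text, mapping). Only safe_text is sent for translation;
    the mapping never leaves your systems.
    """
    mapping, seen = {}, {}

    def substitute(kind):
        def _sub(match):
            value = match.group(0)
            if value not in seen:  # same value -> same placeholder
                token = f"[[{kind}_{len(seen) + 1}]]"
                seen[value] = token
                mapping[token] = value
            return seen[value]
        return _sub

    text = EMAIL.sub(substitute("EMAIL"), text)
    text = PHONE.sub(substitute("PHONE"), text)
    return text, mapping

def restore(translated, mapping):
    """Re-insert the original values and list any placeholder that the
    translation dropped or altered, so it can be checked by hand."""
    missing = [token for token in mapping if token not in translated]
    for token, value in mapping.items():
        translated = translated.replace(token, value)
    return translated, missing

# Constructed sample input and a constructed "returned" translation.
SAMPLE = ("Contact Anna at anna.berg@example.com or +47 22 33 44 55. "
          "Copy anna.berg@example.com on the contract.")
TRANSLATED = ("Kontakt Anna på [[EMAIL_1]] eller [[PHONE_2]]. "
              "Sett [[EMAIL_1]] i kopi på kontrakten.")

if __name__ == "__main__":
    safe, mapping = pseudonymize(SAMPLE)
    print(safe)
    print(restore(TRANSLATED, mapping))
```

The list returned by restore matters in practice: translation tools and linguists sometimes reformat or drop placeholders, and a silent loss would leave the delivered document incomplete.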
Conclusion – make data protection a strategic reflex
Translation is often a blind spot when it comes to protecting sensitive data. However, a data breach may have serious consequences.
To avoid compromising the confidentiality of your data, there is a legal framework and applicable standards governing data processing that translation service providers have to comply with, as well as best practices to put in place to ensure your data is secure.
These include selecting partners that will support you throughout the translation process and securing workflows, both essential steps.
However, you should not forget that data protection is a principle that must be integrated “by design”, and must be considered at every stage. Making your teams aware of this issue is essential.