6 Things to Ask Your Translation Provider About Data Security

When choosing a translation provider there are many factors to consider, such as the level of quality, turnaround times, human vs machine translation, pricing, specialization, and much, much more. But there is more at stake than just getting the best product on the market. One of the most important factors when choosing a language service provider (LSP) to partner with is to make sure their data security measures are airtight.

Beware of information security

Imagine the following scenario: You send your files to an LSP to be translated, but before you even receive the translated files back, the original files are already publicly available without you knowing about it. What if the machine-translated parts of your file find their way into your stakeholders’ hands? Or what if your competition acquired insider information about your organization’s new products through a freelancer whose account got lost in the LSP’s system?

When you are letting data out of the secure, digital walls of your organization, the security of your data is no longer under your control. Therefore, you must take precautions before sending your data outside of your organization’s digital borders. To decrease the risk of data breaches, any buyer of language services should ask the following six questions before selecting a new vendor. 

Data security and the areas to look out for

1. How does the LSP handle file transmission, processing, and storing?

This question refers to the technology the LSP uses, as various tools may provide the organization with different data management processes and different security levels. It is essential to learn how the LSP handles different data types, what formatting tools they use, what happens with your files after the job is done and so on. The key here is to find out if the LSP uses licensed software instead of free online tools. If the provider uses free online tools, chances are your files will be available online in some form or another in short order. The tools in use may be free optical character recognition tools (OCR tools), online machine translation engines, or even free PDF management tools. The rule of thumb is: if it’s free, the data is what you’re paying with. And the LSP may be paying with your data as well, so make sure to ask about these technologies. 

2. Does the LSP have a risk-based security policy in place and what are the security measures they have implemented? 

Any company dealing with client data should have sufficient security measures in place. What you hope to find by asking this question is a structured, mindful approach toward client data. The information security policy should involve procedures for receiving, storing, and discarding client data. Ask about the scope of the LSP’s information policy and definitions (data leaks, breaches, etc.) first, and then ask about the requirements set out in the policy (for employees, freelancers, and privileged user access) and the basic security requirements of the systems they work with. In addition, make sure to ask about and (if possible) negotiate accountability and liability in case a data leak does occur. Regarding their current security measures, you want to find out whether the LSP uses VPNs and encrypted technologies, how they monitor security events, what accreditations and certificates they have, and whether they follow security norms and standards (such as ISO 27001).

3. Does the LSP have access control management?

The majority of data leaks are not outside jobs but happen within an organization. The usual scenario is that a person has access to information he or she should not have. By asking about access controls, you want to find out if the LSP knows who is allowed to handle data of specific clients. You can ask about an access control matrix that displays the relations between user groups (with assigned access and roles within systems) and processes that correspond with business processes. The access control matrix is used to simplify the process and make the assignment of access rights transparent. Questions related to this topic should cover the access levels of freelancers as well — so no freelancer’s account is overlooked and accidentally equipped with access to the organization’s files. As part of this discussion, you may also want to ask about the process for the termination of users (how long does it take after the contract was terminated, what further controls are in place over the account termination, etc.). 

4. Does the LSP provide the employees with security training?

You can build the most impenetrable system but still have a leak, because the most vulnerable link in the information and communications technology (ICT) systems chain is the human one. By asking about internal data security training, you want to find out the level of active information security. Having a written ICT security policy is a must, as it is a benchmark that defines the organization’s approach and capabilities to deal with security incidents. However, without employees knowing what the policy entails and how to follow it, the policy is worthless. Therefore, any company that is dealing with client data should provide information security training — freelancers included. Otherwise, you might have partners at the LSP sending emails via airport Wi-Fi or converting Word files to PDFs via free online tools before sending them to you, without realizing the risks involved.

5. Can you trust the LSP’s vendors?

When choosing an LSP — a vendor — for your organization, keep in mind that the LSP is also on the receiving side of the supply chain. No matter how thorough you may be when choosing a vendor, it is important to remember that your vendor does not need to share the same approach. When sharing documents with your LSP, chances are that the LSP’s vendors will have access to your sensitive data via shared ICT (Information and Communications Technology) systems. So when choosing an LSP, make sure you ask about the number of vendors they’re working with, so you can better assess the risk of data leaks. That being said, having multiple vendors is not an issue in and of itself. The potential problem lies rather in agreements between the LSP and its vendors. Therefore your questions should focus on formal agreements that protect the LSP’s clients (aka you), like agreements that address the responsibility in case of a data leak, or agreements that bind the vendor to provide immediate support to the LSP and its clients when cyber attacks or similar incidents occur. 

6. Is the LSP willing to sign an NDA?

So far, we have covered the physical and administrative essentials that guarantee a basic level of a secure environment. Now it is time to look at legal measures. One form of securing formal protection during and after a project is via non-disclosure agreements (NDAs), which guarantee that no information provided will be disclosed under any circumstances. These legal documents should be signed by everyone engaged in a project. Even if you feel like you do not need an NDA because you maintain a good relationship with your vendor and a leak seems impossible, it is better to be safe than sorry. An NDA legally binds the LSP to not break your trust. If you have a good relationship with your provider now, you will have a good relationship after the agreement is signed, too.

At Nimdzi we have been advising our clients on how to approach the topic of InfoSec. To find out more about how to ensure data, information, and cyber security of your localized assets, talk to Nimdzi.
12 August 2021
