Is this the future of NDA compliance requirements?
Thread poster: Geneviève Granger
Geneviève Granger
Germany
Member (2006)
German to French
Sep 18, 2019

Hello,

I hope this is the right forum to post such questions. If not, please excuse my mistake and point me to the right forum if you know one that would be more appropriate.

I received the following request from a customer:

"The information security aspect is becoming more and more important to our clients (besides quality, prices and delivery times).
Basically, our clients want to make sure that the data we (and implicitly you) process are handled in secure environments and do not fall into the wrong hands.
For this reason, we had to update our IT security guidelines and policies (and align them to the TISAX and ISO 27001 requirements).
How does this affect you?
We need your support to:
1. Sign a new NDA (attached)
Main changes:
- mandatory use of encryption for the drive on which the data is processed (not only for hardware that is used outside the office, as it was until now)
- two-factor authentication usage for login to your PC
2. Fill in a self-assessment form (attached) [2 pages long!]
Fill in your name and date and tick the boxes to confirm that the NDA requirements are met and complied with.
3. Send proof that a drive encryption solution and a two-factor authentication software are active on your PC (screenshot/photo)."

The documents attached to this demand indicate the use of BitLocker for data encryption and a YubiKey for the two-factor authentication. The requirements extend to the backup system.
However, I don't use Linux with VirtualBox for Windows applications and make backups on a separate server, which will make meeting those requirements "a bit" more complicated than on the simple Windows system my customer assumed I was using.

My questions on this matter are:
- Is this the future of NDA compliance requirements? That is: is it foreseeable that most customers will ask for such a configuration, or an even more advanced one, in the near future, and should I prepare for it?
- Isn't it a bit nosy to ask me for screenshots of my system to prove my compliance and more or less impose a certain solution on me for the security of the data I hold?

Thanks a lot in advance for your insights and advice!
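The customer above asks for "proof that a drive encryption solution is active", and on a Linux machine that evidence can be produced from the block-device tree rather than from a screenshot. The following is an added example, not code from the thread or from any tool it names: it parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` (util-linux) prints and reports, for every mountpoint, whether a dm-crypt/LUKS layer sits anywhere beneath it. The device names, mountpoints and the sample tree are constructed for the example, and `/mnt/backup` as the backup target path is an assumption.

```python
"""Report which mounted filesystems sit on an encrypted (dm-crypt/LUKS) device,
using the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
The sample tree below is constructed for this example; device names are invented."""
import json
import subprocess
from typing import Dict, List

# Constructed sample: LUKS-encrypted root and /home (LVM on top of dm-crypt),
# an unencrypted /data partition, and an encrypted external disk used for backups.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": "/data"}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptbackup", "type": "crypt", "mountpoint": "/mnt/backup"}
      ]}
    ]}
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample tree (stands in for live lsblk output)."""
    return json.loads(SAMPLE_LSBLK_JSON)


def _mountpoints(dev: dict) -> List[str]:
    # Newer util-linux emits "mountpoints" (a list); older versions emit "mountpoint".
    mps = dev.get("mountpoints")
    if mps is None:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def encryption_status(tree: dict) -> Dict[str, bool]:
    """Map each mountpoint to True if a 'crypt' device is an ancestor of (or is) it."""
    status: Dict[str, bool] = {}

    def walk(dev: dict, encrypted_above: bool) -> None:
        enc = encrypted_above or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            status[mp] = enc
        for child in dev.get("children", []):
            walk(child, enc)

    for dev in tree.get("blockdevices", []):
        walk(dev, False)
    return status


def unencrypted_mounts(tree: dict, ignore=("/boot", "/boot/efi")) -> List[str]:
    """Mountpoints not backed by dm-crypt. /boot and the EFI partition are ignored
    by default: they hold no client data and are usually left in the clear."""
    return sorted(mp for mp, enc in encryption_status(tree).items()
                  if not enc and mp not in ignore)


def report(tree: dict, required=("/", "/home", "/mnt/backup")) -> bool:
    """Print a compliance-style summary; return True only if every required
    mountpoint (working data and the assumed backup target) is encrypted."""
    status = encryption_status(tree)
    ok = True
    for mp in required:
        enc = status.get(mp)
        verdict = "ENCRYPTED" if enc else ("MISSING" if enc is None else "PLAIN")
        print(f"{mp:<14} {verdict}")
        ok = ok and bool(enc)
    extra = unencrypted_mounts(tree)
    if extra:
        print("other unencrypted mounts:", ", ".join(extra))
    return ok


if __name__ == "__main__":
    try:
        # On a real machine, read the live device tree instead of the sample.
        raw = subprocess.check_output(
            ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], text=True)
    except (OSError, subprocess.CalledProcessError):
        raw = SAMPLE_LSBLK_JSON
    report(json.loads(raw))
```

The check answers only "is there an encryption layer under this mountpoint", which is what the self-assessment asks; it says nothing about how the LUKS passphrase or key is protected. It also covers the VirtualBox case mentioned above indirectly: a VM disk image is encrypted at rest exactly when the filesystem holding the image file is, so the mountpoint that stores the images is the one to include in `required`.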


 
RobinB
United States
German to English
The short answer Sep 18, 2019

Hi Geneviève,

Yes, this is the future for translation work for certain clients. I'm not sure I'd categorize it as an NDA, but rather as an information security agreement, but we don't need to argue about the labels.

There are a few (and quite possibly a growing number of) German corporates that now require a much higher level of information security than was the case in the past. It's not exactly difficult (or expensive) to use a separate hard drive for jobs for those clients, and two-factor authorisation is also very easy to implement.

Basically, it's your business decision: Is the volume of work that would be covered by these tougher information security requirements sufficient to warrant the effort and expense of meeting those requirements?

And I certainly don't think it's nosy to ask for screenshots to document compliance. Rather, that's standard procedure. I certainly had no objections to doing it when I was asked to.

Robin




Luca Tutino
Italy
Member (2002)
English to Italian
Only for specific types of clients, and it requires their collaboration Sep 18, 2019

It looks acceptable to me. Of course, you should consider your (money, effort and time) costs and negotiate a significant adjustment of rates and terms of collaboration accordingly.

neilmac
Spain
Spanish to English
I hope not Sep 19, 2019

Any client wanting me to sign something like that would need to pay me double or triple my current rates. It screams lack of trust, and I don't want to work with people who don't trust me implicitly from the outset.

 
Peter Motte
Belgium
Member (2009)
English to Dutch
Privacy concerns are also business concerns Sep 19, 2019

I received the following request from a customer:

"The information security aspect is becoming more and more important to our clients
- mandatory use of encryption for the drive on which the data is processed (not only for hardware that is used outside the office, as it was until now)
- two-factor authentication usage for login to your PC
3. Send proof that a drive encryption solution and a two-factor authentication software are active on your PC (screenshot/photo)."


That's indeed going a bit far.

I don't use drive encryption, because I'm working alone, not in an office, and there's no danger that somebody opens my computer to look at the files.

Some clients, however, demand that I do not use the cloud, and one of them even asked me not to use Trados - although that was for another reason.
However, as people become more aware of privacy issues, we can expect businesses to be worried about it too.

After all, all information in a company which does not have to get to the general public, is a privacy issue.

The advocates of "everything has to be open", "people should not have secrets", and so on, tend to divert our attention from some genuine problems which will arise if everybody knows your income, the prices of your providers, your profit margin, the infrastructure and tools you use ... and so on.

The risk is that you're basically opening up all elements of your company to just anybody who wants to take a look into it, and who wants to compete with your business.

Privacy is not about "nasty things" you do, you need it to protect you from others doing "nasty things" to you.

Actually, the Dutch word for "back office" is "privékantoor", which translates as "private office".
That says a lot. People in the past were much more aware of the importance of privacy than they are nowadays.



[Edited at 2019-09-19 14:00 GMT]

Dan Lucas
United Kingdom
Member (2014)
Japanese to English
Could be worse Sep 19, 2019

Geneviève Granger wrote:
- Isn't it a bit nosy to ask me screenshots of my system to prove my compliance and more or less impose me a certain solution for the security of the data I hold?

Yes, it is. I experienced something similar when I had an end client (let's call them Company A) demand, via an agency, that I download and install a certain piece of utility software that it claimed would sniff around my storage devices to detect whether I had any problems with malware. The idea was that I would return the log to the agency to check. The justification Company A gave was that it was asking freelancers to deal with sensitive information.

Well, I deal with material nonpublic information all the time - it's not a situation unique to this end client. I certainly wasn't going to give Company A free rein to use a piece of software to root about in my projects folder where sensitive information from other end clients is stored. After all, that sensitive information is protected by NDAs.

I asked for a written assurance to the effect that no data not owned by Company A would be read or opened, and for Company A to accept responsibility for any breach of those agreements. Unsurprisingly, Company A did not want to give it, and the agency said that without this process I couldn't do work for this end client. I shrugged and told the agency not to contact me regarding projects from Company A.

What else can you do? Allowing this one client to take aggressive steps to secure their data would have led to infringements of the privacy of the data of other clients. If the situation had been reversed, with a different end client demanding access to a drive on which Company A data was stored, would Company A have accepted it? Almost certainly not.

Ultimately, if the information is that sensitive a company should be using an in-house translator.

Regards,
Dan


Peter Motte
Belgium
Member (2009)
English to Dutch
Old problem Sep 20, 2019

Who's the guard to guard the guards?

 
Geneviève Granger
Germany
Member (2006)
German to French
TOPIC STARTER
Endless annoyance ahead Oct 21, 2019

Hello everybody,

Thank you for your answers and thoughts about this, and please forgive my late reaction.
I believe these new data protection requirements will actually become the rule in the future – as far as I understood from further reading on this topic, these norms will apply in 2021 and will be required of customers who want to obtain a conformity certification, and these will probably make up a considerable share of our customers.

My thoughts to this:
- Requirements like these are continuously growing. Once a new technology has been invented to protect data, there are people who are clever enough to crack the new system and thus make this new technology inefficient. New technologies will have to be invented, which will represent more and more costs for small providers like us, enormous administrative work (a new NDA, compliance agreement, etc. to be signed every couple of months, among other paperwork such as the further compliance aspects in the frame of the GDPR we had to go through last year, etc.), as well as a burden for our computer systems, with a corresponding decrease in productivity, along with the risk of locking ourselves out of our systems in case of a mistake on our own side. Not every translator is a computer specialist, and many will require the help of a professional to solve a number of the implied problems, which will mean costs, again an NDA with this person/company, etc. On the other side, there is an enormous pressure on rates on the market and, as far as I am concerned, I have found no chance in approximately the last 15 years of my career to raise my rates. If I raise them, I will lose my customers. How far will this go? In the end, small providers and honest people suffer from those growing requirements, as this madness piles administrative and technical burdens on them, reducing their productive time, while crooks do not really feel impeded by such regulations.

- Due to those growing requirements, some companies drive data protection to hysteria: For example, I have a number of customers who systematically classify all projects as confidential, while the text to be translated is obviously meant to be widely published and/or made accessible to a wide public. This implies, according to the NDA to be signed, that you are obliged to delete all project data, including the TM produced during the translation, right after the end of the project or once you have received the payment. However, 1) this is contrary to most national laws, which stipulate that project documents have to be kept for a number of years for fiscal reasons, in case of a legal case, etc., and 2) the translation memories of the work done are the accumulated experience of a translator. They allow building up knowledge to work faster and with greater ease and reliability. Most translation companies expect translators to buy a certain CAT tool at their own cost, while reaping all the advantages of it (discounts on matches). However, if I have to buy a system at my own cost, I would actually expect to be the one to get the benefits of it, and not the customer. I would at least wish to keep my own work, and I think this also brings benefits to the customers. I also see strictly no disadvantage for anybody if I am able to reuse bits of sentences, standard texts such as normed safety notices, or terms I have translated in the past.

- According to the norms named by this customer, companies indeed have to “help” their providers in implementing a solution. This is why this customer “suggested” to me the solution I mentioned above. However, if I have several customers who want to apply the norms, they may favour/suggest different solutions. Obviously, I will not be able to meet the preferences of each and every customer about how to comply with the norms. I will thus examine the said norms by myself, implement my own solution, and write a document on how I comply. I will then submit this document to any customer who wants “proof” of my compliance, and they will have to be content with that.

- Up to now, you had to sign an NDA or any other agreement, and customers had to believe in your good faith. Now, you have to provide “proof” (though I think that a screenshot does not ‘prove’ anything – I could just as well copy a picture from instructions found on the Internet or ask a buddy to make one on his work computer). I find this definitely to be a lack of trust in their providers, and this degree of control is putting us under tutelage: you are not believed to be responsible enough to actually meet your commitments. Just as you have to trust my good faith when I sign an NDA declaring a number of things or when we reach certain agreements, my customer should trust that I actually implement a certain solution.


 
Katalin Horváth McClure
United States
Member (2002)
English to Hungarian
Not practical to pass the requirements to an individual freelancer Oct 21, 2019

Dan Lucas wrote:
Ultimately, if the information is that sensitive a company should be using an in-house translator.

Or, have their independent contractors (us) log into their systems (for which they can implement two-factor authentication and whatnot) and work on the data that is stored on their computers according to whatever encryption standards they want.
IMHO, the end client in this particular case was requesting all these security measures to be implemented BY THE AGENCY, on the agency's systems, knowing that they outsource work.

