Why Language Matters for GDPR Compliance
It can hardly come as a surprise that the GDPR has been in effect for some years now. Nevertheless, it is clear that it can still prove challenging to be in complete compliance. Recently, this was confirmed in the Dutch context by reports that the Autoriteit Persoonsgegevens (AP), the governing body, is facing large backlogs due to the still increasing number of complaints. However, this also means that the AP is investigating potential violations, which highlights the importance of GDPR compliance. In this blog, we would like to highlight a less technical element of GDPR implementation, which can still have far-reaching consequences for your compliance status.
The Importance of Transparent Language
The effects of language are easy to underestimate in this context. Of course, a transparently formulated GDPR statement is important for companies operating in their home region, but it is equally important when planning to expand to international markets. Article 7.2 of the GDPR is of vital importance when drafting such a statement:
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
The phrasing of this article means that language related to GDPR implementations should be both accessible and intelligeble, as well as in a language that the intended audience can be expected to understand. While it is probably relatively simple to meet these conditions for your local market, it can quickly lead to problems for foreign audiences. Note, also, that this article applies to both requests for consent, as well as to data processing statements and arbitration procedures.
Intelligible Language – For Your Audience
For a website with an international audience, this might mean offering a translated version of your existing GDPR texts. In certain situations, an English version might suffice for an EU-wide implementation, though we recommend having this confirmed by the relevant governing bodies. If there is a chance the intended audience might not be sufficiently comfortable with the English language to grant informed consent, it is always safest to offer translated texts.
Such a translation should also meet the same intelligibility requirements and should, as a consequence, be tailored to your audience. A difficult, highbrow translation for a website aimed at the general population would still be at odds with the requirements of clear and plain language. This is why it is a good idea to choose a translation agency specialized in website translation and well-versed in this type of combination of IT and legal text. We also recommend staying actively involved in the translation process and sharing any relevant information about your audience and any company style guides for external communication.
Language as a Compliance Risk
It might seem like scaremongering to call this a compliance risk. However, for this type of risk assessment, you need to look at both the wording and the intentions of the GDPR legal text. Article 7, as cited above, effectively means that, if the conditions for plain and clear language are not sufficiently met, any consent for processing personal information can be declared null and void, because there is a chance the consenter might not have understood exactly what they were consenting to. Within this context, any data processed on the basis of that consent equals processing data without consent. This is why the language you use matters just as much as the technical side of your GDPR implementation.