Is this the future of NDA compliance requirements?
Thread poster: Geneviève Granger

Geneviève Granger  Identity Verified
Germany
Local time: 23:01
Member (2006)
English to French
+ ...
Sep 18

Hello,

I hope this is the right forum to post such questions. If not, please excuse my mistake and point me to the right forum if you know one that would be more appropriate.

I received the following request from a customer:

"The information security aspect is becoming more and more important to our clients (besides quality, prices and delivery times).
Basically, our clients want to make sure that the data we (and implicitly you) process are handled in secure environments and do not fall into the wrong hands.
For this reason, we had to update our IT security guidelines and policies (and align them to the TISAX and ISO 27001 requirements).
How does this affect you?
We need your support to:
1. Sign a new NDA (attached)
Main changes:
- mandatory use of encryption for the drive on which the data is processed (not only for hardware that is used outside the office, as it was until now)
- two-factor authentication usage for login to your PC
2. Fill in a self-assessment form (attached) [2 pages long!]
Fill in your name and date and tick the boxes to confirm that the NDA requirements are met and complied with.
3. Send proof that a drive encryption solution and a two-factor authentication software are active on your PC (screenshot/photo)."

The documents attached to this demand indicate the use of BitLocker for data encryption and a YubiKey for the two-factor authentication. The requirements extend to the backup system.
However, I don't use Linux with VirtualBox for Windows applications and make backups on a separate server, which will make the resolution of those requirements "a bit" more complicated than on the simple Windows system my customer supposed me to use.

My questions on this matter are:
- Is this the future of NDA compliance requirements? That is: is it foreseeable that most customers will ask for such a configuration, or even a more advanced one, in the near future, and should I prepare for it?
- Isn't it a bit nosy to ask me for screenshots of my system to prove my compliance and more or less impose a certain solution on me for the security of the data I hold?

Thanks a lot in advance for your insights and advice!
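The customer's third point asks for proof that drive encryption is active, and the poster notes that on a Linux host with a separate backup server this is less straightforward than a BitLocker screenshot. The script below is an added example, not from this thread or any of its posters: it walks the block-device tree reported by `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` and reports, for each mountpoint you name, whether any device beneath it is a dm-crypt (LUKS) volume. Checking the ancestor chain rather than only the mounted device is what makes LVM-on-LUKS count as encrypted. The sample `lsblk` output embedded in the script is constructed; the function names, the `--live` flag and the assumption that mountpoints contain neither spaces nor "=" are mine. It says nothing about two-factor authentication, which is a separate control.

```sh
#!/bin/sh
# Added example (not from the thread): does the volume behind a mountpoint
# sit on a dm-crypt/LUKS device? Works from `lsblk -P` key="value" pairs so
# it can be run against captured output as well as live.

# Constructed sample of `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME`:
# "/" is LVM on top of LUKS (encrypted); "/mnt/backup" is a plain partition.
SAMPLE_LSBLK='KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sdb1" TYPE="part" MOUNTPOINT="/mnt/backup" PKNAME="sdb"'

# encryption_status LSBLK_PAIRS MOUNTPOINT
# Prints "encrypted" if the mounted device or any ancestor is TYPE="crypt",
# "plain" if not, "missing" if nothing is mounted there.
# Assumes mountpoints contain no spaces or "=" (true for typical layouts).
encryption_status() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        {
            kname = ""; type = ""; mount = ""; parent = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])
                if (kv[1] == "KNAME")           kname  = kv[2]
                else if (kv[1] == "TYPE")       type   = kv[2]
                else if (kv[1] == "MOUNTPOINT") mount  = kv[2]
                else if (kv[1] == "PKNAME")     parent = kv[2]
            }
            types[kname] = type
            parents[kname] = parent
            if (mount != "") devs[mount] = kname
        }
        END {
            if (!(mp in devs)) { print "missing"; exit }
            # walk up the device stack (lvm -> crypt -> part -> disk)
            for (k = devs[mp]; k != ""; k = parents[k])
                if (types[k] == "crypt") { print "encrypted"; exit }
            print "plain"
        }'
}

# compliance_report LSBLK_PAIRS MOUNTPOINT...
# One line per required mountpoint; exit status 1 if any is not encrypted,
# so the report can gate a backup job or be pasted as evidence.
compliance_report() {
    pairs=$1; shift
    rc=0
    for mp in "$@"; do
        status=$(encryption_status "$pairs" "$mp")
        printf '%-20s %s\n' "$mp" "$status"
        [ "$status" = encrypted ] || rc=1
    done
    return $rc
}

# Usage: `sh check_encryption.sh --live / /mnt/backup` inspects this host;
# without --live the constructed sample is evaluated instead.
if [ "${1-}" = "--live" ]; then
    shift
    compliance_report "$(lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME)" "$@"
else
    compliance_report "$SAMPLE_LSBLK" / /mnt/backup \
        || echo "at least one required volume is not encrypted"
fi
```

Run with `--live` on the machine holding the client data and on the backup host, naming every mountpoint where that data or its backups live; a "plain" line for the backup volume is exactly the gap the customer's requirement on backup systems is meant to catch.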


 

RobinB  Identity Verified
United States
Local time: 16:01
German to English
The short answer Sep 18

Hi Geneviève,

Yes, this is the future for translation work for certain clients. I'm not sure I'd categorize it as an NDA, but rather as an information security agreement, but we don't need to argue about the labels.

There are a few (and quite possibly a growing number of) German corporates that now require a much higher level of information security than was the case in the past. It's not exactly difficult (or expensive) to use a separate hard drive for jobs for those clients, and two-factor authorisation is also very easy to implement.

Basically, it's your business decision: Is the volume of work that would be covered by these tougher information security requirements sufficient to warrant the effort and expense of meeting those requirements?

And I certainly don't think it's nosy to ask for screenshots to document compliance. Rather, that's standard procedure. I certainly had no objections to doing it when I was asked to.

Robin




 

Luca Tutino  Identity Verified
Italy
Local time: 23:01
Member (2002)
English to Italian
+ ...
Only for specific types of clients, and it requires their collaboration Sep 18

It looks acceptable to me. Of course, you should consider your (money, effort and time) costs and negotiate a significant adjustment of rates and terms of collaboration accordingly.

 

neilmac  Identity Verified
Spain
Local time: 23:01
Spanish to English
+ ...
I hope not Sep 19

Any client wanting me to sign something like that would need to pay me double or triple my current rates. It screams lack of trust, and I don't want to work with people who don't trust me implicitly from the outset.

 

Peter Motte  Identity Verified
Belgium
Local time: 23:01
Member (2009)
English to Dutch
+ ...
Privacy concerns are also business concerns Sep 19

Geneviève Granger wrote:
I received the following request from a customer:

"The information security aspect is becoming more and more important to our clients
- mandatory use of encryption for the drive on which the data is processed (not only for hardware that is used outside the office, as it was until now)
- two-factor authentication usage for login to your PC
3. Send proof that a drive encryption solution and a two-factor authentication software are active on your PC (screenshot/photo)."


That's indeed going a bit far.

I don't use drive encryption, because I'm working alone, not in an office, and there's no danger that somebody opens my computer to look at the files.

Some clients, however, demand that I do not use the cloud, and one of them even asked me not to use Trados - although that was for another reason.
However, as people become more aware of privacy issues, we can expect businesses to be worried about it too.

After all, all information in a company which does not have to get to the general public, is a privacy issue.

The advocates of "everything has to be open", "people should not have secrets", and so on, tend to divert our attention from some genuine problems which will arise if everybody knows your income, the prices of your providers, your profit margin, the infrastructure and tools you use ... and so on.

The risk is you're basically opening up all elements of your company to just anybody who wants to take a look into it, and who wants to compete with your business.

Privacy is not about "nasty things" you do, you need it to protect you from others doing "nasty things" to you.

Actually, the Dutch word for "back office" is "privékantoor", which translates as "private office".
That says a lot. People in the past were much more aware of the importance of privacy than they are nowadays.



[Edited at 2019-09-19 14:00 GMT]


 

Dan Lucas  Identity Verified
United Kingdom
Local time: 22:01
Member (2014)
Japanese to English
Could be worse Sep 19

Geneviève Granger wrote:
- Isn't it a bit nosy to ask me screenshots of my system to prove my compliance and more or less impose me a certain solution for the security of the data I hold?

Yes, it is. I experienced something similar when I had an end client (let's call them Company A) demand, via an agency, that I download and install a certain piece of utility software that it claimed would sniff around my storage devices to detect whether I had any problems with malware. The idea was that I would return the log to the agency to check. The justification Company A gave was that it was asking freelancers to deal with sensitive information.

Well, I deal with material nonpublic information all the time - it's not a situation unique to this end client. I certainly wasn't going to give Company A free rein to use a piece of software to root about in my projects folder where sensitive information from other end clients is stored. After all, that sensitive information is protected by NDAs.

I asked for a written assurance to the effect that no data not owned by Company A would be read or opened, and for Company A to accept responsibility for any breach of those agreements. Unsurprisingly, Company A did not want to give it, and the agency said that without this process I couldn't do work for this end client. I shrugged and told the agency not to contact me regarding projects from Company A.

What else can you do? Allowing this one client to take aggressive steps to secure the security of their data would have led to infringements of the privacy of the data of other clients. If the situation had been reversed, with a different end client demanding access to a drive on which Company A data was stored, would Company A have accepted it? Almost certainly not.

Ultimately, if the information is that sensitive a company should be using an in-house translator.

Regards,
Dan


 

Peter Motte  Identity Verified
Belgium
Local time: 23:01
Member (2009)
English to Dutch
+ ...
Old problem Sep 20

Who's the guard to guard the guards?

 

