
GDPR alert


 


Two of my clients, one in the USA and one in Cape Town, recently instructed their language practitioners (i.e. freelancers) to confirm their compliance with the European General Data Protection Regulation. More info at ec.europa.eu.

The US request is:

“I have setup two-factor authentication (also known as dual-factor authentication) on the email account(s) used for conducting work for XXX”


The relevant section of the GDPR reads as follows:

“The GDPR applies to:

  1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

If your company is a small and medium-sized enterprise ('SME') that processes personal data as described above you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer ('DPO')). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.

Examples

When the regulation applies

Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.

When the regulation does not apply

Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”


Given the last sentence, one may well ask whether the two clients’ request is applicable to a South African who translates (say) a birth or marriage certificate issued in a European country for the person mentioned on the certificate. After all, it’s highly likely that the SA translator does not “specifically target individuals in the EU”, and one could also ask whether translating a birth/marriage certificate or any other personal document is tantamount to “monitoring the behaviour of individuals” or “processing” personal information.


But getting organisations to change what passes for a mind is usually futile, so my question is simply:

Does anyone know how to apply two-factor authentication to email?


Tony
