GDPR – It’s a Train and It’s a Comin’

In the recent article about Oxford Ancestors shuttering, I briefly mentioned GDPR. I’d like to talk a little more about this today, because you’re going to hear about it, and I’d rather you hear about it from me than from a sky-is-falling perspective.

It might be rainy and there is definitely some thunder and the ground may shake a little, but the sky is not exactly falling. The storm probably isn’t going to be pleasant, however, but we’ll get through it because we have no other choice. And there is life after GDPR, although in the genetic genealogy space, it may look a little different.

And yes, one way or another, it will affect you.

What is GDPR?

GDPR, which is short for General Data Protection Regulation, is a European, meaning both EU and UK, regulation(s) by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU/UK and processing of data of residents of the EU/UK by non-EU/UK companies.

There are actually two similar, but somewhat different regulations, one for the UK and one for the EU’s 28 member states, but the regulations are collectively referred to as the GDPR regulation.

Ok, so far so good.

The regulations are directly enforceable and do not require any individual member government to pass additional legislation.

GDPR was adopted on April 27, 2016, but little notice was taken until the last few months, especially outside of Europe, when the hefty fines drew attention to the enforcement date of May 25, 2018, now just around the corner.

Those hefty fines can range from a written warning for non-intentional noncompliance to a fine of 20 million Euro or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is GREATER. Yea, that’s pretty jaw-dropping.

So, GDPR has teeth and is nothing to be ignored.

Oh, and if you think this is just for EU or UK companies, it isn’t. It applies equally to any company that possesses any data of any EU or UK resident in their database or files, providing that person isn’t dead. The law excludes dead people and makes some exceptions for law enforcement and other national security types of applications.

Otherwise, it applies to everyone in a global economy – and not just for future sales, but to already existing data for anyone who stores, transmits, sells to or processes data of any EU resident.

What Does GDPR Do?

The intent of GDPR was to strengthen privacy and data protections, but there is little latitude written into this regulation that allows for intentional sharing of data. The presumption throughout the hundreds of pages of lawyer-speak is that data is not intended to be shared, thereby requiring companies to take extraordinary measures to encrypt and anonymize data, even going so far as to force companies to store e-mail addresses separately from any data which could identify the person. Yes, like a name, or address.

Ironic that a regulation that requires vendor language be written in plainly understood simple wording is in and of itself incredibly complex, mandating legal interpretation.

Needless to say, GDPR requirements are playing havoc with every company’s databases and file structure, because information technology goals have been to simplify and unify, not chop apart and distribute information, requiring a complex network of calls between systems.

Know who loves GDPR? Lawyers and consultants, that’s who!

In the case of intentional sharing, such as genetic genealogy, these regulations are already having unintended consequences through their extremely rigid requirements.

For example, a company must appoint a legal representative in Europe. I am not a lawyer, but my reading of this requirement suggests that European appointed individual (read, lawyer) is absorbing some level of risk and could potentially be fined as a result of their non-European client’s behavior. So tell me, who is going to incur that level of risk for anything approaching a reasonable cost?

One of the concepts implemented in GDPR is the colloquially known “right to be forgotten.” That means that you can request that your data and files be deleted, and the company must comply within a reasonable time.

However, what does “the right to be forgotten” mean, exactly? Does it mean a company has to delete your public presence? What about their internal files that record that you WERE a customer. What about things like medical records? What about computer backups which are standard operating procedure for any responsible company? What happens when a backup needs to be restored? If the company tracks who was deleted, so they can re-delete them if they have to restore from backup, then the person isn’t deleted in the first place and they are still being tracked – even though the tracking is occurring so the person can be re-forgotten.

Did you follow that? Did it make sense? Did anyone think of these kinds of things?
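One engineering pattern for the backup problem just described, as an added example that is not part of the original post: keep a suppression list of keyed hashes (HMAC-SHA256) of erased identifiers, stored apart from the backups and the key, and re-run it after every restore. The customer ids, names and key are constructed for illustration; note that the list still records that someone was erased, so it narrows the contradiction rather than removing it.

```python
import hmac
import hashlib
import copy


class ErasureLedger:
    """Keeps a keyed hash of every erased identifier, never the identifier itself."""

    def __init__(self, key):
        self._key = key          # secret kept apart from backups and from the ledger
        self._tags = set()       # HMAC-SHA256 tags of erased customer ids

    def _tag(self, customer_id):
        return hmac.new(self._key, customer_id.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def forget(self, records, customer_id):
        """Honour an erasure request: drop the record and remember only its tag."""
        records.pop(customer_id, None)
        self._tags.add(self._tag(customer_id))

    def is_suppressed(self, customer_id):
        return self._tag(customer_id) in self._tags

    def reapply(self, records):
        """After a backup restore, delete again anything erased earlier.
        Returns the ids removed so the caller can log the count (not the ids)."""
        removed = [cid for cid in list(records) if self.is_suppressed(cid)]
        for cid in removed:
            del records[cid]
        return removed

    def tags(self):
        return frozenset(self._tags)


def restore_then_reapply(live, backup, ledger):
    """The failure mode from the post: restoring a backup resurrects erased
    people; re-running the ledger removes them again."""
    live.clear()
    live.update(copy.deepcopy(backup))
    return ledger.reapply(live)


def demo():
    # Constructed sample data (hypothetical customers and a demo key).
    live = {
        "cust-1001": {"name": "Alice Example", "email": "alice@example.invalid"},
        "cust-1002": {"name": "Bob Example", "email": "bob@example.invalid"},
    }
    backup = copy.deepcopy(live)      # nightly backup taken before the request
    ledger = ErasureLedger(key=b"constructed-demo-key-rotate-in-production")
    ledger.forget(live, "cust-1002")  # Bob exercises the right to be forgotten
    re_erased = restore_then_reapply(live, backup, ledger)
    return live, ledger, re_erased


if __name__ == "__main__":
    live, ledger, removed = demo()
    print("records after restore and reapply:", sorted(live))
    print("re-erased count:", len(removed))
```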

Oh, and by the way, there is no case law yet, so every single European company and every single non-European company that has any customer base in Europe is scrambling to comply with an incredibly far-reaching and harsh regulation with extremely severe potential consequences.

How many companies do you think can absorb this expenditure? Who do you think will ultimately pay?

Younger people may not remember Y2K, but I assuredly do, and GDPR is Y2K on steroids and with lots of ugly teeth in the form of fines and penalties that Y2K never had. The worst scenario for Y2K was that things would stop working. GDPR can put you out of business in the blink of an eye.

Categories of “Processors”

GDPR defines multiple levels of “processors,” a primary controller and a secondary processor plus vaguely defined categories of “third party” and “joint controller.”

The “controller” is pretty well defined as the company that receives and processes the data or order, and a “processor” is any other entity, including an individual person, who further processes data on behalf of or as a result of the controller.

There appears to be no differentiation between a multi-million-dollar company and one person doing something as a volunteer at home for most requirements – and GDPR specifically says that lack of pay does not exempt someone from GDPR. The one possible exception that exists is an exclusion for organizations employing fewer than 250 persons, “unless processing is likely to result in a risk to the rights and freedoms of the data subject.” I’m thinking that just mentioning the word DNA is enough to eliminate this exemption.

Furthermore, GDPR states that controllers and processors must register.

Right about now, you’re probably asking yourself if this means you if you’re managing multiple DNA kits, working with genetic genealogy, either as a volunteer or professionally, or even managing a group project or Facebook group.

The answer to those questions is that we really don’t know.

ISOGG has prepared a summary page addressing GDPR from the genetic genealogy perspective, here. The ISOGG working group has done an excellent job in summarizing the questions, requirements and potential effects of the legislation in the slide presentation, which I suggest you take the time to view.

This legislation clearly wasn’t written considering this type of industry, meaning DNA shared for genealogical purposes, and there has been no case law yet surrounding GDPR. No one wants to be the first person to discover exactly how this will be interpreted by the courts.

The requirements for controllers and processors are much the same and include very specific requirements for how data can be stored and what must be done in terms of the “right to be forgotten” requests within a reasonable time, generally mentioned as 30 days after the person who owns the data requests to be forgotten. This would clearly apply to some websites and other types of resources used and maintained by the genetic genealogy community. If you are one of the people this could affect, meaning you maintain a website displaying results of some nature, you might want to consider these requirements and how you will comply. Additionally, you are required to have explicitly given consent for every person’s results that are displayed.

For genetic genealogists, who regularly share information through various means, and the companies who enable this technology, GDPR is having what I would very generously call a wet blanket effect.

What’s Happening in the Genetic Genealogy Space?

So far, we’ve seen the following:

  • Oxford Ancestors has announced they are shuttering, although they did not say that their decision has anything to do with GDPR. The timing may be entirely coincidental.
  • Full Genomes Corporation has announced on social media that they are no longer accepting orders from EU or UK customers, stating that “the regulatory cost is too high for a small company” and is “excessive.” I would certainly agree with that. Update: On 3-31-2018 Justin Loe, CEO of Full Genomes, says that they “will continue to sell into the EU via manual process.”
  • Ancestry has recently made unpopular decisions relative to requiring separate e-mails to register different accounts, even if the same person is managing multiple DNA kits. Ancestry did not say this had to do with GDPR either, but in reading the GDPR requirements, I can understand why Ancestry felt compelled to make this change.
  • Family Tree DNA recently removed a search feature from their primary business page that allowed the public to search for their ancestors in trees posted to accounts at Family Tree DNA. According to an e-mail sent to project administrators, this change was the result of changes required by GDPR. They too are working on compliance.
  • MyHeritage is as well.
  • I haven’t had an opportunity to speak privately with LivingDNA or 23andMe, but I would presume both are working on compliance. LivingDNA is a UK company.

One of my goals recently when visiting RootsTech was to ask vendors about their GDPR compliance and concerns. That’s the one topic sure to wipe the smile off of everyone’s face, immediately, generally followed by grimaces, groans and eye-rolls until they managed to put their “public face” back on.

In general, vendors said they were moving towards compliance but that it was expensive, difficult and painful – especially given the ambiguity in some of the regulation verbiage. Some expressed concerns that GDPR was only a first step and would be followed by even more painful future regulations. I would presume that any vendor who is not planning to become compliant would not have spent the money to have a booth at RootsTech.

The best news about GDPR is that it requires transparency – in other words, it’s supposed to protect customers from a company selling your anonymized DNA out the back door without your explicitly given consent, for example. However, the general consensus was that any company that wanted to behave in an unethical manner would find a loophole to do so, regardless of GDPR.

In fairness, hurried consumers bring this type of thing on themselves by clicking through the “consent,” or “agree” boxes without reading what they are consenting to. All the GDPR in the world won’t help this. The company may have to disclose, but the consumer doesn’t have to read, although GDPR does attempt to help by forcing you to actively click on agree.

I’m sure we’ll all be hearing more about GDPR in the next few weeks as the deadline looms ever closer.

May 25, 2018

Now you know!

There’s nothing you can do about the effects of GDPR, except hold on tight as the vendors on which we depend do their best to navigate this maze.

Between now and May 25th, and probably for some time thereafter, I promise to be patient and not to complain about glitches in vendors’ systems as they roll out new code as seamlessly as possible.

Gluttons for Punishment

For those of you who are really gluttons for punishment, here are the actual links to the documents themselves. Of course, they are also guaranteed to put you to sleep in about 27 seconds flat…so a sure cure for insomnia.

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

35 thoughts on “GDPR – It’s a Train and It’s a Comin’”

  1. Well, Roberta, you’ve done it again. You waded into the refuse of lawyers that they leave every time they open their mouths. Of course, I’m one of those who gives up on trying to understand what new wheel the lawyers think they are inventing. Thank you for at least telling us that it is a real thing and is coming.

  2. The GDPR is basically pretty complex Regulatory Affairs. Given the debacle with 23andMe, folk who work with DNA will understand they work in a politically sensitive environment and need to be aware of the regulatory changes.

    We now have the ability to de-anonymise folk through triangulation, either with Y-DNA or autosomal DNA, whether they consent or not. So the right of a person to know and access their own DNA, and DNA signature – and uplift it anywhere they want, can conflict with the rights of others to remain hidden.

    For obvious political historical reasons this has more emphasis in Germany, and to some extent in France, than it does with Britain or Sweden. Outside of the EU, I wonder how many folk track what the regulatory situation is with Israel. For genetic informed consent forms in my time in the pharmaceutical industry – they were the most demanding country I had to deal with.

    Personally, I think this will run and run, as it all gets tied up in folks ideas about informed consent, DNA in medical diagnostics, CRISPR and other complex societal issues – and could run as long as Roe vs Wade – which still rumbles on in America and in Ireland.

    Brian

  3. Under this regulation what would have happened to the young UK boy who came to the center of the United States for cancer treatment because he couldn’t get what he needed over there? Or the numerous children who have come here for other medical treatment? Granted genealogy is nowhere near as critical, but some is done for medical reasons.

    • Or the millions of tourists each year.
      Surely the example you have given would be subject to the laws of the USA.
      And the hospital involved in your example would not do business in Europe so would not be subject to its jurisdiction.
      In a jurisdictional fight I can’t see Uncle Sam giving leeway.
      Not under previous inhabitants of the Oval Office and certainly not now.
      The case of needing medical information via genealogy posits the benefits of an apparent few against protecting the records of 100s of millions of European citizens. Again, there is only one way that will go.
      And the expectation is that a clinical DNA test can find the answers needed anyway.

      • While I have not read the legislation, based instead on several decades of dealing with jurisdictional conflict cases in Europe and the United States, it is highly unlikely personal jurisdiction could be secured against any person in this country who acts as an administrator of a DNA project. But assuming I am wrong, even if personam jurisdiction existed, the applicable law would be foreign to the US and the chances of some outrageous monetary award would likely be minimum unless it involved some truly egregious conduct.

        By the way, I take offense to the statement only a lawyer would love this law. Lawyers may have drafted the provisions, but it is the governments adopting this sort of legislation that should bear the responsibility for their creation.

        • However, the costs of defending against the litigation quicksand add up to thousands and 10s of thousands. Which is exactly why lawsuits are settled. “Winning” isn’t exactly winning if you go bankrupt in the process.

  4. The Ancestry email thing is a pain in the butt when you’ve already spent too much time trying to convince your elderly relatives to test. Some of my relatives don’t have cell phones, and I’m lucky if they only call me once a month with a TV remote problem. Computers and email, not gonna happen. The first time I encountered this problem, I took an unorthodox approach, and figured out how to get around the registration process. A friend of mine took the time and inconvenience of doing it the right way. I’ll review both methods the next time I have to register an Ancestry test kit under my care.

    • You have to visit them to do it.
      Australia is a big country too, and that is what we do. Sometimes twice – once to introduce the topic and once to get their online approval. A friend has a remarkable record of being able to do it in one visit.
      If you have ever done serious oral history with full permissions, then it’s like that.
      It’s just respecting the other individual.
      I come from a background in the pharmaceutical industry like Brian Swann above, and am used to obtaining informed consent. This is similar.
      Show the proposed person your own DNA results and how their additional contribution can assist with your goal – and not just you, other family also.
      Explain the data protection involved.
      Get back to them later with the results.
      Yes, it is more work. But people who do a lot of it find it very rewarding this way.

  5. Thanks for the heads-up, Roberta. Wet blanket is right! No wonder countries are leaving or threatening to leave the EU. It has become the epitome of a “we know what’s best for you” overly-bureaucratic micro-managing government organization.

  6. Another aspect with the “right to be forgotten” is: how does that apply to an individual who has compiled a list of their matches, and the matching segments, etc., and then a match asks the company to delete their data? Without the company doing what I would think would be things that would violate my privacy, how can they assure another customer that ALL references to their test results have been deleted? They can only assure them that they’ve been deleted off of their own servers/databases/whatever, but they can’t assure them that their matches don’t have copies on their home computers. I still have downloads of my 23andMe matches from 2010, and can look at them and do all kinds of analysis on them even now. A company can’t send out a broadcast e-mail to each and every customer informing them that “Jane Doe has asked to be removed, so you should all delete anything pertaining to her” (or using her kit number, if applicable) – that would be a more blatant privacy violation (in my opinion, anyway).

    I don’t really see this applying to, or harming something like triangulation, as the major players in the DNA testing field do ask for consent to be given by the customer, so if there was an issue, it would be with the “right to be forgotten,” and how that would apply with triangulation done after a person has requested to have their information/results deleted.

  7. If I understand well, they want to avoid another Equifax fiasco. I would guess a lot of our data are indeed poorly protected and easily hackable. A good thing FTDNA doesn’t keep the credit card numbers from one transaction to the next.

    That being said, there should be room in the law for services where to be identified is the very purpose of the enterprise. I would guess dating services are also in trouble for the same reason.

  8. Interesting but only a threat if your bread & butter comes from this food trough. Genealogy existed long before computers and DNA geeks and will still be around when computers and DNA geeks are not.

  9. How will this affect those who administer many kits on FTDNA with all the testers being from the U.S and no living relatives from Europe?

  10. I have similar questions to one above. Everywhere where you write “company” in the post, can that also apply to Group Administrators who may have created their own files for better administration? Is there any known exception for “hobbyist” organizations?

    • No, there is not an exception for hobbyist organizations unless they are dealing exclusively with dead people. It’s unclear at this point how this will eventually apply to group administrators, but for now, yes, I think they will be required to abide by the same rules as anyone else, including companies. Take a look at the link to the ISOGG slide presentation.

      • GDPR Article 2(c) and Recital 18 provide some provision for “hobbyists”. Project administrators and professional genealogists retain a link to a commercial activity, however, so whether their processing counts as “personal” or “professional” may need interpretation by the Regulator.
        “(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. […]”

      • I don’t blame them. It is just a sad day for y-DNA genealogy. I personally administrate projects there. Going strictly to using the FTDNA hosted site greatly decreases the value of those projects. I had to pull teeth to get members to provide me with an earliest ancestor, which are displayed on the World Family pages. Many (most) members have not added an earliest ancestor on their personal pages, so they will just show as blank on the FTDNA pages. There is also the loss of the displayed pedigrees on the World Family pages under Patriarch’s. Displaying an earliest ancestor without a pedigree also greatly decreases the value of y-DNA projects. I am greatly discouraged and wonder if it is even worth continuing to administrate projects. It seems like the death of y-DNA genealogy. Many of the projects of surnames in my ancestry are also hosted there.

  11. I don’t need to copy the Patriarch’s Page, as it is a page I uploaded from an html file. Of course, where the projects are at present (or fairly recently) are also preserved in the Wayback machine. My concern is with the FTDNA results pages. In one project, one lineage all has 6 values on DYS464, and in some cases 8. Since FTDNA originally only reported 4 values for early testers, the additional values for those early testers were only confirmed from additional tests. FTDNA only shows 4 values for those on their pages, even though they have 6 (or 8), which will make displayed results confusing. FTDNA also does not allow for arranging participants’ results in the order you want, where I have highlighted what are branch markers for certain branches, where with the lineages and markers, I know with which generation the mutation occurred. I feel like all the work and time I spent on these projects has just been wasted.

    • You can group participants in any way you want, unless you mean in a specific order within projects. You might create a list of suggestions that can be submitted to improve the FTDNA project pages for administrators.

      • Yes, I mean a specific order within a Lineage (meaning a preferred order **within** each group in a project). You can’t do that on FTDNA, or highlight branch markers in a different color from regular mutations. I’ve never liked the FTDNA pages, which is why I have always used the World Family pages, so I could do things the way I thought a project should be done. I have had many members ask me why other project pages don’t look like the way I have done them, as they prefer the way I did them.

    • This is a new regulatory law in Europe that affects every database worldwide that includes people who live in Europe. The penalties are 20 million, 40 million, or 4% of a company’s worldwide revenue, and the penalties are imposed by commissioners at their discretion. It’s onerous.

  12. IMO all those cloud genealogy services could close their shops, it would be a bright day! I’ve multiple times found myself in some public trees and it’s nothing I’ve ever asked for, but someone somewhere thought it was a good idea just because we coincidentally share genes. I’m fine with genealogists keeping their data offline for research and who share it with close family only, but I’m so fed up with all these services like MyHeritage which make people believe they can find their whole history with a click of a button by sharing their DNA or all this private information with a company that commercializes it. I’m so sick of it. The lawyers are bloodthirsty and hopefully GDPR will, if not make violators close their shops, at least start respecting people’s need for privacy. There are so many companies that claim they do, but who certainly don’t.
