Recently, I wrote an article titled, GDPR – It’s a Train and It’s a Comin’ wherein I discussed exactly what GDPR is, and why companies have to comply or risk massive fines. If you’re thinking of the recent Facebook fiasco right about now, that’s exactly where this type of legislation is focused, and why.
That said, this European legislation affects genetic genealogy in ways that weren’t anticipated and in ways that may require changes on the part of our providers and ourselves. Every company has to comply, meaning all of the companies that provide services if they have any EU or UK clients, so GDPR affects anyone in this industry – vendor, project administrator and/or customer. Needless to say, it affects you too, one way or another.
One of the most difficult aspects of GDPR is that the true effect is unknown. There is no case law yet to unravel the confusion. And yes, there is confusion. Lots of confusion.
There will be life after GDPR, and there will be genetic genealogy too – although it may look a bit different in some ways.
Many vendors have been preparing for some time now, so we have knowingly or unknowingly already seen many changes that were either required or perhaps bumped up the priority list by GDPR legislation.
First and foremost, the companies MUST comply to protect themselves, or we, as their customers who have invested not just in our own tests, but often tests for many family members will suffer greatly. If the companies go out of business – and yes, the GDPR fines are potentially severe enough at 20 million euros to bankrupt companies – we could all be impacted in a devastating fashion.
No matter what pain-in-the-patoot changes the vendors feel required to make, it’s far more preferable to adapt and retain access to our investment and genetic genealogy tools. The alternative isn’t pretty and the vendors aren’t making the changes because they woke up one morning and decided to make our lives (and theirs) difficult – they are making the necessary changes to protect themselves and our investment in their products along with our DNA results.
The four guiding principles of GDPR in combination are:
I am very grateful to the testing companies for stepping up and taking care of business, even though the “solution” sometimes makes life more inconvenient for me personally. That’s life right now and we just have to suck it up and get used to the changes.
Therefore, those of us who work in various ways with DNA and genetic genealogy, especially the DNA of others, need to be aware of GDPR requirements. I’ve seen a lot of misinformation fueled by fear circulating, so I’d like to discuss what is required, along with what we do and don’t know.
I’m going to say this now and again at the end of this article, so please, please take special note.
In other words, your mileage may vary. Not to mention, it’s certainly possible that I’ve misinterpreted something. You will see a lot of “weasel words” like “seems to be” and “I think,” because in many cases, we really don’t know.
Yes, change is uncomfortable, but I will get through this and so will you. No need to hit the panic button and the sky is not falling although there is some rumbling.
How Do You Work With DNA?
You may work with DNA in a variety of ways:
- Your own results in any or all of the commercial data bases, or a public database like GedMatch
- Results of family members or friends whose accounts you manage in any of the commercial data bases or at GedMatch
- Results of Family Tree DNA project members as a project administrator at Family Tree DNA
- Results of Family Tree DNA project members on a private or third-party website
- As a search angel helping others as a volunteer
- As a paid researcher or professional in this field in some capacity
GDPR speaks to a variety of situations, so let’s take a look at some of the provisions and how they might affect you and others.
Deceased individuals are explicitly exempted from GDPR.
Volunteers and unpaid individuals are explicitly NOT exempted from GDPR regulations simply because they are volunteers or unpaid. GDPR applies to volunteers and unpaid individuals in the same way as those who are compensated unless other exemptions apply.
Attempting to Uniquely Identify a Person
If you are working with your own DNA results, and only your own results, GDPR probably affects you less than others – unless you are trying to uniquely identify a living person.
GDPR contains the following verbiage:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
To me, the most relevant part of this paragraph is, “for the purpose of uniquely identifying a natural person,” because I feel this relates to people searching for unknown biological parents.
Although GDPR does not apply to deceased people, you don’t know if your parent is deceased until you identify them. If the parent has submitted their own DNA for testing, this wouldn’t seem to be an issue, because the parent(s) intentionally, consensually, tested, entering their DNA into a genetic genealogy data base with the intention of matching and being seen by matches. In other words, you don’t have to “do” anything other than test to identify your parent – because that match is already waiting for you.
However, if an individual tests and then subsequently uses DNA results and other tools and techniques with the intention of uniquely identifying the parent, that seems to be “processing” that is prohibited.
I will not be attempting to track down and personally identify any person who could be living today, meaning certainly no one born within the last 100 years. That doesn’t mean I don’t think people searching for birth family shouldn’t test – I think the process of searching after testing could be problematic under GDPR.
Processors vs Controllers
In the GDPR documentation, controllers are very clearly companies doing the DNA tests and making decisions. Processors, however, are people or companies that perform additional functions as determined by the controllers. The definition and relationship of people who do genetic genealogy work is unclear. Certainly no one working on the GDPR legislation considered genetic genealogy whose intention IS to SHARE information.
If one is working with an individual’s DNA in a professional capacity, the argument that the professional is “processing the information” and making decisions about that processing would seem to be pretty convincing, especially if they were uploading information, or working with matches to identify someone.
You be your own judge, but processors are bound in most cases by the same rules as controllers – and controllers are required to be sure that processors know what is expected of them if they are in any way involved in the transfer of information from the controller to the processor. Another category, “third parties” is largely undefined, as are their responsibilities.
To be safe, I’m presuming worst case here, meaning that all regulations apply, because I don’t want to be caught in an uncomfortable or even ugly situation.
GDPR Does Not Apply To
- GDPR does not apply to “a natural person in the course of a purely personal or household activity and thus with no connection to a commercial activity.”
- Clearly, the verbiage here suggests that individuals working with family data might not be subject to GDPR, but the verbiage about not uniquely identifying individuals would seem to pertain regardless.
- Yes, these two provisions might well be in conflict with each other. I have absolutely no idea which would be determined to be accurate nor under what circumstances. Nor do I know how people administering larger projects, such as regional or haplogroup projects would be viewed since their interest is beyond the “household” but is not connected to a commercial activity.
- While GDPR applies to European residents, you may not be aware that someone is a European resident. I’m going to assume that everyone is a European resident and that way there is no possible mistake.
- GDPR does not appear to apply to European citizens living outside of the EU/UK.
- I would suggest that people not represent to others that they can be anonymous in data bases if or when they test. People are being identified daily based on autosomal tests by comparing the trees and genealogy information of who they match, especially related to parent search cases. That “anonymous” cow left the barn long ago.
Permission, also termed consent in GDPR, was always important, but is now even more so.
- Do not do anything with anyone’s information, meaning DNA information or other information they have provided without their express WRITTEN permission. I’m viewing e-mail as written permission, but that might not be strong enough, especially not for anyone doing research on behalf of others.
- People can only give consent for their own information, or the information for someone they have legal authority to given consent for (child, etc.) or someone whose permission they have obtained.
- You must inform someone whose information you have access to or that they have provided that they have the right to ask for their data to be corrected or removed and of the relevant address where to complain, and how, if they are not happy with a controller or processor.
- Do not expose anyone’s information, including their GedMatch or Family Tree DNA kit number, on a presentation slide, on Facebook or anyplace else without the person’s explicit permission.
- GDPR says that one can’t continue to hold data longer than necessary to finish the processing for which the person has agreed.
- My personal assumption would be that this means that I would delete client reports when they are complete. However, I have in the past kept reports handy, because many clients have asked for a copy, even years later, after losing the original. This also begs the question, relative to DNA and genealogy projects, when is “done?”
- My interpretation would be that one would need permission to maintain the data or information in any format after you have “finished.” However, as we all know, genealogy is never finished, and our genealogical “best practices” are focused on retaining information, not disposing of it.
- GDPR isn’t about just genetic data. If other information is gathered, such as through a blog or newsletter, be sure that your usages are GDPR compliant, as are any tools that people utilize for your applications such as blogging platforms, website providers, etc.
- Controllers and processors must store contact information separately from “results.” I’m presuming this means in a separate spreadsheet for project administrators and people working with other people’s (genetic) information.
- Controllers and processors may be required to track when they are “processing” and what they are doing. Fortunately, for Group Project Administrators, Family Tree DNA provides a logging function which will help immensely.
- If a controller/processor receives a request to provide an individual with all of the information the controller/processor holds on the individual, the processor must comply in a reasonable time – mentioned in the GDPR documentation as within 30 days.
- Never release the names or e-mails of project members, or any other individual, without their express consent for every request. I tell the requesting person if they will compose an e-mail, I will simply forward it to the project member they are asking about. That removes the entire issue and leaves it in the hands of the project member.
- If a personal data breach occurs that results in either loss of or exposure of records, the controller or processor must report the breach within 72 hours to the supervisory authority. However, reporting is not required if the breach is “unlikely to result in risk to the rights and freedoms of natural persons.”
Right to Erasure aka Right to be Forgotten
- If an individual asks you to delete any information they have previously provided to you, it should be done within 30 days. There is some leeway, but minimally the person can expect timely communication from you.
- I would think this would be particularly important for project administrators, especially if the project website is maintained outside of the Family Tree DNA structure where the administrator has created a separate website.
- If a project member changes their privacy setting from a public to a project-only setting, that change is reflected in the project display automatically at Family Tree DNA. If an administrator maintains a separate website, they will need to devise a way to routinely coordinate the privacy settings of project members to reflect new changes. I’m very glad that I don’t maintain any projects outside of the Family Tree DNA structure. It’s still possible to miss some text you’ve put on a separate results page perhaps, but the former project member’s results will automatically be deleted from the project and social media feed, both, by Family Tree DNA.
- If a person has provided you with any information, and they request you to remove or correct it, do so quickly and thoroughly, within the 30 day window. This applies to both paper and computer files.
- In GDPR, there is no provision, consideration or discussion of situations where websites become abandoned over time. In my opinion, GDPR never considered a hobby type of environment where someone posting informational content might not have a registered domain name that would disappear if not paid for. Furthermore, information that has been posted to the web in reality cannot be entirely removed given tools like WayBackMachine. Nothing that has been published is ever really “deleted” from the internet or is entirely “forgotten,” regardless of GDPR.
- Be sure when obsoleting your computer to reformat or destroy your disk drive in a manner in which the data cannot be recovered by the next owner.
- I am not going to be providing any information to anyone about living people as a result of genetic or genealogy research beyond matches provided by a testing company. People can view their own matches for themselves, so that’s not information I need to provide.
- I am not going to recommend uploading to GedMatch or other “open” platform, should one exist, without a commensurate statement that the data base is open, and anyone whom the person matches and sees their kit number can also see whom they match, along with their ethnicity, etc. I’m personally fine with that scenario, but blanket recommendations to upload to GedMatch don’t take into consideration the informed consent necessary for people unfamiliar with the platform, especially relative to “sensitive information” that can identify someone’s racial makeup or religion.
- Do not change anyone’s anything unless you have explicit consent. This means not restricting what others can see or do and not making decisions for them unless you have been specifically designated/authorized to do so. Family Tree DNA has a methodology for a tester to explicitly grant a project administrator full access in order for that individual to grant an administrator more than read/view access. Ancestry also has provisions to allow others to manage a kit or share additional information.
- Do not share anyone else’s GedMatch kit number, especially not in any public forum.
- Do not add living people to your tree(s) and allow them to be seen publicly without their express consent.
- Never expose a minor’s information.
- I would suggest that it is unethical to attempt to “recreate” an autosomal kit representing the DNA of a living person who has declined to DNA test by utilizing the DNA of their other family members, in particular, their children. This does not apply to recreating the DNA profile of deceased family members – only living people who have exercised their right to refuse DNA testing.
- Do not order, transfer, upgrade or otherwise “process” the DNA of anyone without their permission unless it is your DNA, you are their legal guardian or they have granted you permission to do so.
In essence, kindergarten rules apply – do unto others, treat others respectfully and how you would want to be treated.
There’s a lot we don’t know about how GDPR will be interpreted in the long run. I don’t believe GDPR is targeting people like project administrators, unless they are incredibly negligent or intentionally violate the privacy of others. I suspect that, for the most part, being careful with other people’s information, respectful and perhaps more aware than in the past will keep us all safe.
And yes, I know…all it would really take is that one vindictive bad apple that might make your life miserable – especially given that we really don’t know how genetic genealogists will be viewed under GDPR.
I know the changes within projects at Family Tree DNA have upset some group project administrators, and while I don’t like change any better than the next person, I’m actually grateful that Family Tree DNA has implemented modifications that will prevent me (and others) from making errors in judgement or simply getting too busy to delete someone’s information.
I don’t host any projects outside of the Family Tree DNA framework, and if I did, I would revert at this point to Family Tree DNA hosted projects since they have invested the effort into modifications for GDPR compliance. I think that so long as I stay within their framework, and follow the rules, I should be fine.
If you have personal concerns, I would suggest that you read the GDPR documentation for yourself, view the ISOGGG slide presentation listed below, or contact your own lawyer, because as I said before:
- ISOGG slide presentation
- The EU document: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
- The UK document: https://www.gov.uk/government/collections/data-protection-bill-2017
- Parliament BIll HL Bill 66: https://publications.parliament.uk/pa/bills/lbill/2017-2019/0066/lbill_2017-20190066_en_1.htm
- Information Commissioner’s Office Website: https://ico.org.uk/
- Irish Data Protection Commissioner: https://www.dataprotection.ie/docs/gdpr/1623.htm
- Quick Access Document by intersoft consulting https://gdpr-info.eu/
I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.
Thank you so much.
DNA Purchases and Free Transfers
- Family Tree DNA
- MyHeritage DNA only
- MyHeritage DNA plus Health
- MyHeritage FREE DNA file upload
- 23andMe Ancestry
- 23andMe Ancestry Plus Health
- Legacy Tree Genealogists for genealogy research
I do not understand who or what entities are going to regulate/monitor all of this; and I do not understand how it is even possible to regulate. Who designates the gatekeepers? What are the penalities for infractions and who imposes this?
I do not see how regulation is possible on a broad scale.
The EU data protection agencies if they receive complaints.
Can you imagine what all of this will cost in terms of money and manpower?
The biggest gotcha I see here for on individual researcher is requiring permission to share information on living people. I have shared my Ancestry tree with many people who I have also given the ability to see living people. I have not always asked all those living people if I can add them to the tree, especially not in writing. This would seem to be a violation of GDPR.
I’m not a lawyer either. However, I believe that no consumer-grade DNA test suffices for “uniquely identifying a natural person”. The word “unique” is important. All of the available consumer-grade tests identify groups of persons–very large groups. Even the Y-DNA and mtDNA tests involving large numbers of markers yield genetic information that is shared by thousands of living persons–not a unique one.
Autosomal DNA testing through who you match uniquely identifies unknown parents every day.
Was this EU/UK legislation intended primarily for Technology companies and their data bases i.e. Cambridge / Facebook type situation with the Genealogy community just collateral damage? Does USA show any interest in creating similar laws here? Is it possible that vendors are considering legislation to better define their (our) needs for future research? What will this do to the medical research field?? It would seem that some modification or exemptions will need to be spelled out in the future for use in a lot of areas and as is always the case, unintended consequences have resulted from the actions of one group on all.
Very nice article about GDPR. Only problem I have is WHAT IS IT? I looked up a couple other older articles and can’t find the whole words.
General Data Protection Regulation. Click on the several links, especially near the end of the article.
My background is in data warehousing and metrics-reporting in the healthcare industry, so I share your questions regarding how one deals with medical records, data backups, being able to provide copies of reports from 5 years ago, etc. etc. This is not just Y2K on steroids, but HIPAA on steroids! Potentially plenty of work ahead for IT folks as well, not just lawyers, lol!
That said, this is a DNA/genealogy blog, so to your point about not sharing anyone else’s kit number (especially in public forums), I’m wondering if, in the end, you can’t even share your own kit number since by doing so, you’re essentially sharing all the kits of your matches. (Personally, I try to avoid sharing it in, say, Facebook groups, but in the past I was less careful since i thought of it as “my” dna)
It will be interesting to see how all this plays out. It would be sad to see, for example, a volunteer effort like GedMatch potentially decide to heck with it, while companies for whom the law is arguably “meant” simply work around it. Case in point — Responsibility for Facebook’s 1.5 billion users outside the EU/US/Canada will now be under US auspices and US laws, rather than their international headquarters in Ireland. http://www.bbc.com/news/technology-43822184 and
Often the comments section of Roberta’s articles has as valuable info as her articles. Your comment is an example. As a systems specialist, I worked over 20 years in a data center where we came in contact with data warehousing professionals. I have the greatest respect for your expertise and comments. Thank you for contributing.
Yes, Ron, the comments are greatly appreciated and I look forward to reading them in addition to Roberta’s vaulable articles.. Thank you Roberta for providing the comments section.
I really enjoy the comments too and the information people share. Sometimes the comments are more useful than the article, especially to me. That’s how I’ve met people who have been extremely generous and helpful.
Thanks very informative!
Sent from my iPad
Thank you Roberta for your very thoughtful and thorough reply. Each time I read something on GDPR, I learn something new. Your perspective on citizenship made me rethink my perspective. Of course! Someone I know as a US citizen could easily have dual citizenship unbeknown to me. So, as a project administrator, taking the approach that everyone is an EU citizen is really the safest approach with GDPR. And I appreciate your guidance to avoid telling a project member that they can remain anonymous in a matching database with associated genealogies.
I feel this may leave people open to breaking European law without knowing they are doing this, Including me. In particular, there are Mt-DNA and Y-DNA matches outside the USA shown at Family Tree DNA. I am still not sure what I am suppose to do to deal with this? I have invested good money, and do not want all info private, as it defeats the purpose of testing for genealogy research. I guess I will have to leave this up to Family Tree DNA to sort out, because it is beyond me
They have consented for you to see their information.
I viewed a y-DNA Project results page for a surname (a little over 200 members) on FTDNA just a couple of days ago. Today, the page is listed as available to “members only.” If this becomes a trend, it will greatly hamper research. No longer will a person be able to look at a results page and see two lines are not related (assuming the paper trails are correct), or see which lines are related to an ancestral line, for clues to earlier residences within the USA.
It’s up to the administrators how they display the pages.
I wonder about the privacy at gedmatch; I would at least suggest that they hide the mail addresses behind a “contact” button.
Fascinating. This discussion seems to center around organizations and professional genealogists, or even amateurs doing research for non-relatives. What about those of us who are amateurs, privately researching to determine how a match relates to us and is clearly only in the US? What about asking a known cousin to take a DNA test that will help with the ancestor search, but will also prove parentage of another DNA cousin who doesn’t know his/her parentage? Would it be a requirement to disclose that it might prove that he or she is a parent or sibling of an unknown child? Obviously a woman would know if she’d had a child that was given up for adoption and doesn’t want others to know, but a man could be a father without knowing it. Then there are all of the egg and sperm donors.How far can a private individual go to help a DNA cousin find his/her heritage?
I always tell people that they could encounter surprises. As for the actual legislation, we don’t know, but in the US it’s not relevant between people if they are not EU/UK citizens.
Does a SNP test actually fully ID a natural person? It is not a ‘full genome test’ and may identify an ancestor now dead! For example, my R1b-A476 currently only identifies close family in descent from my g-grandfather who died in 1865. This has been proven in a living descendant of a g-Uncle ie my grandfather’s brother – all dead. Therefor an SNP would only ID a small or larger group of people – not specifically individual ‘natural person’. But GDPR is to protect individuals but we in effect are identifying people long dead so why should GDPR apply to us volunteer citizen researchers?
It’s not just about that. It’s also about privacy and autosomal tests do identify people.
With respect that does not clarify the point I was making. I did not mention autosomal and what do you mean by ‘people’ (that is not a ‘natural person’)! I asked about a particular mutation in this case A476 carried by perhaps many individuals in the past (long dead) in the public domain as a scientific fact and therefore GDPR should not apply. What could possibly be ‘private about it’?
You can’t divide DNA into little boxes. GDPR applies in a specific way to DNA because DNA is so personal. The same person may have also tested for autosomal, so how you handle their privacy is very relevant. I can’t defend GDPR, but what I can tell you is what is required. GDPR is horribly written far overreaching legislation, but it’s a fact.
Perhaps Labs should stop selling ‘autosomal’ then if it deals only with ‘living people’? Is there a public database that shows Kit Nos. etc for those that are interested in ‘autosomal’ and leave us researchers to continue our identification of mutations of those ‘long dead’ via their descendants. We must have some sort of database to be able to continue doing research ‘by comparison’. Surely all that is required is for those interested in a database listing, can do so by ‘giving permission’ by invoking some means of ‘charitable status’. I agree GDPR of 17 pages of rambling ‘do’s and don’ts’ is an ‘OTT nightmare’ and its us Taxpayers who are forced to pay for it in the EU!
Roberta, somehow, some way, I have fallen off your mailing list. i tired to re-subscribe but get an automated message that i am “already subscribed”. I haven’t received your regular blog since entry dated April 20, 2018. Hated to have to write you in the Comments section but missing your words are akin to losing a lifeline! OK, almost. 🙂
Check your spam folder. If that doesn’t work, unsubscribe then resubscribe.
How about if companies and others just prohibit use by EU citizens?
The problem is that it applies to people already in the database.
Exactly, in many surname projects linked to Kit Nos. have long been in the ‘public domain’ whatever that may mean. Its really too late to ‘repress this data’ just to satisfy some jumped up official who is scared of a minority that may complain!
A kit number does not specifically identify an individual. Still, kit numbers should not be revealed without permission. Joining a project constitutes permission at the level the joiner gives. The penalties for willfully disregarding the requirements are onerous.
So joining a DNA research group would automatically give the group administrator permission to use ones data to ‘meet the goals’ of all members of said group? That would mean every member has agreed to ‘share data’ using ‘Kit Nos.and/or any associated DNA’ for research comparison purposes? Thus each member could use any of the Kit Nos to illustrate progress and promulgating new data to all of the group and post it on the appropriate group forum? Why would GDPR want to change that existing free means of communication already in the public domain? If it repress an existing means of research it would damage knowledge harking back to the dark days of repression of ‘Da Vincie’.
Roberta, thank you for your insight and clarifications on this GDPR crapola. And @ Peter D. Beattie … if you were a preacher, I’d be sitting in the front pew shouting out “Amen brother!”
Yea, I think wars were fought over this kind of stuff…back in 1776, right?
I do not understand why you/we cannot talk about ‘Kit Numbers’ as they are already in the ‘public domain’ ie shared by ‘User Groups’ under the ‘permission’ given by a testee as part of ‘condition of joining’ a group. Anyway, who actually owns the ‘rights of a Kit No.’. Its not the personal property of a testee as they have not ‘originated it’! Its issued by the Testing Lab. to help them process ‘the product’ and that would in most cases be a single mutation that would already be in the general ‘gene pool’ so it belongs to our environment/culture for many generations and not just a ‘natural person’ as defined under GDPR!
A kit number is part of the identification of a person, in this case.
I absolutely will fight this stupid directive and circumvene every single aspect of it, such as changing all my family address in the EU to my US address. If enough people do the same, this Orwelian directive, which comes directly from the brain of the unelected European Commission, would become as irrelevant as all the ones that try to stop the flow of information on the internet. Also I read somewhere that it applies not only to EU residents but also to EU nationals, if they start to make extra-territorial laws, I might actually renounce my dual-citizenship and only keep my US one… But there is hope: I am absolutely convinced that the Eurozone, and the EU itself will disintegrate when the upcoming monetary crisis will hit.
Thank you for your very informative articles on GDPR, which I have read with great interest. I have to correct a minor detail, though. You have omissioned EEA/ EFTA countries in your articles. – I am sorry to tell you that GDPR also is implemented i Norway, where I live.
Pingback: 2018 – The Year of the Segment | DNAeXplained – Genetic Genealogy