Common Sense and GDPR

Recently, I wrote an article titled, GDPR – It’s a Train and It’s a Comin’ wherein I discussed exactly what GDPR is, and why companies have to comply or risk massive fines. If you’re thinking of the recent Facebook fiasco right about now, that’s exactly where this type of legislation is focused, and why.

That said, this European legislation affects genetic genealogy in ways that weren’t anticipated and in ways that may require changes on the part of our providers and ourselves. Every company has to comply, meaning all of the companies that provide services if they have any EU or UK clients, so GDPR affects anyone in this industry – vendor, project administrator and/or customer. Needless to say, it affects you too, one way or another.

One of the most difficult aspects of GDPR is that the true effect is unknown. There is no case law yet to unravel the confusion. And yes, there is confusion. Lots of confusion.

There will be life after GDPR, and there will be genetic genealogy too – although it may look a bit different in some ways.

Many vendors have been preparing for some time now, so we have knowingly or unknowingly already seen many changes that were either required or perhaps bumped up the priority list by GDPR legislation.

First and foremost, the companies MUST comply to protect themselves, or we, as their customers who have invested not just in our own tests, but often tests for many family members will suffer greatly. If the companies go out of business – and yes, the GDPR fines are potentially severe enough at 20 million euros to bankrupt companies – we could all be impacted in a devastating fashion.

No matter what pain-in-the-patoot changes the vendors feel required to make, it’s far more preferable to adapt and retain access to our investment and genetic genealogy tools. The alternative isn’t pretty and the vendors aren’t making the changes because they woke up one morning and decided to make our lives (and theirs) difficult – they are making the necessary changes to protect themselves and our investment in their products along with our DNA results.

The four guiding principles of GDPR in combination are:

• Transparency
• Simplicity
• Privacy
• Consent

I am very grateful to the testing companies for stepping up and taking care of business, even though the “solution” sometimes makes life more inconvenient for me personally. That’s life right now and we just have to suck it up and get used to the changes.

Therefore, those of us who work in various ways with DNA and genetic genealogy, especially the DNA of others, need to be aware of GDPR requirements. I’ve seen a lot of misinformation fueled by fear circulating, so I’d like to discuss what is required, along with what we do and don’t know.

I’m going to say this now and again at the end of this article, so please, please take special note.

In other words, your mileage may vary. Not to mention, it’s certainly possible that I’ve misinterpreted something. You will see a lot of “weasel words” like “seems to be” and “I think,” because in many cases, we really don’t know.

Yes, change is uncomfortable, but I will get through this and so will you. No need to hit the panic button and the sky is not falling although there is some rumbling.

How Do You Work With DNA?

You may work with DNA in a variety of ways:

• Your own results in any or all of the commercial data bases, or a public database like GedMatch
• Results of family members or friends whose accounts you manage in any of the commercial data bases or at GedMatch
• Results of Family Tree DNA project members as a project administrator at Family Tree DNA
• Results of Family Tree DNA project members on a private or third-party website
• As a search angel helping others as a volunteer
• As a paid researcher or professional in this field in some capacity

Different Situations

GDPR speaks to a variety of situations, so let’s take a look at some of the provisions and how they might affect you and others.

Dead People

Deceased individuals are explicitly exempted from GDPR.

Volunteers

Volunteers and unpaid individuals are explicitly NOT exempted from GDPR regulations simply because they are volunteers or unpaid. GDPR applies to volunteers and unpaid individuals in the same way as those who are compensated unless other exemptions apply.

Attempting to Uniquely Identify a Person

If you are working with your own DNA results, and only your own results, GDPR probably affects you less than others – unless you are trying to uniquely identify a living person.

GDPR contains the following verbiage:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

To me, the most relevant part of this paragraph is, “for the purpose of uniquely identifying a natural person,” because I feel this relates to people searching for unknown biological parents.

Although GDPR does not apply to deceased people, you don’t know if your parent is deceased until you identify them. If the parent has submitted their own DNA for testing, this wouldn’t seem to be an issue, because the parent(s) intentionally, consensually, tested, entering their DNA into a genetic genealogy data base with the intention of matching and being seen by matches. In other words, you don’t have to “do” anything other than test to identify your parent – because that match is already waiting for you.

However, if an individual tests and then subsequently uses DNA results and other tools and techniques with the intention of uniquely identifying the parent, that seems to be “processing” that is prohibited.

I will not be attempting to track down and personally identify any person who could be living today, meaning certainly no one born within the last 100 years. That doesn’t mean I don’t think people searching for birth family shouldn’t test – I think the process of searching after testing could be problematic under GDPR.

Processors vs Controllers

In the GDPR documentation, controllers are very clearly companies doing the DNA tests and making decisions. Processors, however, are people or companies that perform additional functions as determined by the controllers. The definition and relationship of people who do genetic genealogy work is unclear. Certainly no one working on the GDPR legislation considered genetic genealogy whose intention IS to SHARE information.

If one is working with an individual’s DNA in a professional capacity, the argument that the professional is “processing the information” and making decisions about that processing would seem to be pretty convincing, especially if they were uploading information, or working with matches to identify someone.

You be your own judge, but processors are bound in most cases by the same rules as controllers – and controllers are required to be sure that processors know what is expected of them if they are in any way involved in the transfer of information from the controller to the processor. Another category, “third parties” is largely undefined, as are their responsibilities.

To be safe, I’m presuming worst case here, meaning that all regulations apply, because I don’t want to be caught in an uncomfortable or even ugly situation.

GDPR Does Not Apply To

• GDPR does not apply to “a natural person in the course of a purely personal or household activity and thus with no connection to a commercial activity.”
• Clearly, the verbiage here suggests that individuals working with family data might not be subject to GDPR, but the verbiage about not uniquely identifying individuals would seem to pertain regardless.
• Yes, these two provisions might well be in conflict with each other. I have absolutely no idea which would be determined to be accurate nor under what circumstances. Nor do I know how people administering larger projects, such as regional or haplogroup projects would be viewed since their interest is beyond the “household” but is not connected to a commercial activity.

Location

• While GDPR applies to European residents, you may not be aware that someone is a European resident. I’m going to assume that everyone is a European resident and that way there is no possible mistake.
• GDPR does not appear to apply to European citizens living outside of the EU/UK.

Anonymization

• I would suggest that people not represent to others that they can be anonymous in data bases if or when they test. People are being identified daily based on autosomal tests by comparing the trees and genealogy information of who they match, especially related to parent search cases. That “anonymous” cow left the barn long ago.

Permission

Permission, also termed consent in GDPR, was always important, but is now even more so.

• Do not do anything with anyone’s information, meaning DNA information or other information they have provided without their express WRITTEN permission. I’m viewing e-mail as written permission, but that might not be strong enough, especially not for anyone doing research on behalf of others.
• People can only give consent for their own information, or the information for someone they have legal authority to given consent for (child, etc.) or someone whose permission they have obtained.
• You must inform someone whose information you have access to or that they have provided that they have the right to ask for their data to be corrected or removed and of the relevant address where to complain, and how, if they are not happy with a controller or processor.
• Do not expose anyone’s information, including their GedMatch or Family Tree DNA kit number, on a presentation slide, on Facebook or anyplace else without the person’s explicit permission.

Data

• GDPR says that one can’t continue to hold data longer than necessary to finish the processing for which the person has agreed.
• My personal assumption would be that this means that I would delete client reports when they are complete. However, I have in the past kept reports handy, because many clients have asked for a copy, even years later, after losing the original. This also begs the question, relative to DNA and genealogy projects, when is “done?”
• My interpretation would be that one would need permission to maintain the data or information in any format after you have “finished.” However, as we all know, genealogy is never finished, and our genealogical “best practices” are focused on retaining information, not disposing of it.
• GDPR isn’t about just genetic data. If other information is gathered, such as through a blog or newsletter, be sure that your usages are GDPR compliant, as are any tools that people utilize for your applications such as blogging platforms, website providers, etc.

Rules

• Controllers and processors must store contact information separately from “results.” I’m presuming this means in a separate spreadsheet for project administrators and people working with other people’s (genetic) information.
• Controllers and processors may be required to track when they are “processing” and what they are doing. Fortunately, for Group Project Administrators, Family Tree DNA provides a logging function which will help immensely.
• If a controller/processor receives a request to provide an individual with all of the information the controller/processor holds on the individual, the processor must comply in a reasonable time – mentioned in the GDPR documentation as within 30 days.
• Project administrators may want to post a privacy policy on their project website at FTDNA and/or elsewhere, especially if any project information is posted outside of the FTDNA project structure. Your project members will need to know that your project is separate from Family Tree DNA, and that they need to contact you directly for modification/removal of both posted data and anything they have personally sent you.
• Never release the names or e-mails of project members, or any other individual, without their express consent for every request. I tell the requesting person if they will compose an e-mail, I will simply forward it to the project member they are asking about. That removes the entire issue and leaves it in the hands of the project member.
• If a personal data breach occurs that results in either loss of or exposure of records, the controller or processor must report the breach within 72 hours to the supervisory authority. However, reporting is not required if the breach is “unlikely to result in risk to the rights and freedoms of natural persons.”

Right to Erasure aka Right to be Forgotten

• If an individual asks you to delete any information they have previously provided to you, it should be done within 30 days. There is some leeway, but minimally the person can expect timely communication from you.
• I would think this would be particularly important for project administrators, especially if the project website is maintained outside of the Family Tree DNA structure where the administrator has created a separate website.
• If a project member changes their privacy setting from a public to a project-only setting, that change is reflected in the project display automatically at Family Tree DNA. If an administrator maintains a separate website, they will need to devise a way to routinely coordinate the privacy settings of project members to reflect new changes. I’m very glad that I don’t maintain any projects outside of the Family Tree DNA structure. It’s still possible to miss some text you’ve put on a separate results page perhaps, but the former project member’s results will automatically be deleted from the project and social media feed, both, by Family Tree DNA.
• If a person has provided you with any information, and they request you to remove or correct it, do so quickly and thoroughly, within the 30 day window. This applies to both paper and computer files.
• In GDPR, there is no provision, consideration or discussion of situations where websites become abandoned over time. In my opinion, GDPR never considered a hobby type of environment where someone posting informational content might not have a registered domain name that would disappear if not paid for. Furthermore, information that has been posted to the web in reality cannot be entirely removed given tools like WayBackMachine. Nothing that has been published is ever really “deleted” from the internet or is entirely “forgotten,” regardless of GDPR.
• Be sure when obsoleting your computer to reformat or destroy your disk drive in a manner in which the data cannot be recovered by the next owner.

Guiding Principles

• I am not going to be providing any information to anyone about living people as a result of genetic or genealogy research beyond matches provided by a testing company. People can view their own matches for themselves, so that’s not information I need to provide.
• I am not going to recommend uploading to GedMatch or other “open” platform, should one exist, without a commensurate statement that the data base is open, and anyone whom the person matches and sees their kit number can also see whom they match, along with their ethnicity, etc. I’m personally fine with that scenario, but blanket recommendations to upload to GedMatch don’t take into consideration the informed consent necessary for people unfamiliar with the platform, especially relative to “sensitive information” that can identify someone’s racial makeup or religion.
• Do not change anyone’s anything unless you have explicit consent. This means not restricting what others can see or do and not making decisions for them unless you have been specifically designated/authorized to do so. Family Tree DNA has a methodology for a tester to explicitly grant a project administrator full access in order for that individual to grant an administrator more than read/view access. Ancestry also has provisions to allow others to manage a kit or share additional information.
• Do not share anyone else’s GedMatch kit number, especially not in any public forum.
• Do not add living people to your tree(s) and allow them to be seen publicly without their express consent.
• Never expose a minor’s information.
• I would suggest that it is unethical to attempt to “recreate” an autosomal kit representing the DNA of a living person who has declined to DNA test by utilizing the DNA of their other family members, in particular, their children. This does not apply to recreating the DNA profile of deceased family members – only living people who have exercised their right to refuse DNA testing.
• Do not order, transfer, upgrade or otherwise “process” the DNA of anyone without their permission unless it is your DNA, you are their legal guardian or they have granted you permission to do so.

In essence, kindergarten rules apply – do unto others, treat others respectfully and how you would want to be treated.

There’s a lot we don’t know about how GDPR will be interpreted in the long run. I don’t believe GDPR is targeting people like project administrators, unless they are incredibly negligent or intentionally violate the privacy of others. I suspect that, for the most part, being careful with other people’s information, respectful and perhaps more aware than in the past will keep us all safe.

And yes, I know…all it would really take is that one vindictive bad apple that might make your life miserable – especially given that we really don’t know how genetic genealogists will be viewed under GDPR.

I know the changes within projects at Family Tree DNA have upset some group project administrators, and while I don’t like change any better than the next person, I’m actually grateful that Family Tree DNA has implemented modifications that will prevent me (and others) from making errors in judgement or simply getting too busy to delete someone’s information.

I don’t host any projects outside of the Family Tree DNA framework, and if I did, I would revert at this point to Family Tree DNA hosted projects since they have invested the effort into modifications for GDPR compliance. I think that so long as I stay within their framework, and follow the rules, I should be fine.

If you have personal concerns, I would suggest that you read the GDPR documentation for yourself, view the ISOGGG slide presentation listed below, or contact your own lawyer, because as I said before:

Additional Resources

• ISOGG slide presentation
• www.eugdpr.org
• The EU document: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
• The UK document: https://www.gov.uk/government/collections/data-protection-bill-2017
• Parliament BIll HL Bill 66: https://publications.parliament.uk/pa/bills/lbill/2017-2019/0066/lbill_2017-20190066_en_1.htm
• Information Commissioner’s Office Website: https://ico.org.uk/
• Irish Data Protection Commissioner: https://www.dataprotection.ie/docs/gdpr/1623.htm
• Quick Access Document by intersoft consulting https://gdpr-info.eu/

______________________________________________________________

Disclosure

I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.

Thank you so much.

DNA Purchases and Free Transfers

• Family Tree DNA
• MyHeritage DNA only
• MyHeritage DNA plus Health
• MyHeritage FREE DNA file upload
• AncestryDNA
• 23andMe Ancestry
• 23andMe Ancestry Plus Health
• LivingDNA

Genealogy Services

• MyHeritage FREE Tree Builder
• MyHeritage Subscription with Free Trial

Genealogy Research

• Legacy Tree Genealogists for genealogy research