GDPR – Birthing the 100 Pound Baby

GDPR – General Data Protection Regulation – Today’s the day of deliverance – May 25th. GDPR is finally enacted after MONTHS and MONTHS of agony.

Believe me, to those of us in the field, the GD does NOT stand for General Data – it stands for Gol Danged or something much, MUCH stronger.

And speaking of stronger, when I’m really stressed, I do one of three things:

  • Buy a bauble commensurate with my level of misery
  • Eat dark chocolate
  • Drink

In extreme cases, all three.

Actually, if you know me, you know I don’t drink. So item number 3 is really, REALLY a distant 3rd – and I’m on my third bottle of wine this week. Good thing I only like moscato wine, ice wine and my rightful Irish legacy, Guinness.

I actually prefer to quilt, because you can stress-quilt wearing baubles and eating chocolate, but if you drink while quilting, your seams will be crooked as a dog’s hind leg.

So, how do you like my new GDPR-size blue bauble flanked by support “staff”?

Yes, it’s been one horrid, awful, miserable, give-me-a-case-of-wine and buy-chocolate-in-bulk six months or so.

Did I mention that it’s been horrid?

I equate dealing with GDPR to giving birth. Not being pregnant, mind you – just the miserable giving birth part – like being in labor for let’s say – 9 months or so. Then delivering a really ugly 100 pound baby that not even a mother can love. Not to mention, I broke my foot during this time too – and no, it wasn’t kicking anyone or anything. AND I was stone cold sober, at a quilt retreat.

For those of you who don’t know, I have 30+ years of technology consulting experience. While I’m “semi-retired,” I’m not entirely retired and I’ve spent the last many months wrestling with this monster known as GDPR. I’m glad to report that my clients are ready, but no one emerged unscarred. I have crooked-seam quilts that I’m claiming are a new art form, am walking like peg-leg the pirate in a very “special” shoe and I’ve gained 5 “chocolate” pounds.

Wonder why I haven’t been doing many DNA reports? Well – now you know!

I have tried, really tried, to maintain a positive outlook – but as the date has approached and I’ve seen how much we are cumulatively losing in the genetic genealogy community – any semblance of a positive perspective has disappeared.

You can read my GDPR articles:

Making it even worse are the hollow assurances of individuals on social media saying that “everything will be alright” because GDPR is really no big deal, or worse yet that people are “scaremongering.”

So, let me be extremely candid and not sugarcoat anything, because after being in GDPR-labor for several months, I have absolutely not one shred of patience left whatsoever.

What Is This Behemoth and Why Do I Care?

GDPR was enacted by the 28 EU member countries, referred to as “member states,” to regulate information privacy. In and of itself, there is nothing wrong with that, and given the Facebook/Cambridge Analytica fiasco and others, it’s much needed.

However, and this is a huge HOWEVER, the way this regulation was written and implemented is not only a massive overreach in regulation, it’s vague, poorly written and almost impossible to comply with. In many cases, there are no standards or definitions included and where there are, they are often draconian, misinformed or outdated in nature.

Furthermore, GDPR is enforced by the unnamed and unknown commissioners of the 28 different “member states” at their sole discretion – including how to levy fines up to and including 20 million Euro or 4% of a company’s gross worldwide revenue – whichever is MORE.

And no, there is no, absolutely no indication of how that fine will be decided, the steps or processes, or if the penalty will be imposed based on the severity of the infraction or the size of the organization or individual.

How, you wonder, is the process of an investigation set in motion? By a malcontent complaining.

Now that malcontent may well be justified (read about the Equifax breach here and here, and the Facebook fiasco here) or the malcontent might be someone who is simply vindictive – or someplace in between. Regardless, the person or company on the receiving end of the complaint is then obligated to defend themselves, to PROVE the malcontent is inaccurate, or the fines can be levied at the discretion of the unnamed commissioner. Yes, the burden of proof is on the company, not the complainer.

There is no court involved, no appeal process – nothing.

Are these regulators going to make examples of people or companies? Is this a cash grab by the EU member states? Will there be GDPR chasers, like ambulance chasers? Who knows? I don’t, but it’s clearly a huge risk with zero, zip case law yet. Which is exactly why smaller entities are folding.

How does someone even defend themselves? They would hire a lawyer, of course. Know what lawyers that understand GDPR are charging right now?

I can tell you, from direct, personal experience: $1000 per hour, billable by the minute. So if you do manage to avoid the fines, your legal defense will bankrupt you instead. Well, that’s certainly a win!

Now you understand why several small businesses have closed their electronic doors, blogs have disappeared and some sites are blocking all EU IP addresses. Better safe than sorry, but not terribly conducive to genealogical sharing.

Not only that, the GDPR regulation is not just moving forward from May 25th into the future, it’s retroactive, meaning it applies not just to new sales but to any database worldwide that contains data of an EU resident. The more information an entity held, or the more openly it shared, the more difficult GDPR was to implement. Hence, many have closed.

How can you tell if someone is an EU resident from a gmail address, for example? You can’t. So as a business or even a blogger, you are left in the position of not knowing which individuals this regulation might apply to – so if you want to stay in business, or stay safe and NOT attract the notice of the EU commissioners who have the ability to function as GDPR fine-levying Gods – you must comply.

For those of you thinking that GDPR can’t be enforced in the US – maybe, and maybe not. How would we know before lawsuits are filed? And at $1000 an hour, who among us can afford to find out?

Raise your hands please…

Waiting….

Waiting…

I see no hands.

But GDPR created a solution for that too – because non-EU companies that function in Europe MUST appoint a European Representative – who absorbs some of the risk of non-compliance so that the EU commissioners know who to reach out to in order to get their hands on you.

Care to guess how much this service costs? Well, just start running that attorney’s per hour meter rapidly – and this has to be paid YEARLY – forever.

Now, care to guess ultimately who will pay for all of this?

Yes, YOU, the consumer – whether you live in the EU or not.

Sometimes I try to spare my readers from the under-the-hood nitty gritty – but this time, you really do need to know so that you can appreciate what vendors have dealt with to revamp their businesses and internal processes. Otherwise, we as a community stood to lose genetic genealogy and that would have been a mind-numbing tragedy.

What Does Comply Mean?

Some people are being very dismissive of GDPR, or hyper-critical of companies who are trying to change their products, features and websites to become compliant. It’s worth noting here that none of the major companies or vendors are EU companies.

Here’s an example of an e-mail update I received today from a US company:

After nearly two years of hard work and preparation, we are ready for May 25 — the start of “GDPR” in Europe. More than 500 employees from across our company have helped meet more than 1,500 project milestones.

The General Data Protection Regulation is a sweeping set of new and enhanced rules in the European Union. It covers how companies treat the personal data of customers and employees. Specifically, it makes sure an individual’s rights are enforced, personal data is inventoried, breaches are reported promptly, and privacy is baked into all products.

If someone tries to convince you that GDPR compliance is no big deal, they are either grossly uninformed about GDPR itself or don’t have any idea about the magnitude of the ramifications of GDPR on entities from large corporations down to (some) volunteers. Some people have opined that if the companies were “taking care of their customers’ data,” they wouldn’t have to do anything and “would have nothing to worry about in the first place.” That’s blatantly wrong.

For starters, every company had to undergo a specific compliance evaluation process, which was far from easy because GDPR doesn’t just tell you THAT you have to protect information; in some cases it specifies how – keeping e-mails in a separate database, for example. Databases aren’t necessarily designed in that manner, nor is that the best solution for security or performance – not to mention genetic genealogy is about sharing.

However, if a company doesn’t comply and someone complains, they have to undergo an audit. If found out of compliance, they’re liable for a potentially astronomical fine by an unknown commissioner (each country has its own) who may or may not have a clue about technology or, in this case, genetic genealogy and how it’s utilized.

I’ve made a list of a FEW of the GDPR requirements. Also, keep in mind, many of the requirements tell you in general terms what they want, but there are no examples of what they consider adequate, so you just have to guess and if an issue arises, the data commissioner gets to decide if you guessed correctly.

If not, you’ll get to pay up!

I have included the GDPR citation in the table below, so you can check for yourself if you think I’ve just made this up and am, well, scaremongering. In fact you can read the entire document here and here with the added schedules AND, if that’s not enough, you can then read the UK version here with explanatory notes available separately. Yes, it’s hundreds of pages of pure misery but if you have insomnia, it, guaranteed, will cure you immediately. Hey, there has to be a silver lining someplace.

I’ve briefly listed the requirement, summarized unless in quotes, and the reference citation from the first linked document above, published in the “Official Journal of the European Union.” So, your mission, should you choose to accept it, is to correlate the requirements of the first, second and third documents, together, and figure out how to resolve any conflicts. Good luck! Start now and you’ll exit the maze, dazed and confused, sometime around late summer😊

You will quickly see that I’m neither over-reacting nor making this up.

In the following table, a controller is the primary entity working with information. For genetic genealogy, that would be a DNA testing company or a third party vendor. A processor is any other entity, which could be a lab doing the actual processing, a third party working with a vendor or project administrators who also “process” information.

Processing is defined basically as anything you do with someone’s information:

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;…

A controller is defined in L119/33 article 4.7 and a processor in L119/33 article 4.8.

GDPR Requirement – Reference/Comment

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not and regardless of whether the controller is in the EU or not.” – L119/32 article 3.1, 3.2, 3.3; L119/4 item 22. This EU document’s effects are worldwide.

Controllers must carry out a GDPR “data protection impact” assessment that includes mapping data flow and security, and must be able to demonstrate compliance with GDPR. – L119/50 article 28.4; L119/14 item 74; L119/16 item 84; L119/16 item 83.

Consent must be given by a clear affirmative action for each thing consented to and everything processed. Silence, pre-selected boxes or inactivity is not consent. – L119/6 item 32. I actually like this, but if you’re irritated by being asked to reconsent or reconfirm, this is why. As a business or person “processing” information, you must be able to PROVE they gave informed consent.

You must explain to the person how they gave consent for what you are doing with their information and be able to demonstrate that, in fact, they did consent. – L119/7 item 39.

Person must not suffer negative consequences for not granting consent. – L119/8 item 43.

Information must be concise, easy to understand and easily accessible. – L119/11 item 58. Actually, as a consumer I love this requirement, because too many companies hid behind verbiage that was impossible to understand without a law degree.

Person has the right to be forgotten, or to correct data, and the processor must comply or respond within one month. Furthermore, the controller (the main entity processing information) must inform any secondary processors, who also must comply. – L119/11 item 59; L119/13 item 66; L119/5 item 29; L119/12 item 65. If you’re wondering why FTDNA suggests that administrators remove any data they’ve put on any site about FTDNA customers who leave projects, within 30 days, this answers your question.

Person must be informed when data is transferred between entities, especially to entities outside of the EU. – L119/12 item 61.

Person can request any information held about themselves. – L119/13 item 68; L119/45 article 20.

Any controller/processor outside of the EU must designate an EU representative who “will cooperate with a supervisory authority with regard to any action taken to ensure compliance with this regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” – L119/15 item 80; also L119/48 article 27.1. Yep, just try to find someone in the EU willing to do this. Costs are astronomical.

Processors must be bound to controllers by contract and must delete data when finished processing, and the GDPR requirements of the controller must be passed on to processors. – L119/16 item 81; L119/50 article 28.4. This is probably why the Family Tree DNA administrators must sign the new agreement and are instructed to delete project member information when members leave projects.

Controllers and processors must maintain records of processing and make those records available on demand to the supervisory authority. – L119/16 item 82.

Processors must adhere to an approved code of conduct. – L119/50 article 28.5. And no, in case you were wondering, there is no suggestion about what that code of conduct should contain.

Required security includes pseudonymisation and encryption of personal data, assessing risks of disclosure, loss or alteration, adherence to approved codes of conduct, and prohibits keeping e-mail addresses in the same file as test results. – L119/51-52 article 32 inclusive.

“Sensitive processing” means processing of personal data revealing racial or ethnic origin (and other things)…or processing genetic data for the purpose of uniquely identifying an individual. – HL Bill 66: Chapter 2 Principles 7a/b.

Some personal data is considered “sensitive,” including any that reveals…racial or ethnic origin. – L119/10 item 51; L119/12 item 65.

Volunteers are not excluded because they are not paid. – L119/5 item 23.

Does not apply to dead people or research for genealogy. – L119/30 item 160; L119/5 item 27. Don’t get excited. Genetics is considered in a special category of sensitive information.

Does not apply to individuals in a purely personal or household activity with no connection to a professional or commercial activity…but does apply to controllers or processors which provide the means for processing personal data. – L119/3 item 18. Ironic, isn’t it, that the very document that requires straightforward, non-legal, understandable language is so vague and uses confusing language subject to very different interpretation.

Information must be pseudonymized, and additional information for attributing the information to a specific individual must be kept separate. – L119/5 item 29.

Person must be able to withdraw consent as easily as it was given. – L119/5 item 29; L119/37 article 7.3.

Personal data breaches must be reported within 72 hours if the breach is determined to be damaging to the rights and freedoms of the individuals, and the people affected must be told that a data breach has occurred. – L119/50 article 28.4; L119/16 item 85; L119/6 item 86.

Must hire or assign a data protection officer focused on GDPR. – L119/55 articles 37-39 inclusive; also L119/34 item 4.17; also L119/15 item 80.

“Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.” – L119/81 article 82.4.

“Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.” – L119/83 article 83.6, also HL Bill 66 page 83 #150; L119/82 article 83.4; L119/27 items 146-150.

Criminal penalties and liability are discussed along with individuals’ right to compensation. – L119/81 article 82 inclusive.
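To make the pseudonymisation, separate-storage, consent-withdrawal and right-to-be-forgotten rows above concrete, here is an added example (mine, not from the post or any vendor) of a tiny data store that keeps e-mail addresses in a table separate from test results, linked only by a random token. The data model, the token format and the sample records are constructed assumptions, not anything a real vendor uses.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PseudonymisedStore:
    """Two tables linked only by a random token (the pseudonym). Hypothetical model."""
    # identity table: token -> e-mail address (the "additional information for
    # attributing the information to a specific individual", kept separate)
    identities: dict = field(default_factory=dict)
    # results table: token -> test result; holds no direct identifier at all
    results: dict = field(default_factory=dict)
    # consent table: token -> purposes given by clear affirmative action
    consents: dict = field(default_factory=dict)

    def enrol(self, email: str, result: dict, purposes: set) -> str:
        """Store a new person; refuse to store anything without consent."""
        if not purposes:
            raise ValueError("no affirmative consent given; nothing stored")
        token = secrets.token_hex(16)          # unguessable link key
        self.identities[token] = email
        self.results[token] = dict(result)
        self.consents[token] = set(purposes)
        return token

    def _token_for(self, email: str):
        """The only path from a person to results goes through the identity table,
        so access to that one table can be restricted and audited."""
        for token, stored in self.identities.items():
            if stored == email:
                return token
        return None

    def export(self, email: str):
        """Subject access request: everything held about the person, or None."""
        token = self._token_for(email)
        if token is None:
            return None
        return {"email": email,
                "result": dict(self.results[token]),
                "consents": sorted(self.consents[token])}

    def withdraw_consent(self, email: str, purpose: str) -> bool:
        """Withdrawal is one call, as easy as giving consent was."""
        token = self._token_for(email)
        if token is None or purpose not in self.consents[token]:
            return False
        self.consents[token].discard(purpose)
        if not self.consents[token]:          # nothing left we may process
            self._erase_token(token)
        return True

    def erase(self, email: str) -> bool:
        """Right to be forgotten: remove identity, results and consent together."""
        token = self._token_for(email)
        if token is None:
            return False
        self._erase_token(token)
        return True

    def _erase_token(self, token: str) -> None:
        for table in (self.identities, self.results, self.consents):
            table.pop(token, None)

    def results_contain_identifier(self, email: str) -> bool:
        """Self-check: the results table must never hold the e-mail."""
        return any(email in str(v) for v in self.results.values())


def demo() -> dict:
    """Constructed sample data (hypothetical kit and result) run end to end."""
    store = PseudonymisedStore()
    token = store.enrol("alice@example.com",
                        {"kit": "K-0001", "haplogroup": "R1b"},
                        {"matching", "project_display"})
    leaked = store.results_contain_identifier("alice@example.com")
    before = store.export("alice@example.com")
    store.withdraw_consent("alice@example.com", "project_display")
    after = store.export("alice@example.com")
    erased = store.erase("alice@example.com")
    return {"token_len": len(token), "leaked": leaked, "before": before,
            "after": after, "erased": erased,
            "remaining": len(store.identities) + len(store.results)}


if __name__ == "__main__":
    print(demo())
```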

Over these next few days and weeks, when we’re tempted to be critical or impatient with a genetic genealogy vendor who has made changes instead of closing up shop and throwing in the proverbial towel – let’s try to be patient, grateful and cognizant of their effort. They have collectively been slaving away in the hot kitchen now for many months, trying to get ready to birth this 100 pound baby, while smiling, with as little disruption as possible to the rest of us.

I know we are all frustrated, but until we’ve walked that proverbial mile, we really have no idea what they’ve been through. From my experiences, I can tell you it was bloody painful.

Vendors’ GDPR compliance is much like an iceberg with a smiley face stuck on top. You’re only seeing the tippy top of the effort involved and it’s an entirely different picture underneath where everyone has been rowing like crazy.

Design By Committee

If you are thinking to yourself that this regulation looks a lot like it was designed by a committee, you’re right, it was. That negotiation process took 4 years, and the regulation took effect another 2 years later – meaning today.

Glory hallelujah, the birthing is FINALLY over, and the baby looks a lot like a….camel.

Huh?

What?

A camel?

Have you heard the analogy that a camel is a horse designed by a committee?

The idea was sound, but the outcome was not at all what was intended or expected. Indeed, the law of unintended consequences. GDPR’s effect on genetic genealogy certainly fits that bill.

In fact, here’s our new a-mazing GDPR horse.

For another perspective, head on over and read what Judy Russell, The Legal Genealogist has to say on the matter.

Now, for me, back to genealogy – a much needed respite!

34 thoughts on “GDPR – Birthing the 100 Pound Baby”

  1. I am seriously considering resigning from the 5 dna projects I administer. It is ridiculous to expect a lay person to understand every ramification of the new law, and it will handcuff me from being able to do my job as a facilitator trying to help members make a connection, which is the basic goal of the project after all; not to mention that it will stymie or kill recruiting efforts. This is not what I signed up for when I agreed to create the projects.

      • I understand they have no choice, but the level of protection they offer to the administrators is a matter of choice, but again, it appears the aim is to protect their bottom line and cover their behinds before they offer any practical support. I sent out an email asking all my members to give me full access so I could at least see their contact information and the name of their beneficiary, should they pass away; and, if not full, then limited. Bless them, almost all of them have done that. With a few exceptions, the “group access only” people are autosomal members whose results don’t show up publicly anyway. If I understand the new law, which I probably don’t, since I don’t have an international law degree, I cannot make non-participation a reason to ask them to leave the group. This 100 pound baby is becoming more and more odoriferous.

  2. I’m very confused and not sure how this affects me, but, I am very impressed by your interpretation and grateful for your help. TV nbc showed how to turn off access to Amazon, Google and to FB. In general I think it would be good to not be tracked but for genealogy, I do want to share. Any suggestions for what settings to change and which ones to leave “on”?

  3. And you can bet that Facebook and the other social sites, Amazon and the other massive online sites will skate away unscathed leaving the rest with this ghastly, insane, typically European committee behemoth to deal with. It could be very simple, however, that is too sensible and easy. Now that this monster has emerged, Roberta, go take a well deserved rest.

  4. You’re awesome, Roberta. I have been so thankful for your coverage of the GDPR, especially this latest piece. It says so much that I have been feeling and wanting people to understand.

  5. Newspapers online found a solution to the problem. They no longer allow European residents to see their papers!

    • You’ll just have to forgive me if I think that’s funny. Although there are a lot of individuals in the EU that had nothing to do with this and will suffer, just like we have.

  6. Sounds like the parties who wrote this are trying to close all access to research of family genealogy. Will it hurt the individual from researching, too? Thanks Roberta. You do such a wonderful amount of work and we all know it.

  7. I do sympathize with all who are having to comply with this (or what?). In my case it would be the (or what?) that would drive me crazy.

    One positive point in this post! I am so glad to find another genealogist who is also a quilter. Hang in there, and pardon me. “This too shall pass.” We just don’t know when or how.

  8. What are the 28 EU countries? Is there a list posted somewhere? Should we avoid matches from those countries? Sounds like it might be best not to answer if they contact you. What do we face as individuals who have matches from the EU? Some sites let us download all of our matches. Is there a potential problem there?

    • I don’t think you’re going to have any issues with individuals who want contact. The only issue will be if you are a project administrator and you don’t remove information of someone who requests that you do.

  9. Speaking as someone whose DNA information has been freely shared without consent or knowledge, this change cannot come fast enough. About time the rights of the public were actually protected by something.

  10. Thanks once more Roberta. As one of my projects focuses on a geographic region of GB, I have been keeping an eye on your articles. I have also decided to find something else to do to occupy my mind to keep it from dwelling on GDPR too much. Unfortunately for me, that something else has been DNA Painter. I am now totally hooked, again, thanks to you.

  11. Thank you Roberta but as an individual I am having a difficult time wrapping my mind around it.

    As an individual what about ancestors in our tree who were from a European country? Or does this only concern the living?

    What about companies like People Search, White Pages and others like them?

    How will this affect private messages on Ancestry from someone in the EU ? Will Ancestry cut off all email accounts from the EU? On Ancestry emails are not seen by the individual. Will Ancestry begin controlling individual accounts in order to protect themselves?

    Will Ancestry’s subscription fees go up because of this? Will Family Tree’s charges for tests increase?

    Argh and will my favorite, Gedmatch, have to close down?

    • This only concerns living people. I don’t have the answers for any companies and their plans, but if GedMatch was going to close, they would already have done so before the 25th.

  12. I rate this article as “excellent squared” in line with one of my engineering professors in the 1970’s!

  13. Great coverage, Roberta. As we’ve come to expect from you, you’ve analyzed the problem every which way possible. I wonder if the US gov’t could be lobbied (genealogy is the most popular hobby in the US!) to declare that US citizens and US companies (except those who actually operate in the EU) are exempt from any prosecution by the GDPR.

    • I think we should all phone our Congressman on Tuesday and give it a try! “No foreign laws in the US!” The US has sovereignty over its own people for crying out loud.

        • Exactly! And it even looks like our OWN government is guilty of the same types of tyranny (in corrupted government bureaucracies) that we fought against England for……but THAT is another story. May God help us all. Thanks for everything.

  14. I have living Europeans in my Brother’s Keeper family tree, including all sorts of salacious information about them.

    I assume I am ‘processing’ their data and must ask their permission or face jail.

    If I upload a GEDCOM to Ancestry or Family Search, I wonder if they go to jail.

    I assume the law of tiny probabilities/little fish will protect me, though.

  15. GDPR is the best regulation from the EU ever!
    It is not regulating the curviness of cucumbers for class I and II; GDPR is really giving people the right to decide how their personal data is used. It is really good!
    Considering GEDmatch, it should be the next target for GDPR. GEDmatch is not giving a choice to me as a user. They state that their purpose is genealogy, but require me to accept LE use. And that is not ok.
    Do you want to collect and sell user data? Tell about it and get a specific consent for this from the user!
    GDPR is not the 100 pound baby; it is our privacy and the right to our genealogical research that is the 100 pound baby.
    Think about Hitler’s family – they have decided to not have children. What should people that discover they are connected to GSK or this second case do? What moral dilemmas do they have to solve now? Should we applaud them deciding to not spread the “killer genes”? Should others stay out of establishing families if they find out they are related to a killer or a rapist?
    GDPR is really much more than upgrading a site’s privacy policy, law and fines! Vendors and people processing genetic data should think a bit more than this.

  16. “Those who like laws and sausages should never see either being made”.

    If you like the EU, then go reside in any of those European States and enjoy living under their laws, rules and regulations.

    As for the EU – it reminds me of something I once heard on the old Jay Leno show when Jay made some mildly disparaging remarks about the Queen of England, to which the audience groaned. To which Jay replied: “Oh yeah, as if I should be worried about the Queen coming here to appear on my show”.

  17. That explains why you were so quiet. I’m relieved; I was fearing something more sinister.

    Although this kind of law had to come, after the Equifax and Facebook fiasco, it sounds like this one wasn’t too well written.
