GDPR – General Data Protection Regulation – Today’s the day of deliverance – May 25th. GDPR is finally enacted after MONTHS and MONTHS of agony.
Believe me, to those of us in the field, the GD does NOT stand for General Data – it stands for Gol Danged or something much, MUCH stronger.
And speaking of stronger, when I’m really stressed, I do one of three things:
- Buy a bauble commensurate with my level of misery
- Eat dark chocolate
In extreme cases, all three.
Actually, if you know me, you know I don’t drink. So item number 3 is really, REALLY a distant 3rd – and I’m on my third bottle of wine this week. Good thing I only like moscato wine, ice wine and my rightful Irish legacy, Guinness.
I actually prefer to quilt, because you can stress-quilt wearing baubles and eating chocolate, but if you drink while quilting, your seams will be crooked as a dog’s hind leg.
So, how do you like my new GDPR-size blue bauble flanked by support “staff”?
Yes, it’s been one horrid, awful, miserable, give-me-a-case-of-wine and buy-chocolate-in-bulk six months or so.
Did I mention that it’s been horrid?
I equate dealing with GDPR to giving birth. Not being pregnant, mind you – just the miserable giving birth part – like being in labor for let’s say – 9 months or so. Then delivering a really ugly 100 pound baby that not even a mother can love. Not to mention, I broke my foot during this time too – and no, it wasn’t kicking anyone or anything. AND I was stone cold sober, at a quilt retreat.
For those of you who don’t know, I have 30+ years of technology consulting experience. While I’m “semi-retired,” I’m not entirely retired and I’ve spent the last many months wrestling with this monster known as GDPR. I’m glad to report that my clients are ready, but no one emerged unscarred. I have crooked-seam quilts that I’m claiming are a new art form, am walking like peg-leg the pirate in a very “special” shoe and I’ve gained 5 “chocolate” pounds.
Wonder why I haven’t been doing many DNA reports? Well – now you know!
I have tried, really tried, to maintain a positive outlook – but as the date has approached and I’ve seen how much we are cumulatively losing in the genetic genealogy community – any semblance of a positive perspective has disappeared.
You can read my GDPR articles:
- GDPR – It’s a Train and It’s a Comin’
- Common Sense and GDPR
- World Families Network, Ysearch and Mitosearch Bite the Dust – Thanks So Much GDPR
- GDPR, DNAeXplain and DNA-Explained.com
Making it even worse are the hollow assurances of individuals on social media saying that “everything will be alright” because GDPR is really no big deal, or worse yet that people are “scaremongering.”
So, let me be extremely candid and not sugarcoat anything, because after being in GDPR-labor for several months, I have absolutely not one shred of patience left whatsoever.
What Is This Behemoth and Why Do I Care?
GDPR was enacted by 28 EU member countries referred to as “states” to regulate information privacy. In and of itself, there is nothing wrong with that, and given the Facebook Cambridge Analytica fiasco and others, it’s much needed.
However, and this is a huge HOWEVER, the way this regulation was written and implemented is not only a massive overreach in regulation, it’s vague, poorly written and almost impossible to comply with. In many cases, there are no standards or definitions included and where there are, they are often draconian, misinformed or outdated in nature.
Furthermore, GDPR is enforced by the unnamed and unknown commissioners of the 28 different “member states” at their sole discretion – including how to levy fines up to and including 20 million Euro or 4% of a company’s gross worldwide revenue – whichever is MORE.
And no, there is no, absolutely no indication of how that fine will be decided, the steps or processes, or if the penalty will be imposed based on the severity of the infraction or the size of the organization or individual.
How, you wonder, is the process of an investigation set in motion? By a malcontent complaining.
Now that malcontent may well be justified (read about the Equifax breach here and here, and the Facebook fiasco here) or the malcontent might be someone who is simply vindictive – or someplace in between. Regardless, the person or company on the receiving end of the complaint is then obligated to defend themselves, to PROVE the malcontent is inaccurate, or the fines can be levied at the discretion of the unnamed commissioner. Yes, the burden of proof is on the company, not the complainer.
There is no court involved, no appeal process – nothing.
Are these regulators going to make examples of people or companies? Is this a cash grab by the EU member states? Will there be GDPR chasers, like ambulance chasers? Who knows? I don’t, but it’s clearly a huge risk with zero, zip case law yet. Which is exactly why smaller entities are folding.
How does someone even defend themselves? They would hire a lawyer, of course. Know what lawyers that understand GDPR are charging right now?
I can tell you, from direct, personal experience. $1000/per hour, billable by the minute. So if you do manage to avoid the fines, your legal defense will bankrupt you instead. Well, that’s certainly a win!
Now you understand why several small businesses have closed their electronic doors, blogs have disappeared and some sites are blocking all EU IP addresses. Better safe than sorry, but not terribly conducive to genealogical sharing.
Not only that, the GDPR regulation is not just moving forward from May 25th into the future, it’s retroactive, meaning it applies not just to new sales but to any database worldwide that contains data of an EU resident. The more information, or the more openly they shared, the more difficult GDPR was to implement. Hence, many have closed.
How can you tell if someone is an EU resident from a gmail address, for example? You can’t. So as a business or even a blogger, you are left in the position of not knowing which individuals this regulation might apply to – so if you want to stay in business, or stay safe and NOT attract the notice of the EU commissioners who have the ability to function as GDPR fine-levying Gods – you must comply.
For those of you thinking that GDPR can’t be enforced in the US – maybe, and maybe not. How would we know before lawsuits are filed? And at $1000 an hour, who among us can afford to find out?
Raise your hands please…
I see no hands.
But GDPR created a solution for that too – because non-EU companies that function in Europe MUST appoint a European Representative – who absorbs some of the risk of non-compliance so that the EU commissioners know who to reach out to in order to get their hands on you.
Care to guess how much this service costs? Well, just start running that attorney’s per hour meter rapidly – and this has to be paid YEARLY – forever.
Now, care to guess ultimately who will pay for all of this?
Yes, YOU, the consumer – whether you live in the EU or not.
Sometimes I try to spare my readers from the under-the-hood nitty gritty – but this time, you really do need to know so that you can appreciate what vendors have dealt with to revamp their businesses and internal processes. Otherwise, we as a community stood to lose genetic genealogy and that would have been a mind-numbing tragedy.
What Does Comply Mean?
Some people are being very dismissive of GDPR, or hyper-critical of companies who are trying to change their products, features and websites to become compliant. It’s worth noting here that none of the major companies or vendors are EU companies.
Here’s an example of an e-mail update I received today from a US company:
After nearly two years of hard work and preparation, we are ready for May 25 — the start of “GDPR” in Europe. More than 500 employees from across our company have helped meet more than 1,500 project milestones.
The General Data Protection Regulation is a sweeping set of new and enhanced rules in the European Union. It covers how companies treat the personal data of customers and employees. Specifically, it makes sure an individual’s rights are enforced, personal data is inventoried, breaches are reported promptly, and privacy is baked into all products.
If someone tries to convince you that GDPR compliance is no big deal, they are either grossly uninformed about GDPR itself or don’t have any idea about the magnitude of the ramifications of GDPR on entities from large corporations down to (some) volunteers. Some people have opined that if the companies were “taking care of their customers’ data,” they wouldn’t have to do anything and “would have nothing to worry about in the first place.” That’s blatantly wrong.
For starters, every company had to undergo a specific compliance evaluation process, which was far from easy because GDPR doesn’t just tell you THAT you have to protect information; in some cases it specifies how – keeping e-mails in a separate database, for example. Databases aren’t necessarily designed in that manner, nor is that the best solution for security or performance – not to mention genetic genealogy is about sharing.
However, if a company doesn’t comply and someone complains, they have to undergo an audit. If found out of compliance, they’re liable for a potentially astronomical fine by an unknown commissioner (each country has their own) who may or may not have a clue about technology or, in this case, genetic genealogy and how it’s utilized.
I’ve made a list of a FEW of the GDPR requirements. Also, keep in mind, many of the requirements tell you in general terms what they want, but there are no examples of what they consider adequate, so you just have to guess and if an issue arises, the data commissioner gets to decide if you guessed correctly.
If not, you’ll get to pay up!
I have included the GDPR citation in the table below, so you can check for yourself if you think I’ve just made this up and am, well, scaremongering. In fact you can read the entire document here and here with the added schedules AND, if that’s not enough, you can then read the UK version here with explanatory notes available separately. Yes, it’s hundreds of pages of pure misery but if you have insomnia, it, guaranteed, will cure you immediately. Hey, there has to be a silver lining someplace.
I’ve briefly listed the requirement, summarized unless in quotes, and the reference citation from the first linked document above, published in the “Official Journal of the European Union.” So, your mission, should you choose to accept it, is to correlate the requirements of the first, second and third documents, together, and figure out how to resolve any conflicts. Good luck! Start now and you’ll exit the maze, dazed and confused, sometime around late summer😊
You will quickly see that I’m neither over-reacting nor making this up.
In the following table, a controller is the primary entity working with information. For genetic genealogy, that would be a DNA testing company or a third party vendor. A processor is any other entity, which could be a lab doing the actual processing, a third party working with a vendor or project administrators who also “process” information.
Processing is defined basically as anything you do with someone’s information:
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;…
A controller is defined in L119/33 article 4.7 and a processor in L119/33 article 4.8.
| Requirement | Citation and comment |
|---|---|
| “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not and regardless of whether the controller is in the EU or not.” | L119/32 article 3.1, 3.2, 3.3; L119/4 item 22 – This EU document’s effects are worldwide. |
| Controllers must carry out a GDPR “data protection impact” assessment that includes mapping data flow and security and must be able to demonstrate compliance with GDPR. | L119.50 article 28.4; L119/14 item 74; L119/16 item 84; L119/16 item 83 |
| Consent must be given by a clear affirmative action for each thing consented to and everything processed. Silence, pre-selected boxes or inactivity is not consent. | L119/6 item 32 – I actually like this, but if you’re irritated by being asked to reconsent or reconfirm, this is why. As a business or person “processing” information, you must be able to PROVE they gave informed consent. |
| You must explain to the person how they gave consent for what you are doing with their information and be able to demonstrate that in fact, they did consent. | L119/7 item 39 |
| Person must not suffer negative consequences for not granting consent. | L119/8 item 43 |
| Information must be concise, easy to understand and easily accessible. | L119/11 item 58 – Actually, as a consumer I love this requirement because too many companies hid behind verbiage that was impossible to understand without a law degree. |
| Person has right to be forgotten, or to correct data, and processor must comply or respond within one month. Furthermore, the controller (the main entity processing information) must inform any secondary processors, who also must comply. | L119/11 item 59; L119/13 item 66; L119/5 item 29; L119.12 item 65 – If you’re wondering why FTDNA suggests that administrators remove any data they’ve put on any site about FTDNA customers who leave projects, within 30 days, this answers your question. |
| Person must be informed when data is transferred between entities, especially to entities outside of the EU. | L119/12 item 61 |
| Person can request any information held about themselves. | L119/13 item 68, L119/45 article 20 |
| Any controller/processor outside of the EU must designate an EU representative who “will cooperate with a supervisory authority with regard to any action taken to ensure compliance with this regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” | L119/15 item 80, also L119/48 article 27.1 – Yep, just try to find someone in the EU willing to do this. Costs are astronomical. |
| Processors must be bound to controllers by contract and must delete data when finished processing, and GDPR requirements of the controller must be passed on to processors. | L119/16 item 81; L119.50 article 28.4 – This is probably why the Family Tree DNA administrators must sign the new agreement and are instructed to delete project member information when members leave projects. |
| Controllers and processors must maintain records of processing and make those records available on demand to the supervisory authority. | L119/16 item 82 |
| Processors must adhere to an approved code of conduct. | L119.50 article 28.5 – And no, in case you were wondering, there is no suggestion about that code of conduct. |
| Required security includes pseudonymisation and encryption of personal data, assessing risks of disclosure, loss, alteration, adherence to approved codes of conduct, and prohibits keeping e-mail address in same file as test results. | L119/51/52 article 32 inclusive |
| “Sensitive processing” means processing of personal data revealing racial or ethnic origin (and other things)…or processing genetic data for the purpose of uniquely identifying an individual. | HL Bill 66: Chapter 2 Principles 7a/b |
| Some personal data is considered “sensitive” including any that reveals…racial or ethnic origin. | L119/10 item 51; L119.12 item 65 |
| Volunteers are not excluded because they are not paid. | L119.5 item 23 |
| Does not apply to dead people or research for genealogy. | L119/30 item 160; L119/5 item 27 – Don’t get excited. Genetics is considered in a special category of sensitive information. |
| Does not apply to individuals in a purely personal or household activity with no connection to a professional or commercial activity…but does apply to controllers or processors which provide the means for processing personal data. | L119/3 item 18 – Ironic, isn’t it, that the very document that requires straightforward, non-legal, understandable language is so vague and uses confusing language subject to very different interpretation. |
| Information must be pseudonymized and additional information for attributing the information to a specific individual must be kept separate. | L119/5 item 29 |
| Person must be able to withdraw consent as easily as it was given. | L119/5 item 29; L119.37 article 7.3 |
| Personal data breaches must be reported within 72 hours if the breach is determined to be damaging to the rights and freedoms of the individuals, and the people affected must be told that a data breach has occurred. | L119.50 article 28.4; L119/16 item 85; L119/6 item 86 |
| Must hire or assign a data protection officer focused on GDPR. | L119/55 article 37-39 inclusive, also L119/34 item 4.17, also 119/15 #80 |
| “Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.” | L119/81 article 82.4 |
| “Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.” | 119/83 article 83.6, also HL Bill 66 page 83 #150; 119/82 article 83.4; L119/27 items 146-150 |
| Criminal penalties and liability are discussed along with individuals’ right to compensation. | L119/81 article 82 inclusive |
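Several rows in the table (pseudonymisation, keeping the e-mail address separate from test results, provable affirmative consent, subject access, and erasure propagated to processors) describe one data layout that is easier to see in code than in regulation text. What follows is an added toy example written for this page; it is not code from the original post or from any DNA vendor. The two-store layout, the HMAC-based pseudonym, the internal customer ids, the sample customer “Ada”, and the 30-day deadline bookkeeping are all my assumptions, chosen to illustrate why separating identifiers from results matters: a leaked results table carries no name or e-mail, and erasing the identity record leaves nothing to link the results back to anyone.

```python
"""Toy model of pseudonymisation, consent records, subject access and erasure.

Constructed example (not vendor code): identifiers (name, e-mail) live in an
identity store; test results live in a separate results store keyed only by a
pseudonym. The pseudonym is an HMAC over a stable internal id, so the results
table alone cannot be linked to a person without the key and the identity store.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical per-deployment secret; in a real system it belongs in a key
# vault, never in the same file as the data it protects.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(internal_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, non-reversible pseudonym for an internal customer id."""
    return hmac.new(key, internal_id.encode(), hashlib.sha256).hexdigest()


class DataStore:
    def __init__(self):
        self.identities = {}   # internal_id -> {"name", "email", "pseudonym"}
        self.consents = {}     # internal_id -> list of consent records
        self.results = {}      # pseudonym -> result dict (no identifiers here)
        self.processors = []   # hypothetical downstream processors to notify
        self.erasure_log = []  # record of erasure requests and deadlines

    def register(self, internal_id, name, email):
        self.identities[internal_id] = {
            "name": name, "email": email, "pseudonym": pseudonym(internal_id)}

    def record_consent(self, internal_id, purpose, affirmative, when):
        # Only a clear affirmative action counts; silence or a pre-ticked box
        # is rejected rather than silently recorded as consent.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        self.consents.setdefault(internal_id, []).append(
            {"purpose": purpose, "given_at": when})

    def has_consent(self, internal_id, purpose):
        return any(c["purpose"] == purpose
                   for c in self.consents.get(internal_id, []))

    def store_result(self, internal_id, result):
        # Results are filed under the pseudonym only, never under the e-mail.
        if not self.has_consent(internal_id, "dna_testing"):
            raise PermissionError("no consent on record for dna_testing")
        self.results[self.identities[internal_id]["pseudonym"]] = dict(result)

    def link(self, pseudonym_value):
        """E-mail a joined view would reveal; None once identity is erased."""
        for ident in self.identities.values():
            if ident["pseudonym"] == pseudonym_value:
                return ident["email"]
        return None

    def export(self, internal_id):
        """Subject access request: everything held about one person."""
        ident = self.identities[internal_id]
        return {"identity": {"name": ident["name"], "email": ident["email"]},
                "consents": list(self.consents.get(internal_id, [])),
                "results": dict(self.results.get(ident["pseudonym"], {}))}

    def erase(self, internal_id, requested_at):
        """Right to be forgotten: drop identity, consent and results, note
        the one-month deadline and which processors must be told."""
        ident = self.identities.pop(internal_id)
        self.consents.pop(internal_id, None)
        self.results.pop(ident["pseudonym"], None)
        deadline = requested_at + timedelta(days=30)
        self.erasure_log.append({"pseudonym": ident["pseudonym"],
                                 "deadline": deadline,
                                 "notify": list(self.processors)})
        return deadline


if __name__ == "__main__":
    store = DataStore()
    store.processors.append("hypothetical-lab")
    store.register("c-001", "Ada", "ada@example.com")
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.record_consent("c-001", "dna_testing", True, t0)
    store.store_result("c-001", {"haplogroup": "H1"})
    print("results table mentions e-mail:", "ada@example.com" in str(store.results))
    print("erasure deadline:", store.erase("c-001", t0).date())
    print("still linkable:", store.link(pseudonym("c-001")))
```

The point of the layout is the `link` function: it is the only way to get from a result back to a person, and it depends on both the identity store and the key. Run stand-alone, the script reports that the results table never contains the e-mail, that the erasure deadline is 30 days after the request, and that the pseudonym is no longer linkable after erasure.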
Over these next few days and weeks, when we’re tempted to be critical or impatient with a genetic genealogy vendor who has made changes instead of closing up shop and throwing in the proverbial towel – let’s try to be patient, grateful and cognizant of their effort. They have collectively been slaving away in the hot kitchen now for many months, trying to get ready to birth this 100 pound baby, while smiling, with as little disruption as possible to the rest of us.
I know we are all frustrated, but until we’ve walked that proverbial mile, we really have no idea what they’ve been through. From my experiences, I can tell you it was bloody painful.
Vendors’ GDPR compliance is much like an iceberg with a smiley face stuck on top. You’re only seeing the tippy top of the effort involved and it’s an entirely different picture underneath where everyone has been rowing like crazy.
Design By Committee
If you are thinking to yourself that this regulation looks a lot like it was designed by a committee, you’re right, it was. That negotiation process took 4 years, and the regulation took effect another 2 years later – meaning today.
Glory hallelujah, the birthing is FINALLY over, and the baby looks a lot like a….camel.
Have you heard the analogy that a camel is a horse designed by a committee?
The idea was sound, but the outcome was not at all what was intended or expected. Indeed, the law of unintended consequences. GDPR’s effect on genetic genealogy certainly fits that bill.
In fact, here’s our new a-mazing GDPR horse.
For another perspective, head on over and read what Judy Russell, The Legal Genealogist has to say on the matter.
Now, for me, back to genealogy – a much needed respite!