GDPR, DNAeXplain and DNA-Explained.com

GDPR, the General Data Protection Regulation adopted by the European Union in 2016 and applicable from May 25, 2018, is upon us. It’s important because GDPR applies to personal data held or processed about anyone located in the European Union, and I know many of my customers and blog followers live in the EU or UK.

I recently wrote about GDPR in these articles:

GDPR sets forth both rights of individuals as to the processing and storage of their information and responsibilities of processors.

DNAeXplain.com and DNA-Explained.com are a genetic genealogy consulting business and associated blog, respectively, located in the United States and owned by Roberta Estes. You’re receiving this notification because you are a blog follower or subscriber; it explains how I process and/or handle your information.

The DNAeXplain Website

Customers can place orders on the DNAeXplain website for Y DNA and Mitochondrial DNA Personalized Reports, along with consultations. The website itself does not collect any information about customers. Payment information, including credit card transactions, is processed through our shopping cart at PayPal, so DNAeXplain is never in receipt of your financial or credit card information. We can process a refund through PayPal, subject to their terms and conditions, using the unique transaction ID that PayPal issues, but PayPal is the sole recipient of your payment/financial information.

Please refer to the Paypal Privacy Policy here.

DNAeXplain only receives notification confirmation from PayPal that you have made a purchase, the amount paid, for what item and your e-mail address that you used when making the purchase to enable us to communicate with you.

Reports and Consulting Information

The customer must provide enough information to DNAeXplain in order to complete the purchased report or answer the question(s) posed in the consultation. This is accomplished through e-mail communication.

This information exchange is completely private and is not shared either publicly or privately outside of DNAeXplain. The completed report is subsequently e-mailed only to the purchaser of record.

GDPR requires me to explain how you have granted consent for me to process your information and when processing starts and stops. You grant consent when you purchase a Personalized DNA Report or when you purchase consulting and subsequently provide me with the information necessary to write the report or answer your questions. I begin processing your information when I answer your questions or begin your report, and I’m finished processing your information when I finish the report or the consultation. I’m sure you’ve already figured that out, but I’m required to tell you.

Completed reports are retained by DNAeXplain for some time after completion in case a customer misplaces their report and requests a replacement of the original. Although we will attempt to provide a replacement of the original report, at no cost, we do not guarantee availability beyond 30 days after delivery. Industry standard backup and security procedures are in place to protect customer information.

Customers may request the deletion of all reports and correspondence by sending an e-mail to roberta@dnaexplain.com and customer information will be entirely deleted within 30 days, except for the customer purchase record which we are required by law to maintain for accounting purposes.

The DNA-Explained.com Blog

You may simply be reading an article on the http://www.dna-explained.com blog, or you may be a subscriber.

DNA-Explained.com utilizes WordPress.com as our blogging platform, without any additional plugins like JetPack or others mentioned on the WordPress Resource site, here.

WordPress.com is operated by AUTOMATTIC. Their privacy notice for WordPress bloggers explains more about WordPress and how AUTOMATTIC uses information.

AUTOMATTIC’s privacy policy for visitors to their users’ sites (DNA-Explained.com in this case) is available here.

Comments made to the blog are public and are shown publicly if approved along with the name you use to comment, but not your e-mail or any other identifying information. Some comments may be caught by the blog’s spam filter, and others may not be approved, but once approved and displayed, comments are visible publicly.

You may request to be notified of comments to blog articles, and if you do, you will receive notifications from WordPress, not from DNA-Explained directly.

You may unsubscribe at any time by clicking unsubscribe at the bottom of any e-mail notification or you may unsubscribe by managing your subscriptions at WordPress.

Your e-mail address used to subscribe to the blog is available to me, the blog owner, at WordPress and in each comment notification, along with your IP address and website, if you are commenting through your own website. I do not store or otherwise utilize your e-mail or other identifying information, with the exception of occasionally replying to a commenter personally. In some cases, if personal information is exposed within a comment, I reply to the commenter privately and do not approve the comment. I delete all comment notifications immediately upon approving or otherwise processing the comment.

If a comment contains any type of threatening, emergency or potentially harmful verbiage, towards me, the commenter themselves or another commenter, I will retain the comment and identifying information and report to the proper authorities without delay.

I do not share, sell or otherwise utilize your personal information.

You may request deletion of all of your personal information from the blog and from WordPress by contacting me at Roberta@dnaexplain.com or WordPress directly at privacypolicyupdates@automattic.com.

Have you contacted me and WordPress both and you’re still unhappy? EU residents have the right to make a complaint to a government supervisory authority. I know that’s not going to happen, but I have to tell you just the same!

Housekeeping

This information lives permanently on the Privacy tab on the DNA-Explained blog. In fact, it’s already there. Please refer to that location for updates and future developments.

World Families Network, Ysearch and Mitosearch Bite the Dust – Thanks So Much GDPR

It’s a sad month.

The core foundation of genetic genealogy is sharing.

GDPR is NOT about sharing easily, and the GDPR hoops are onerous, to be charitable. I wrote about GDPR in the articles GDPR – It’s a Train and It’s a Comin’ and Common Sense and GDPR.

One might say GDPR is at cross purposes with genealogy. It probably wasn’t intended that way, but so far, we’ve lost several resources due to GDPR, and it’s still not here yet.

Add to the death list World Families Network, Ysearch and Mitosearch.

The cost of GDPR compliance, the necessary attorney fees and the risk of the horrific fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) are just too much for a small business or a non-profit. Additionally, non-EU businesses are generally required under Article 27 to designate a representative in the EU, a company that agrees to absorb some level of the risk for non-compliance; the exemption for occasional processing does not extend to large-scale processing of special categories of data such as genetic data. Try finding a company to do that. Not to mention the pain-in-the-butt factor of the hoops they would have to jump through if so much as one person complained. Bottom line: not worth it.

Thanks so much GDPR.

World Families Network

Terry Barton, founder of World Families Network, a Y DNA project management company that consists primarily of Terry and his wife, sent an e-mail to the administrators of the projects they host saying that WFN is retiring and shutting down on May 23rd, two days before the GDPR date.

Here’s part of the e-mail to WFN administrators from Terry:

We will delete the project sections of the WorldFamilies site on May 23, 2018, so please copy any information that you wish to save. You may wish to make a copy of your Home, Results, Patriarch, Discussion or other project pages. We can provide an empty Excel spreadsheet with columns preset to copy/paste your results page on request. For the other pages, you may want to copy/paste your info into a Word document. (Note: we won’t be able to “rescue” you if you miss the deadline, so please don’t wait too long.)

The projects hosted at World Families Network (WFN) will revert to their project pages at Family Tree DNA, so all is not lost, BUT, the information on the Patriarch’s pages as well as some of the information on the actual DNA results pages at WFN does not come directly from Family Tree DNA. Some WFN sites are not fed from the Family Tree DNA project pages at all, so fields like “Earliest Ancestor” at WFN may be blank at Family Tree DNA. That, of course, can be remedied, but won’t happen automatically.

Many of the projects managed by WFN were abandoned, meaning they have no administrator. Some have administrators that preferred the WFN format to the Family Tree DNA format. One of the most popular features was the Patriarchs page where lineages of men with the project surname were listed. This feature was put in place before trees were available at Family Tree DNA – but the Patriarchs format serves as a one-glance resource and can be connected to the kit numbers on the DNA pages.

Please, please, please do two things:

  • Visit the WFN surname links here for projects and scan the projects shown with “project site,” meaning they are WFN hosted, to see if any include your ancestral surnames. If SO, visit that WFN project site by clicking the link and record any information relevant to your family.

  • Consider adopting projects relevant to your surname. Most of these projects will need to be spruced up at Family Tree DNA, meaning they will need to be grouped and the Patriarch’s page will need to be copied onto one of the several available project pages at Family Tree DNA. Many of these projects are small and you can easily preserve information. Terry provides a list of orphaned projects here, but I don’t know if it’s current. I would reach out to Family Tree DNA at groups@familytreedna.com about any project listed as having a project site at WFN. Some projects have an administrator listed, but they are no longer active.

For project administrators considering a private website, be aware per the GDPR requirements that you will constantly have to monitor the privacy settings at Family Tree DNA and assure that you are not displaying information for anyone who has selected, or changed their project setting from public to “project only.” Family Tree DNA automatically removes the project members data from a public display when they change settings or leave projects.

Ysearch and Mitosearch

On May 10th, on their Forum, a Family Tree DNA representative announced that Ysearch and Mitosearch will be shut down by month end. These databases were established in 2003 by Family Tree DNA for free, open sharing.

While this announcement doesn’t state that it’s because of GDPR, that correlation probably isn’t coincidence.

These two databases have been on life support for some time now. They became less immediately useful once the other testing companies stopped offering Y and mitochondrial DNA tests, because from then on all of your new matches could be seen at Family Tree DNA.

One of their biggest benefits, even for Family Tree DNA customers, was that they were the two databases where everyone could compare actual marker values, rather than only seeing whether two people matched and at what genetic distance.

Unfortunately, Ysearch and Mitosearch were the only locations left for results uploaded from testing companies that have since gone out of business. Of the 219,410 records in the Ysearch database, 25,521 are from sources other than Family Tree DNA.

Originally, there were four public databases. The other two have been gone for some time, with these being the last two resources to go. This is truly a tragedy for the genetic genealogy community, because unlike the WFN departure where the projects are still available at Family Tree DNA – there is no alternative resource to Ysearch and Mitosearch. Gone is gone – especially for the 25,000+ results archived there from companies that are also gone meaning Relative Genetics, Oxford Ancestors, Ancestry’s now defunct Y DNA, Sorenson and others.

Recently, Family Tree DNA fixed the captcha issue, but the sites are still not fully functional. I tried to retrieve information by searching by surname at Ysearch, and the search failed with an error. I don’t know whether the problem now is the actual database or the fact that the site is overwhelmed by people trying to do exactly what I was trying to do.

As someone in the Family Tree DNA forum thread said:
GDPR: The gift from Europe that just keeps on giving.

Thank You

As sad as I am to see both of these resources go, I want to publicly thank Terry and Marilyn Barton for their 14 years of service to the genetic genealogy community and wish them well in their retirement. Hopefully they will have time to solve their own genealogy mysteries now.

I also want to thank Family Tree DNA for establishing both Ysearch and Mitosearch, and maintaining these sites as long as they have. Few companies would have established a platform for their customers to compare results with their competitors’ products which speaks to their early and ongoing commitment to genealogy.

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

Common Sense and GDPR

Recently, I wrote an article titled, GDPR – It’s a Train and It’s a Comin’ wherein I discussed exactly what GDPR is, and why companies have to comply or risk massive fines. If you’re thinking of the recent Facebook fiasco right about now, that’s exactly where this type of legislation is focused, and why.

That said, this European legislation affects genetic genealogy in ways that weren’t anticipated and in ways that may require changes on the part of our providers and ourselves. Every company has to comply, meaning every company that provides services in this industry if it has any EU or UK clients, so GDPR affects everyone in the industry: vendor, project administrator and/or customer. Needless to say, it affects you too, one way or another.

One of the most difficult aspects of GDPR is that the true effect is unknown. There is no case law yet to unravel the confusion. And yes, there is confusion. Lots of confusion.

There will be life after GDPR, and there will be genetic genealogy too – although it may look a bit different in some ways.

Many vendors have been preparing for some time now, so we have knowingly or unknowingly already seen many changes that were either required or perhaps bumped up the priority list by GDPR legislation.

First and foremost, the companies MUST comply to protect themselves, or we, as their customers who have invested not just in our own tests but often in tests for many family members, will suffer greatly. If the companies go out of business, and yes, the GDPR fines are potentially severe enough to bankrupt companies (up to €10 million or 2% of worldwide annual turnover for the lower tier, and up to €20 million or 4% for the upper tier, whichever is higher), we could all be impacted in a devastating fashion.

No matter what pain-in-the-patoot changes the vendors feel required to make, it’s far more preferable to adapt and retain access to our investment and genetic genealogy tools. The alternative isn’t pretty and the vendors aren’t making the changes because they woke up one morning and decided to make our lives (and theirs) difficult – they are making the necessary changes to protect themselves and our investment in their products along with our DNA results.

Four themes that run through GDPR, in combination, are listed below. (The Regulation’s formal principles, set out in Article 5, are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.)

  • Transparency
  • Simplicity
  • Privacy
  • Consent

I am very grateful to the testing companies for stepping up and taking care of business, even though the “solution” sometimes makes life more inconvenient for me personally. That’s life right now and we just have to suck it up and get used to the changes.

Therefore, those of us who work in various ways with DNA and genetic genealogy, especially the DNA of others, need to be aware of GDPR requirements. I’ve seen a lot of misinformation fueled by fear circulating, so I’d like to discuss what is required, along with what we do and don’t know.

I’m going to say this now and again at the end of this article, so please, please take special note.

In other words, your mileage may vary. Not to mention, it’s certainly possible that I’ve misinterpreted something. You will see a lot of “weasel words” like “seems to be” and “I think,” because in many cases, we really don’t know.

Yes, change is uncomfortable, but I will get through this and so will you. No need to hit the panic button and the sky is not falling although there is some rumbling.

How Do You Work With DNA?

You may work with DNA in a variety of ways:

  • Your own results in any or all of the commercial databases, or a public database like GedMatch
  • Results of family members or friends whose accounts you manage in any of the commercial databases or at GedMatch
  • Results of Family Tree DNA project members as a project administrator at Family Tree DNA
  • Results of Family Tree DNA project members on a private or third-party website
  • As a search angel helping others as a volunteer
  • As a paid researcher or professional in this field in some capacity

Different Situations

GDPR speaks to a variety of situations, so let’s take a look at some of the provisions and how they might affect you and others.

Dead People

Deceased individuals are explicitly outside GDPR: Recital 27 states that the Regulation does not apply to the personal data of deceased persons, although it leaves member states free to make their own rules on that point.

Volunteers

Volunteers and unpaid individuals are explicitly NOT exempted from GDPR regulations simply because they are volunteers or unpaid. GDPR applies to volunteers and unpaid individuals in the same way as those who are compensated unless other exemptions apply.

Attempting to Uniquely Identify a Person

If you are working with your own DNA results, and only your own results, GDPR probably affects you less than others – unless you are trying to uniquely identify a living person.

GDPR, in Article 9(1), contains the following verbiage:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

To me, the most relevant part of this paragraph is, “for the purpose of uniquely identifying a natural person,” because I feel this relates to people searching for unknown biological parents.

Although GDPR does not apply to deceased people, you don’t know if your parent is deceased until you identify them. If the parent has submitted their own DNA for testing, this wouldn’t seem to be an issue, because the parent(s) intentionally, consensually, tested, entering their DNA into a genetic genealogy data base with the intention of matching and being seen by matches. In other words, you don’t have to “do” anything other than test to identify your parent – because that match is already waiting for you.

However, if an individual tests and then uses the DNA results together with other tools and techniques with the intention of uniquely identifying the parent, that looks like “processing” of the kind Article 9(1) restricts. Two caveats: in Article 9(1) the phrase “for the purpose of uniquely identifying a natural person” attaches to biometric data, while genetic data is a special category in its own right whatever the purpose; and Article 9(2) lists conditions under which such processing is nevertheless permitted, including the data subject’s explicit consent and data the data subject has manifestly made public.

I will not be attempting to track down and personally identify any person who could be living today, meaning certainly no one born within the last 100 years. That doesn’t mean I don’t think people searching for birth family shouldn’t test – I think the process of searching after testing could be problematic under GDPR.

Processors vs Controllers

In GDPR, a controller is whoever determines the purposes and means of processing personal data (Article 4(7)), and a processor is whoever processes personal data on the controller’s behalf (Article 4(8)). For genetic genealogy, the controllers are very clearly the companies doing the DNA tests and making those decisions. Where people who do genetic genealogy work fit within those definitions and relationships is unclear. Certainly no one working on the GDPR legislation considered genetic genealogy, whose intention IS to SHARE information.

If one is working with an individual’s DNA in a professional capacity, the argument that the professional is “processing the information” and making decisions about that processing would seem to be pretty convincing, especially if they were uploading information, or working with matches to identify someone.

You be your own judge, but processors carry obligations of their own (Article 28): they may process only on the controller’s documented instructions, under a written contract and with appropriate security, and controllers are required to be sure that processors know what is expected of them if they are in any way involved in the transfer of information from the controller to the processor. Another category, “third party,” is defined (Article 4(10)) but its responsibilities are not spelled out.

To be safe, I’m presuming worst case here, meaning that all regulations apply, because I don’t want to be caught in an uncomfortable or even ugly situation.

GDPR Does Not Apply To

  • GDPR does not apply to processing by “a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity” (Article 2(2)(c) and Recital 18).
  • Clearly, the verbiage here suggests that individuals working with family data might not be subject to GDPR, but the verbiage about not uniquely identifying individuals would seem to pertain regardless.
  • Yes, these two provisions might well be in conflict with each other. I have absolutely no idea which would be determined to be accurate nor under what circumstances. Nor do I know how people administering larger projects, such as regional or haplogroup projects would be viewed since their interest is beyond the “household” but is not connected to a commercial activity.

Location

  • While GDPR applies to European residents, you may not be aware that someone is a European resident. I’m going to assume that everyone is a European resident and that way there is no possible mistake.
  • GDPR does not appear to apply to European citizens living outside of the EU/UK; its territorial scope (Article 3) turns on where the data subject is located and on where the controller or processor is established, not on citizenship.

Anonymization

  • I would suggest that people not represent to others that they can be anonymous in databases if or when they test. People are being identified daily based on autosomal tests by comparing the trees and genealogy information of the people they match, especially in parent search cases. That “anonymous” cow left the barn long ago.

Permission

Permission, also termed consent in GDPR, was always important, but is now even more so.

  • Do not do anything with anyone’s information, meaning DNA information or other information they have provided, without their express permission. GDPR does not require consent to be on paper, but it must be a clear affirmative act that you are able to demonstrate (Article 7), and for genetic data it must be explicit (Article 9(2)(a)). I’m viewing a retained e-mail as that record, but it might not be strong enough, especially not for anyone doing research on behalf of others.
  • People can only give consent for their own information, or the information of someone they have legal authority to give consent for (a child, etc.) or someone whose permission they have obtained.
  • You must inform someone whose information you have access to or that they have provided that they have the right to ask for their data to be corrected or removed and of the relevant address where to complain, and how, if they are not happy with a controller or processor.
  • Do not expose anyone’s information, including their GedMatch or Family Tree DNA kit number, on a presentation slide, on Facebook or anyplace else without the person’s explicit permission.

Data

  • GDPR says that one can’t continue to hold data longer than necessary to finish the processing for which the person has agreed.
  • My personal assumption would be that this means that I would delete client reports when they are complete. However, I have in the past kept reports handy, because many clients have asked for a copy, even years later, after losing the original. This also begs the question, relative to DNA and genealogy projects, when is “done?”
  • My interpretation would be that one would need permission to maintain the data or information in any format after you have “finished.” However, as we all know, genealogy is never finished, and our genealogical “best practices” are focused on retaining information, not disposing of it.
  • GDPR isn’t about just genetic data. If other information is gathered, such as through a blog or newsletter, be sure that your usages are GDPR compliant, as are any tools that people utilize for your applications such as blogging platforms, website providers, etc.

Rules

  • Controllers and processors are not required outright to store contact information separately from “results,” but GDPR describes keeping the identifying information separately, under technical and organisational safeguards, as pseudonymisation (Article 4(5)) and names it as an expected security measure (Articles 25 and 32). I’m presuming this means a separate spreadsheet for project administrators and people working with other people’s (genetic) information.
  • Controllers and processors may be required to keep records of their processing activities (Article 30). The exemption for organisations with fewer than 250 employees does not apply when the processing includes special categories of data such as genetic data. Fortunately, for Group Project Administrators, Family Tree DNA provides a logging function which will help immensely.
  • If a controller/processor receives a request from an individual for all of the information it holds on them (a subject access request, Article 15), it must comply without undue delay and in any event within one month (Article 12(3)), extendable by a further two months for complex or numerous requests.
  • Project administrators may want to post a privacy policy on their project website at FTDNA and/or elsewhere, especially if any project information is posted outside of the FTDNA project structure. Your project members will need to know that your project is separate from Family Tree DNA, and that they need to contact you directly for modification/removal of both posted data and anything they have personally sent you.
  • Never release the names or e-mails of project members, or any other individual, without their express consent for every request. I tell the requesting person if they will compose an e-mail, I will simply forward it to the project member they are asking about. That removes the entire issue and leaves it in the hands of the project member.
  • If a personal data breach occurs that results in either loss of or exposure of records, the controller must report the breach to the supervisory authority within 72 hours of becoming aware of it (Article 33), and a processor must notify the controller without undue delay. Reporting to the authority is not required if the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”; conversely, if the breach is likely to result in a high risk, the affected individuals must be told as well (Article 34).

Right to Erasure aka Right to be Forgotten

  • If an individual asks you to delete any information they have previously provided to you, it should be done without undue delay and within one month (Articles 12 and 17). There is some leeway for complex requests, but minimally the person can expect timely communication from you.
  • I would think this would be particularly important for project administrators, especially if the project website is maintained outside of the Family Tree DNA structure where the administrator has created a separate website.
  • If a project member changes their privacy setting from a public to a project-only setting, that change is reflected in the project display automatically at Family Tree DNA. If an administrator maintains a separate website, they will need to devise a way to routinely coordinate the privacy settings of project members to reflect new changes. I’m very glad that I don’t maintain any projects outside of the Family Tree DNA structure. It’s still possible to miss some text you’ve put on a separate results page perhaps, but the former project member’s results will automatically be deleted from the project and social media feed, both, by Family Tree DNA.
  • If a person has provided you with any information, and they request you to remove or correct it, do so quickly and thoroughly, within the one-month window. This applies to both paper and computer files.
  • In GDPR, there is no provision, consideration or discussion of situations where websites become abandoned over time. In my opinion, GDPR never considered a hobby type of environment, where someone posting informational content may be on a registered domain name that simply disappears if nobody pays for it. Furthermore, information that has been posted to the web cannot in reality be entirely removed, given tools like the Wayback Machine. Nothing that has been published is ever really “deleted” from the internet or entirely “forgotten,” regardless of GDPR.
  • Be sure when retiring your computer to sanitize or destroy its disk drive so that the data cannot be recovered by the next owner. A quick format only removes the file system index and leaves the data in place; either overwrite the entire drive, use the drive’s built-in secure-erase command, or physically destroy it. If the drive was fully encrypted from the start, destroying the encryption key is enough.

Guiding Principles

  • I am not going to be providing any information to anyone about living people as a result of genetic or genealogy research beyond matches provided by a testing company. People can view their own matches for themselves, so that’s not information I need to provide.
  • I am not going to recommend uploading to GedMatch or other “open” platform, should one exist, without a commensurate statement that the data base is open, and anyone whom the person matches and sees their kit number can also see whom they match, along with their ethnicity, etc. I’m personally fine with that scenario, but blanket recommendations to upload to GedMatch don’t take into consideration the informed consent necessary for people unfamiliar with the platform, especially relative to “sensitive information” that can identify someone’s racial makeup or religion.
  • Do not change anyone’s anything unless you have explicit consent. This means not restricting what others can see or do and not making decisions for them unless you have been specifically designated/authorized to do so. Family Tree DNA has a mechanism by which a tester explicitly grants a project administrator more than read/view access. Ancestry also has provisions to allow others to manage a kit or share additional information.
  • Do not share anyone else’s GedMatch kit number, especially not in any public forum.
  • Do not add living people to your tree(s) and allow them to be seen publicly without their express consent.
  • Never expose a minor’s information.
  • I would suggest that it is unethical to attempt to “recreate” an autosomal kit representing the DNA of a living person who has declined to DNA test by utilizing the DNA of their other family members, in particular, their children. This does not apply to recreating the DNA profile of deceased family members – only living people who have exercised their right to refuse DNA testing.
  • Do not order, transfer, upgrade or otherwise “process” the DNA of anyone without their permission unless it is your DNA, you are their legal guardian or they have granted you permission to do so.

In essence, kindergarten rules apply – do unto others, treat others respectfully and how you would want to be treated.

There’s a lot we don’t know about how GDPR will be interpreted in the long run. I don’t believe GDPR is targeting people like project administrators, unless they are incredibly negligent or intentionally violate the privacy of others. I suspect that, for the most part, being careful with other people’s information, respectful and perhaps more aware than in the past will keep us all safe.

And yes, I know…all it would really take is that one vindictive bad apple that might make your life miserable – especially given that we really don’t know how genetic genealogists will be viewed under GDPR.

I know the changes within projects at Family Tree DNA have upset some group project administrators, and while I don’t like change any better than the next person, I’m actually grateful that Family Tree DNA has implemented modifications that will prevent me (and others) from making errors in judgement or simply getting too busy to delete someone’s information.

I don’t host any projects outside of the Family Tree DNA framework, and if I did, I would revert at this point to Family Tree DNA hosted projects since they have invested the effort into modifications for GDPR compliance. I think that so long as I stay within their framework, and follow the rules, I should be fine.

If you have personal concerns, I would suggest that you read the GDPR documentation for yourself, view the ISOGG slide presentation listed below, or contact your own lawyer, because as I said before:

Additional Resources

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

GDPR – It’s a Train and It’s a Comin’

In the recent article about Oxford Ancestors shuttering, I briefly mentioned GDPR. I’d like to talk a little more about this today, because you’re going to hear about it, and I’d rather you hear about it from me than from a sky-is-falling perspective.

It might be rainy and there is definitely some thunder and the ground may shake a little, but the sky is not exactly falling. The storm probably isn’t going to be pleasant, however, but we’ll get through it because we have no other choice. And there is life after GDPR, although in the genetic genealogy space, it may look a little different.

And yes, one way or another, it will affect you.

What is GDPR?

GDPR, which is short for General Data Protection Regulation, is a European regulation, meaning it covers both the EU and the UK, by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU/UK and the processing of data of EU/UK residents by non-EU/UK companies.

There are actually two similar, but somewhat different regulations, one for the UK and one for the EU’s 28 member states, but the regulations are collectively referred to as the GDPR regulation.

Ok, so far so good.

The regulations are directly enforceable and do not require any individual member government to pass additional legislation.

GDPR was adopted on April 27, 2016, but little notice was taken until the last few months, especially outside of Europe, when the hefty fines drew attention to the enforcement date of May 25, 2018, now just around the corner.

Those hefty fines can range from a written warning for non-intentional noncompliance to a fine of 20 million Euro or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is GREATER. Yeah, that’s pretty jaw-dropping.

So, GDPR has teeth and is nothing to be ignored.

Oh, and if you think this is just for EU or UK companies, it isn’t. It applies equally to any company that possesses any data of any EU or UK resident in their data base or files, providing that person isn’t dead. The law excludes dead people and makes some exceptions for law enforcement and other national security types of applications.

Otherwise, it applies to everyone in a global economy – and not just for future sales, but to already existing data for anyone who stores, transmits, sells to or processes data of any EU resident.

What Does GDPR Do?

The intent of GDPR was to strengthen privacy and data protections, but there is little latitude written into this regulation that allows for intentional sharing of data. The presumption throughout the hundreds of pages of lawyer-speak is that data is not intended to be shared, thereby requiring companies to take extraordinary measures to encrypt and anonymize data, even going so far as to force companies to store e-mail addresses separately from any data which could identify the person. Yes, like a name, or address.

Ironic that a regulation that requires vendor language be written in plainly understood simple wording is in and of itself incredibly complex, mandating legal interpretation.

Needless to say, GDPR requirements are playing havoc with every company’s data bases and file structure, because information technology goals have been to simplify and unify, not to chop information apart and distribute it, which requires a complex network of calls between systems.

Know who loves GDPR? Lawyers and consultants, that’s who!

In the case of intentional sharing, such as genetic genealogy, these regulations are already having unintended consequences through their extremely rigid requirements.

For example, a company must appoint a legal representative in Europe. I am not a lawyer, but my reading of this requirement suggests that European appointed individual (read, lawyer) is absorbing some level of risk and could potentially be fined as a result of their non-European client’s behavior. So tell me, who is going to incur that level of risk for anything approaching a reasonable cost?

One of the concepts implemented in GDPR is the colloquially known “right to be forgotten.” That means that you can request that your data and files be deleted, and the company must comply within a reasonable time.

However, what does “the right to be forgotten” mean, exactly? Does it mean a company has to delete your public presence? What about their internal files that record that you WERE a customer? What about things like medical records? What about computer backups, which are standard operating procedure for any responsible company? What happens when a backup needs to be restored? If the company tracks who was deleted, so they can re-delete them if they have to restore from backup, then the person isn’t deleted in the first place and they are still being tracked – even though the tracking is occurring so the person can be re-forgotten.

Did you follow that? Did it make sense? Did anyone think of these kinds of things?
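The two engineering problems raised above, keeping identifying fields apart from the data they describe (the e-mail address example earlier in this article) and making an erasure request survive a backup restore, are commonly answered together by encrypting each person’s record under a key held only for that person, an approach often called crypto-shredding. What follows is an added example, not code from this article or from any vendor it names; the store layout, the opaque tokens and the HMAC-based toy cipher are my own constructions, and a production system would use AES-GCM from a vetted library instead. With a per-subject key, “forgetting” someone means destroying their key: a backup may still hold the ciphertext, but nothing can read it, so no list of who was deleted has to be kept.

```python
"""Crypto-shredding demo (added example): per-subject keys make an erasure
request survive a backup restore without keeping a list of deleted people."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from the per-subject key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustrative only;
    # real systems should use AES-GCM from a vetted library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SubjectStore:
    """Records are indexed by an opaque token and held only as ciphertext.

    `records` is what ordinary backups contain; `keys` is the small
    per-subject key table that is managed, and deleted, separately."""

    def __init__(self) -> None:
        self.records: dict[str, bytes] = {}
        self.keys: dict[str, bytes] = {}

    def add(self, email: str, name: str) -> str:
        token = secrets.token_hex(8)        # carries no identity on its own
        key = secrets.token_bytes(32)
        self.keys[token] = key
        payload = json.dumps({"email": email, "name": name}).encode()
        self.records[token] = encrypt(key, payload)
        return token

    def read(self, token: str):
        key, blob = self.keys.get(token), self.records.get(token)
        if key is None or blob is None:
            return None                      # no key: the ciphertext is noise
        return json.loads(decrypt(key, blob))

    def forget(self, token: str) -> None:
        # Erasure is the key deletion; dropping the record is housekeeping.
        self.keys.pop(token, None)
        self.records.pop(token, None)

    def backup(self) -> dict[str, bytes]:
        return dict(self.records)

    def restore(self, snapshot: dict[str, bytes]) -> None:
        self.records = dict(snapshot)        # keys are NOT part of the restore


def demo() -> dict:
    # Constructed sample data, not real people.
    store = SubjectStore()
    alice = store.add("alice@example.invalid", "Alice")
    bob = store.add("bob@example.invalid", "Bob")
    snapshot = store.backup()                # taken before the erasure request
    store.forget(alice)
    store.restore(snapshot)                  # the old backup comes back...
    return {
        "alice_ciphertext_restored": alice in store.records,
        "alice_readable": store.read(alice) is not None,  # ...but stays unreadable
        "bob": store.read(bob),
    }


if __name__ == "__main__":
    print(demo())
```

The restore deliberately brings Alice’s ciphertext back, which is exactly the situation the paragraph describes; because her key was destroyed, the store reports her as unreadable without ever recording that she existed, while Bob’s record is unaffected.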

Oh, and by the way, there is no case law yet, so every single European company and every single non-European company that has any customer base in Europe is scrambling to comply with an incredibly far-reaching and harsh regulation with extremely severe potential consequences.

How many companies do you think can absorb this expenditure? Who do you think will ultimately pay?

Younger people may not remember Y2K, but I assuredly do, and GDPR is Y2K on steroids and with lots of ugly teeth in the form of fines and penalties that Y2K never had. The worst-case scenario for Y2K was that things would stop working. GDPR can put you out of business in the blink of an eye.

Categories of “Processors”

GDPR defines multiple levels of “processors,” a primary controller and a secondary processor plus vaguely defined categories of “third party” and “joint controller.”

The “controller” is pretty well defined as the company that receives and processes the data or order, and a “processor” is any other entity, including an individual person, who further processes data on behalf of or as a result of the controller.

There appears to be no differentiation between a multi-million-dollar company and one person doing something as a volunteer at home for most requirements – and GDPR specifically says that lack of pay does not exempt someone from GDPR. The one possible exception is an exclusion for organizations employing fewer than 250 persons, “unless processing is likely to result in a risk to the rights and freedoms of the data subject.” I’m thinking that just mentioning the word DNA is enough to eliminate this exemption.

Furthermore, GDPR states that controllers and processors must register.

Right about now, you’re probably asking yourself if this means you if you’re managing multiple DNA kits, working with genetic genealogy, either as a volunteer or professionally, or even managing a group project or Facebook group.

The answer to those questions is that we really don’t know.

ISOGG has prepared a summary page addressing GDPR from the genetic genealogy perspective, here. The ISOGG working group has done an excellent job in summarizing the questions, requirements and potential effects of the legislation in the slide presentation, which I suggest you take the time to view.

This legislation clearly wasn’t written considering this type of industry, meaning DNA shared for genealogical purposes, and there has been no case law yet surrounding GDPR. No one wants to be the first person to discover exactly how this will be interpreted by the courts.

The requirements for controllers and processors are much the same and include very specific requirements for how data can be stored and what must be done in terms of “right to be forgotten” requests within a reasonable time, generally mentioned as 30 days after the person who owns the data requests to be forgotten. This would clearly apply to some websites and other types of resources used and maintained by the genetic genealogy community. If you are one of the people this could affect, meaning you maintain a website displaying results of some nature, you might want to consider these requirements and how you will comply. Additionally, you are required to have explicitly given consent from every person whose results are displayed.

For genetic genealogists, who regularly share information through various means, and the companies who enable this technology, GDPR is having what I would very generously call a wet blanket effect.

What’s Happening in the Genetic Genealogy Space?

So far, we’ve seen the following:

  • Oxford Ancestors has announced they are shuttering, although they did not say that their decision has anything to do with GDPR. The timing may be entirely coincidental.
  • Full Genomes Corporation has announced on social media that they are no longer accepting orders from EU or UK customers, stating that “the regulatory cost is too high for a small company” and is “excessive.” I would certainly agree with that. Update: On 3-31-2018 Justin Loe, CEO of Full Genomes, says that they “will continue to sell into the EU via manual process.”
  • Ancestry has recently made unpopular decisions relative to requiring separate e-mails to register different accounts, even if the same person is managing multiple DNA kits. Ancestry did not say this had to do with GDPR either, but in reading the GDPR requirements, I can understand why Ancestry felt compelled to make this change.
  • Family Tree DNA recently removed a search feature from their primary business page that allowed the public to search for their ancestors in trees posted to accounts at Family Tree DNA. According to an e-mail sent to project administrators, this change was the result of changes required by GDPR. They too are working on compliance.
  • MyHeritage is as well.
  • I haven’t had an opportunity to speak privately with LivingDNA or 23andMe, but I would presume both are working on compliance. LivingDNA is a UK company.

One of my goals recently when visiting RootsTech was to ask vendors about their GDPR compliance and concerns. That’s the one topic sure to wipe the smile off of everyone’s face, immediately, generally followed by grimaces, groans and eye-rolls until they managed to put their “public face” back on.

In general, vendors said they were moving towards compliance but that it was expensive, difficult and painful – especially given the ambiguity in some of the regulation verbiage. Some expressed concerns that GDPR was only a first step and would be followed by even more painful future regulations. I would presume that any vendor who is not planning to become compliant would not have spent the money to have a booth at RootsTech.

The best news about GDPR is that it requires transparency – in other words, it’s supposed to protect customers from a company selling your anonymized DNA out the back door without your explicitly given consent, for example. However, the general consensus was that any company that wanted to behave in an unethical manner would find a loophole to do so, regardless of GDPR.

In fairness, hurried consumers bring this type of thing on themselves by clicking through the “consent,” or “agree” boxes without reading what they are consenting to. All the GDPR in the world won’t help this. The company may have to disclose, but the consumer doesn’t have to read, although GDPR does attempt to help by forcing you to actively click on agree.

I’m sure we’ll all be hearing more about GDPR in the next few weeks as the deadline looms ever closer.

May 25, 2018

Now you know!

There’s nothing you can do about the effects of GDPR, except hold on tight as the vendors on which we depend do their best to navigate this maze.

Between now and May 25th, and probably for some time thereafter, I promise to be patient and not to complain about glitches in vendors’ systems as they roll out new code as seamlessly as possible.

Gluttons for Punishment

For those of you who are really gluttons for punishment, here are the actual links to the documents themselves. Of course, they are also guaranteed to put you to sleep in about 27 seconds flat…so a sure cure for insomnia.
