GDPR – It’s a Train and It’s a Comin’

In the recent article about Oxford Ancestors shuttering, I briefly mentioned GDPR. I’d like to talk a little more about this today, because you’re going to hear about it, and I’d rather you hear about it from me than from a sky-is-falling perspective.

It might be rainy and there is definitely some thunder and the ground may shake a little, but the sky is not exactly falling. The storm probably isn’t going to be pleasant, however, but we’ll get through it because we have no other choice. And there is life after GDPR, although in the genetic genealogy space, it may look a little different.

And yes, one way or another, it will affect you.

What is GDPR?

GDPR, short for General Data Protection Regulation, is European (meaning both EU and UK) regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU/UK and processing of data of residents of the EU/UK by non-EU/UK companies.

There are actually two similar, but somewhat different regulations, one for the UK and one for the EU’s 28 member states, but the regulations are collectively referred to as the GDPR regulation.

Ok, so far so good.

The regulations are directly enforceable and do not require any individual member government to pass additional legislation.

GDPR was adopted on April 27, 2016, but little notice was taken until the last few months, especially outside of Europe, when the hefty fines drew attention to the enforcement date of May 25, 2018, now just around the corner.

Those hefty fines can range from a written warning for non-intentional noncompliance to a fine of 20 million Euro or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is GREATER. Yea, that’s pretty jaw-dropping.

So, GDPR has teeth and is nothing to be ignored.

Oh, and if you think this is just for EU or UK companies, it isn’t. It applies equally to any company that possesses any data of any EU or UK resident in their data base or files, providing that person isn’t dead. The law excludes dead people and makes some exceptions for law enforcement and other national security types of applications.

Otherwise, it applies to everyone in a global economy – and not just for future sales, but to already existing data for anyone who stores, transmits, sells to or processes data of any EU resident.

What Does GDPR Do?

The intent of GDPR was to strengthen privacy and data protections, but there is little latitude written into this regulation that allows for intentional sharing of data. The presumption throughout the hundreds of pages of lawyer-speak is that data is not intended to be shared, thereby requiring companies to take extraordinary measures to encrypt and anonymize data, even going so far as to force companies to store e-mail addresses separately from any data which could identify the person. Yes, like a name, or address.

Ironic that a regulation that requires vendor language be written in plainly understood simple wording is in and of itself incredibly complex, mandating legal interpretation.

Needless to say, GDPR requirements are playing havoc with every company’s data bases and file structure, because information technology goals have been to simplify and unify, not chop apart and distribute information, requiring a complex network of calls between systems.

Know who loves GDPR? Lawyers and consultants, that’s who!

In the case of intentional sharing, such as genetic genealogy, these regulations are already having unintended consequences through their extremely rigid requirements.

For example, a company must appoint a legal representative in Europe. I am not a lawyer, but my reading of this requirement suggests that European appointed individual (read, lawyer) is absorbing some level of risk and could potentially be fined as a result of their non-European client’s behavior. So tell me, who is going to incur that level of risk for anything approaching a reasonable cost?

One of the concepts implemented in GDPR is the colloquially known “right to be forgotten.” That means that you can request that your data and files be deleted, and the company must comply within a reasonable time.

However, what does “the right to be forgotten” mean, exactly? Does it mean a company has to delete your public presence? What about their internal files that record that you WERE a customer? What about things like medical records? What about computer backups, which are standard operating procedure for any responsible company? What happens when a backup needs to be restored? If the company tracks who was deleted, so they can re-delete them if they have to restore from backup, then the person isn’t deleted in the first place and they are still being tracked – even though the tracking is occurring so the person can be re-forgotten.

Did you follow that? Did it make sense? Did anyone think of these kinds of things?

Oh, and by the way, there is no case law yet, so every single European company and every single non-European company that has any customer base in Europe is scrambling to comply with an incredibly far-reaching and harsh regulation with extremely severe potential consequences.

How many companies do you think can absorb this expenditure? Who do you think will ultimately pay?

Younger people may not remember Y2K, but I assuredly do, and GDPR is Y2K on steroids and with lots of ugly teeth in the form of fines and penalties that Y2K never had. The worst scenario for Y2K was that things would stop working. GDPR can put you out of business in the blink of an eye.

Categories of “Processors”

GDPR defines multiple levels of “processors,” a primary controller and a secondary processor plus vaguely defined categories of “third party” and “joint controller.”

The “controller” is pretty well defined as the company that receives and processes the data or order, and a “processor” is any other entity, including an individual person, who further processes data on behalf of or as a result of the controller.

There appears to be no differentiation between a multi-million-dollar company and one person doing something as a volunteer at home for most requirements – and GDPR specifically says that lack of pay does not exempt someone from GDPR. The one possible exception is an exclusion for organizations employing fewer than 250 persons, “unless processing is likely to result in a risk to the rights and freedoms of the data subject.” I’m thinking that just mentioning the word DNA is enough to eliminate this exemption.

Furthermore, GDPR states that controllers and processors must register.

Right about now, you’re probably asking yourself if this means you if you’re managing multiple DNA kits, working with genetic genealogy, either as a volunteer or professionally, or even managing a group project or Facebook group.

The answer to those questions is that we really don’t know.

ISOGG has prepared a summary page addressing GDPR from the genetic genealogy perspective, here. The ISOGG working group has done an excellent job in summarizing the questions, requirements and potential effects of the legislation in the slide presentation, which I suggest you take the time to view.

This legislation clearly wasn’t written considering this type of industry, meaning DNA shared for genealogical purposes, and there has been no case law yet surrounding GDPR. No one wants to be the first person to discover exactly how this will be interpreted by the courts.

The requirements for controllers and processors are much the same and include very specific requirements for how data can be stored and what must be done in terms of the “right to be forgotten” requests within a reasonable time, generally mentioned as 30 days after the person who owns the data requests to be forgotten. This would clearly apply to some websites and other types of resources used and maintained by the genetic genealogy community. If you are one of the people this could affect, meaning you maintain a website displaying results of some nature, you might want to consider these requirements and how you will comply. Additionally, you are required to have explicitly given consent for every person’s results that are displayed.

For genetic genealogists, who regularly share information through various means, and the companies who enable this technology, GDPR is having what I would very generously call a wet blanket effect.

What’s Happening in the Genetic Genealogy Space?

So far, we’ve seen the following:

  • Oxford Ancestors has announced they are shuttering, although they did not say that their decision has anything to do with GDPR. The timing may be entirely coincidental.
  • Full Genomes Corporation has announced on social media that they are no longer accepting orders from EU or UK customers, stating that “the regulatory cost is too high for a small company” and is “excessive.” I would certainly agree with that. Update: On 3-31-2018, Justin Loe, CEO of Full Genomes, says that they “will continue to sell into the EU via manual process.”
  • Ancestry has recently made unpopular decisions relative to requiring separate e-mails to register different accounts, even if the same person is managing multiple DNA kits. Ancestry did not say this had to do with GDPR either, but in reading the GDPR requirements, I can understand why Ancestry felt compelled to make this change.
  • Family Tree DNA recently removed a search feature from their primary business page that allowed the public to search for their ancestors in trees posted to accounts at Family Tree DNA. According to an e-mail sent to project administrators, this change was the result of changes required by GDPR. They too are working on compliance.
  • MyHeritage is as well.
  • I haven’t had an opportunity to speak privately with LivingDNA or 23andMe, but I would presume both are working on compliance. LivingDNA is a UK company.

One of my goals recently when visiting RootsTech was to ask vendors about their GDPR compliance and concerns. That’s the one topic sure to wipe the smile off of everyone’s face, immediately, generally followed by grimaces, groans and eye-rolls until they managed to put their “public face” back on.

In general, vendors said they were moving towards compliance but that it was expensive, difficult and painful – especially given the ambiguity in some of the regulation verbiage. Some expressed concerns that GDPR was only a first step and would be followed by even more painful future regulations. I would presume that any vendor who is not planning to become compliant would not have spent the money to have a booth at RootsTech.

The best news about GDPR is that it requires transparency – in other words, it’s supposed to protect customers from a company selling your anonymized DNA out the back door without your explicitly given consent, for example. However, the general consensus was that any company that wanted to behave in an unethical manner would find a loophole to do so, regardless of GDPR.

In fairness, hurried consumers bring this type of thing on themselves by clicking through the “consent,” or “agree” boxes without reading what they are consenting to. All the GDPR in the world won’t help this. The company may have to disclose, but the consumer doesn’t have to read, although GDPR does attempt to help by forcing you to actively click on agree.

I’m sure we’ll all be hearing more about GDPR in the next few weeks as the deadline looms ever closer.

May 25, 2018

Now you know!

There’s nothing you can do about the effects of GDPR, except hold on tight as the vendors on which we depend do their best to navigate this maze.

Between now and May 25th, and probably for some time thereafter, I promise to be patient and not to complain about glitches in vendors’ systems as they roll out new code as seamlessly as possible.

Gluttons for Punishment

For those of you who are really gluttons for punishment, here are the actual links to the documents themselves. Of course, they are also guaranteed to put you to sleep in about 27 seconds flat…so a sure cure for insomnia.

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

Oxford Ancestors Announces Closure – Plus How to Protect Your DNA

Dr. Bryan Sykes, founder of Oxford Ancestors has announced that Oxford Ancestors is withdrawing from the direct to consumer genetic marketplace as Bryan retires to live abroad.

Oxford Ancestors Began Testing in 1996

Oxford Ancestors was the first company to test mitochondrial DNA outside the academic environment available to the public after Dr. Sykes authored his book, Seven Daughters of Eve. Although the book is incredibly outdated today, it was at that time a groundbreaking book that introduced regular air-breathing humans, not scientists, to the DNA of their ancestors.

In essence, it started our love affair with our DNA that continues with millions having tested today.

In the back of the Seven Daughters book was an order form, and in 1999, I quickly ordered my first DNA test to find out which of Eve’s 7 daughters’ clans I belonged to. For about $900, I received a one page chart in the mail with a star placed on Jasmine’s node telling me that I was a member of Jasmine’s clan.

Such was the humble (and expensive) beginning of my two-decade fascination with genetic genealogy. It’s true that every journey of 1000 miles (or 18 years) begins with one tiny step.

Dr. Sykes later added a 10 marker Y DNA test for males along with a searchable data base that hasn’t been functional in years.

In essence Oxford Ancestors could have been the innovation force to lead the genetic genealogy revolution, but it wasn’t. Oxford Ancestors introduced a few new products here and there over the years, but seemed out of touch with the needs and desires of genetic genealogists.

One Last Time

I dug deeply into my own personal archives looking for my user name and password, hoping to check my matches at Oxford Ancestors one last time. I noted from a series of e-mails that there had been sign-in and password problems for years, and sure enough, none of my or my husband’s user names or passwords works today.

It really doesn’t matter much, given that only 400 mtDNA locations were tested, not even the full HVR1 region – compared to 16,569 locations in the full sequence test at Family Tree DNA.

My husband’s Y DNA tests are irrelevant too, with only 10 STR markers.

Hubby and I both retested years ago at Family Tree DNA, as did any other serious genealogist. I’m just incredibly, incredibly grateful that my deceased mother’s DNA was stored at Family Tree DNA who retains customers’ DNA for 25 years to afford the individual (or their legal heirs) the ability to upgrade with new tests as the technology improves. If mother’s DNA was at Oxford Ancestors, I’d probably be singing an entirely different song right now.

Sign In

If you’re interested in trying to sign in to Oxford Ancestors one last time, do so soon.  Dr. Sykes says the data base will remain online for a few months, but with the GDPR deadline looming on May 25th, I’d speculate that the data base might be taken offline just before that date.

It was difficult to find the location to sign in, but it looks to be in the green section of the Database Search Zone, (bottom option at left on the sidebar) that brings you to this page with the green sign-in box at right.

Genetic History of Early Testers Gone Forever

The saddest part of this obsolescence event is that because Dr. Sykes’ project began in 1996, he assuredly has samples from many individuals who have passed away. His data base, when no longer available in any capacity (even though it hadn’t been working correctly in years) will take with it the genetic results and genetic history of many individuals that will be irreplaceable. Never recoverable. Gone forever.

Even though only a few genetic locations were tested, in some cases, some knowledge is better than no knowledge – especially if those people didn’t test elsewhere and/or their line has died out.

I hope that some effort might be made to transfer ownership and stewardship of the database (perhaps) to a nonprofit type of entity (ISOGG?) who would strive to maintain the database in some format.

It’s heartbreaking to see 21 years of DNA samples from Oxford Ancestors join the defunct data bases of both Sorenson (purchased by Ancestry) and Ancestry’s own Y and mtDNA data bases – both of which met the same fate. Lost forever.

It’s akin to deleting the lineage stories of our long deceased ancestors. Kind of like burning the genetic library. Travesty isn’t a strong enough word.

While this may be the best answer for Dr. Sykes personally, who undoubtedly deserves to be able to retire, it remains a tragedy for mankind (not to mention the testers’ families) to lose the earliest pieces of history collected and compiled in this field.

Nothing is Forever

Nothing is forever, unfortunately.

We all need to make preparations to protect our own DNA and genetic records.  However, because the strength of genetic genealogy is not individual results in isolation, but in comparison to others’ results, we still need the ability to compare.

Unfortunately, both YSearch and MitoSearch, formed as free public entities allowing people to upload their results and compare, lost their raison d’être when other companies stopped performing Y and mtDNA tests. There’s no reason to maintain an external site to allow comparisons from multiple companies when there is only one company testing Y and mitochondrial in this field now, and you can compare directly in their own data base.

Family Tree DNA maintained those services, for free, for years. They have graciously allowed the data bases to remain available, but they have not updated them in a long time and the code is exceptionally old.

Preventative Steps to Take NOW

If you don’t have your results elsewhere, either sign in to Oxford Ancestors or contact them, NOW, to obtain and archive your results.

Be sure to update your beneficiary form at Family Tree DNA, and be sure that your family knows about your DNA results, location, sign-in user name/password and your desires.

Other vendors don’t offer a beneficiary designation, so be sure that your family knows about your DNA locations and how to sign in. Instruct your executors as to how to deal with your DNA at locations that require a subscription. You may want to include a clause in your will providing direction.

Download your DNA results and raw data files for Y, mtDNA and autosomal. Label and date them carefully. Archive in multiple locations, on multiple computers and on multiple kinds of media. Be sure at least one copy is stored outside your home in case of disaster.

Upload your Y and mitochondrial results to YSearch and MitoSearch, if possible. If you download directly from Family Tree DNA (at the bottom of your matches page), even though an error message is returned during that process, your results are still being added to the data base. You can confirm by clicking on the “Upload to YSearch (or MitoSearch)” button at the bottom of the Y (or mito) matching page again, and your YSearch (or MitoSearch) ID will be displayed. I would not suggest depending on this resource either, given its age and the fact that it is far beyond its anticipated lifespan.

One of the best things you can do with your autosomal results to assure availability is to be sure they are stored in different locations. Fortunately, several companies facilitate uploading information from other sites, which you can later download if need be. In other words, “spread the love” in the form of your DNA file. You benefit now by fishing in multiple pools for matches and later by making sure your DNA is not just in one place.

Download and transfer autosomal raw data files from:

To:

Of these, both Ancestry and MyHeritage either restrict the services or the size of your (free) tree utilized for matching, so unless your heirs maintain a paid subscription at some level, your results may not be able to be utilized to their full matching capacity. Both provide some level of free matching without full services.

Not every vendor accepts all results from the other vendors due to chip incompatibilities. You can see which vendors accept whose files, and versions, here.

To make your DNA results immortal and ensure that they continue to reap benefits not just for you, but for your descendants and those whom you match as well, transfer your results to as many (legitimate) places as possible and please, please upload or create a corresponding tree.

Genetic genealogy today and in the future relies on DNA test results compared to others AND genealogy. Preserve both!

Your DNA is the legacy that only you can provide. Don’t let a company’s data base closure rob your descendants.
