GDPR regulations effective 25 May 2018

  • oma04
    mtdna X2d, ydna I-M253
    • Oct 2014
    • 41

    GDPR regulations effective 25 May 2018

    from ISOGG "The General Data Protection Regulation 2017 is a regulation of the European Union (EU) which will apply from 25 May 2018. Its primary objective is to protect EU residents against the misuse of their personal data. The regulation applies to companies and organisations who have customers or members resident in the European Union."

    As Group Administrators, I would guess we all have at least one member who is a resident of the EU. I began to try and see who and how many EU residents were in my Stevenson group membership and quickly discovered that short of opening each account from Member Information, it was impossible. So I asked FTDNA CS if they would not consider adding a column to our Member Reports in the Member Information option to display Country of Residency and got no specific answer. The Member Distribution Map display option only gives Most Distant Ancestor location.

    Would anyone else see the value of this information to the GAP administrator?
  • dna
    FTDNA Customer
    • Aug 2014
    • 3004

    #2
    FTDNA appears to be making sure that all their operations conform to the EU requirements and planned (potential) British ones.

    There is a precedent, since before GDPR came into existence, FTDNA operations were already aligned to EU and Swiss privacy laws. FTDNA has policies others only noticed in GDPR, for example a right to remove one's data (which is not the same as the common "removal from our mailing list") or removal of medically relevant SNPs.


    Using different privacy and security mechanisms would require tracking of citizenships and residency (an EU-based person can live in the US and test from the US!) and might generate unnecessary complexity. And you had just realized that... It is easier to have one good security and privacy policy.


    I think another F....... company has to scramble.


    Mr. W.


    P.S.
    European trivia: Switzerland is not a part of the European Union. Britain still is, but regardless of Brexit happening or not(!) Britain wants to have even more stringent requirements.
    Last edited by dna; 20 April 2018, 12:14 PM. Reason: adding "based in EU" (clarification) + medical SNPs

    Comment

    • KATM
      mtDNA: K1a3 / YDNA: R-FGC46377
      • Nov 2012
      • 2157

      #3
      Roberta Estes has posted today on her blog about "Common Sense and GDPR." It is definitely worth reading. Under the heading "Location," she has two comments (my bolding):
      Location
      • While GDPR applies to European residents, you may not be aware that someone is a European resident. I’m going to assume that everyone is a European resident and that way there is no possible mistake.
      • GDPR does not appear to apply to European citizens living outside of the EU/UK.
      She also has posted caveats that what she says in this blog post is her own interpretation of the GDPR, and that she is not a lawyer.

      Comment

      • dna
        FTDNA Customer
        • Aug 2014
        • 3004

        #4
        OK, I am not a lawyer either...

        Originally posted by KATM
        Roberta Estes has posted today on her blog about "Common Sense and GDPR." It is definitely worth reading. Under the heading "Location," she has two comments (my bolding):

        Quote:
        Location
        • While GDPR applies to European residents, you may not be aware that someone is a European resident. I’m going to assume that everyone is a European resident and that way there is no possible mistake.
        • GDPR does not appear to apply to European citizens living outside of the EU/UK.

        She also has posted caveats that what she says in this blog post is her own interpretation of the GDPR, and that she is not a lawyer.
        First another quote from Roberta Estes:
        I don’t believe GDPR is targeting people like project administrators, unless they are incredibly negligent or intentionally violate the privacy of others. I suspect that, for the most part, being careful with other people’s information, respectful and perhaps more aware than in the past will keep us all safe.
        In general, I agree with the above interpretation.

        On the other hand, I think she misinterpreted the location issue. And I subsequently clarified my earlier post.

        Whether one is covered by GDPR or not depends on whether one is based in the EU. A concept known to many who pay taxes. One can live at some place, but for the purpose of taxation they are resident of another location.


        I do not think that she had read my post from last month, but clearly she came to the same realization that professional researchers in the fields of genealogy and genetic genealogy are going to be heavily impacted.


        I cannot see into the future, but I would not be surprised if on the 25th of May 2018 FTDNA resets everybody (who did not modify their settings since the 10th of April!) to not show their results to the public in the projects.


        Mr. W.

        Comment

        • oma04
          mtdna X2d, ydna I-M253
          • Oct 2014
          • 41

          #5
          email addresses

          "Controllers and processors must store contact information separately from 'results.'"

          As administrator, I already see at least one issue that FTDNA will have to address. In ydna matches reporting, after opening the match list, the tester has the option to download the matches to csv. In that download, the email addresses of all matches appear in the spreadsheet.

          Logically, this is how matches communicate with each other, but I wonder if FTDNA will have to resort to an internal mail system such as in 23andme and Ancestry.

          Comment

          • dna
            FTDNA Customer
            • Aug 2014
            • 3004

            #6
            Originally posted by oma04
            "Controllers and processors must store contact information separately from 'results.'"

            As administrator, I already see at least one issue that FTDNA will have to address. In ydna matches reporting, after opening the match list, the tester has the option to download the matches to csv. In that download, the email addresses of all matches appear in the spreadsheet.

            Logically, this is how matches communicate with each other, but I wonder if FTDNA will have to resort to an internal mail system such as in 23andme and Ancestry.
            Yes, but I had always thought that this was the purpose of the green release form: to specifically allow for associations between results and contact information.

            The quote given means to me that GDPR is enforcing separation of any contact database from any other information; as in keeping (storing) them separate. However, GDPR does not preclude combining of contact information with anything else (results) for presentation purposes.

            Historically, large enterprises knew for a very long time about security advantages of such a solution/separation, but some had legacy systems and were very slow in separating the two. (The customer credit card information should be in yet another database.) Small and medium size (we are talking European sizes here!) companies have often had just one database..., and GDPR would probably mean that everybody in Europe would from now on default to having separate databases - even if today they are on a single PC.


            Mr. W.

            P.S.
            The quoted requirement is not a frivolous one. In many circumstances, quite a lot of people have access to, for example, inventory or sales databases. Contact information, be it of vendors or customers, is not required for data mining or some other data analysis, although often some regional tagging is very useful if present.

            Comment

            • oma04
              mtdna X2d, ydna I-M253
              • Oct 2014
              • 41

              #7
              access to member accounts by group administrators

              Another startling new message today when I signed into a member account, selected Personal Information and then the Manage Projects tab. Here is the statement above the list of projects:

              "Important: Please review the settings below, any changes made will take effect on the 25th of May 2018.

              Due to The General Data Protection Regulation (GDPR):

              Any Group Project you have previously granted Limited Access or Full Access to will continue to have the granted access until the 24th of May 2018.
              When joining a new Group Project, all Group Administrators within that project will be given No Access."

              This issue becomes more complicated by the day. I sure hope we get some guidelines soon from FTDNA.

              Comment

              • sailingdeac
                FTDNA Customer
                • Feb 2006
                • 23

                #8
                I must admit all this is getting to the point of forcing project admins to end their efforts... especially if they have public sites. I called FTDNA several times, but I now see the various permissions are so interwoven as to be unpredictable.

                Comment

                • sailingdeac
                  FTDNA Customer
                  • Feb 2006
                  • 23

                  #9
                  I asked specifically about "Any Group Project you have previously granted Limited Access or Full Access to will continue to have the granted access until the 24th of May 2018."... was told nothing changes. That is not what the sentence says. Also I asked if more info to admins is coming. Yes, but no idea of when. Or do we just see what hits the fan May 24?

                  Comment

                  • oma04
                    mtdna X2d, ydna I-M253
                    • Oct 2014
                    • 41

                    #10
                    Stevenson Surname project

                    I think we have to use our own good judgement until FTDNA gives us specifics, i.e. I removed the members' contact name and email from our Pedigree page, which is public. Contact will have to be made through me or my co-admin.

                    Comment

                    • dna
                      FTDNA Customer
                      • Aug 2014
                      • 3004

                      #11
                      Since some project administrators are still missing the e-mail updates, here is the link to the announcement FTDNA just made


                      Mr. W.

                      Comment

                      • TwiddlingThumbs
                        FTDNA Customer
                        • Jan 2016
                        • 155

                        #12
                        Any idea why FTDNA made it so Admins can't copy or download private results? Is it just to make it harder to share them with someone who is not an Admin?

                        Comment

                        • dna
                          FTDNA Customer
                          • Aug 2014
                          • 3004

                          #13
                          Originally posted by TwiddlingThumbs
                          Any idea why FTDNA made it so Admins can't copy or download private results? Is it just to make it harder to share them with someone who is not an Admin?
                          Since the downloads would still be possible, to me that looks like a typical legal requirement.

                          It is easy to require the downloader to acknowledge some legalese before downloading. I think the same could be done for a select&copy action, but I do not recall sites doing that - maybe I am mistaken, maybe it does not work well in practice.


                          The important part of the announcement is that the downloaded data might be different from the displayed data!

                          And you had noticed that first! I bet the results you were missing in the downloads were from the kits with restrictive privacy settings. Would you be able to verify that?


                          Mr. W.

                          Comment

                          • TwiddlingThumbs
                            FTDNA Customer
                            • Jan 2016
                            • 155

                            #14
                            Originally posted by dna
                            I bet the results you were missing in the downloads were from the kits with restrictive privacy settings. Would you be able to verify that?
                            Based on a quick check, it looks like download is missing not only the private ones but also some that aren't private. The "Export to Spreadsheet" function on the GAP results page seems to have everything except the private ones. Seems like download may just be plain broken.

                            Comment

                            • dna
                              FTDNA Customer
                              • Aug 2014
                              • 3004

                              #15
                              Originally posted by TwiddlingThumbs
                              Based on a quick check, it looks like download is missing not only the private ones but also some that aren't private. The "Export to Spreadsheet" function on the GAP results page seems to have everything except the private ones. Seems like download may just be plain broken.
                              Thank you for an instant response!

                              So we are closely watching FTDNA work in progress.

                              At least your observation has an answer.


                              Mr. W.

                              Comment
