Some people eat, sleep and chew gum, I do genealogy and write...

Monday, May 28, 2018

The GDPR and Genealogy
If you have signed in or registered for a number of different websites and online services, you have probably received a number of email notifications about the European Union's General Data Protection Regulation or GDPR. What is going on?

If you buy, sell or rent any service or goods in the United States or elsewhere, you probably have provided personal information to the provider in some form or another. For example, if you have a credit card, you filled out a signed application form to obtain the credit card. If you then used the credit card to buy goods or services, the number on the card was used to transfer money from you to the provider. As we all engage in these ever increasingly complicated transactions, especially now as many of these transactions take place online through the internet, we each accumulate a significant online information presence.

This online information is also gathered by websites that use your personal information for other purposes. For example, if you make a purchase on or any other online retail or wholesale sales website, detailed information about your purchase is recorded and used to target you with advertising. In addition, in recent times there have been numerous spectacular data breaches where information about individuals and companies has been accessed by illegal means.

In an attempt to control the flow of data about individuals, labeled "natural persons," the EU GDPR was created and became actively enforced on 23 May 2018. The Regulation applies to any entity doing business or storing information about "natural persons" living in the EU. Here is a short summary of the Regulation from Wikipedia: General Data Protection Regulation.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area(EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] 
Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data's owner. The data owner has the right to revoke this permission at any time.
I have included all the links and footnotes. From my perspective, given the data breaches constantly being reported in the media, it is strange that the United States Congress has not passed a similar law protecting personal information online. Those companies that had to scramble (over two years) to come into compliance because they are doing business in the EU, should have had these types of protections all along.

By the way, dead people are not included in this Regulation, so unless you are commercially storing or using personal information about living people, you probably will not be affected by this Regulation. That said, the Regulation is complicated, very detailed, long, and subject to all sorts of interpretation. It also imposes some huge fines for noncompliance. The Regulation also has some less restrictive requirements for businesses of less than 250 employees.

If you think you might fall under the provisions of the Regulation, I suggest you read the entire text including its 173 Recitals. You may also want to find a competent international attorney to help you interpret and make the proper adjustments to your business as required by the Regulation.  European Union's General Data Protection Regulation or GDPR

1 comment:

  1. Another very, very, very important thing to say about the GDPR: IT DOES NOT APPLY TO THINGS WHICH ARE PURELY PRIVATE AND DOMESTIC IN NATURE. That means that even if genealogists are collecting information about living individuals then they are fine if they are doing it for family genealogy. It is only if they are doing work on behalf of commercial clients that they might have to worry.