
A promise…

This is it.

Today is the end of this.

After today, NO. MORE. GDPR.

Today, The Legal Genealogist will outline what’s been done at this website to try to be ready for today’s effective date of the European Union’s new General Data Protection Regulation, as a recap for readers — and maybe future regulators.

It’s also for whatever benefit it might provide to genealogists or genealogical societies that have a web presence and maybe aren’t quite as far along on the GDPR compliance path.

This isn’t intended as legal advice. For one thing, I don’t maintain a current law license, so any legal advice I gave would have me in hot water for practicing law without a license — not to mention the fact that I never did practice in the European Union — EU, for short — and its entire legal structure is utterly baffling.

And I’m not even 100% sure what I did here is good enough to meet all the steps for GDPR compliance. It’s just the best I can figure out to do.

So take this with a grain of salt, or maybe even the whole salt lick, and if you have remaining concerns, talk to a licensed attorney who does understand EU law. Got that?

Here goes…

First, a recap. The GDPR is an EU data protection and privacy rule developed over a period of years. First published in 2016, and taking effect today, it’s designed to protect the interests and privacy of individuals in the EU (whatever their citizenship) particularly with respect to data collected and stored by organizations, groups, and websites.1

Second, it aims to protect that privacy mainly by giving people certain rights over their personal data (including name, email or snail mail address, IP address when using the web, etc.). The protections cover things like the right to be told what information is collected and why, to see it, to get errors corrected, to have it deleted, or to say not to collect it any more.2 These are, for the most part, pretty much basic common-sense protections, and the keystone of all the provisions really is consent.

Third, figuring out how to make the protections work isn’t basic or common sense at all. The requirements of the GDPR are complicated and confusing, particularly to Americans. The regulation has 99 articles arranged in 11 chapters, and requires 173 recitals to explain them3 — and it’s still essentially impossible to figure out what has to be done to comply.

Fourth, until the rule is applied in real-world situations, nobody knows exactly how it’ll work or how it’ll be enforced. Fines can be up to 10 million Euro for a violation4 (or 2% of worldwide annual turnover if that’s higher, and double those figures for the most serious categories) — 10 million Euro is $11,723,500 at the currency rates in effect yesterday at 4 p.m.

So yeah this can be scary stuff, and it explains why a lot of web service and information providers (this one included) have been bombarding you with information about new policies and even new email sign-ups.

But at the same time, here’s an all-important point: genealogists with family websites, individual hobbyists with blogs and even professional genealogists or societies that hope to earn money from their web presence are not the main targets of the EU, and some aren’t covered by this rule at all.5

I’m not saying website owners, bloggers or societies should do nothing (“I was waiting to see what you were going to do about enforcement” isn’t much of a defense if push comes to shove) — but a panicked Chicken-Little reaction isn’t warranted. Taking a slow, steady, careful look at things and trying to do things right should count a whole lot in the long run.

For whatever guidance it may be for you, here’s what I did here at The Legal Genealogist:

1. Reviewed what kinds of data were collected by the website and its platform — WordPress — plus add-ons and plug-ins to see what might be covered by GDPR, what was really necessary and what could be stopped without impacting site security or the user experience.

2. Reviewed the security systems in use by the website, its platform, and its host, and upgraded to modern standards including moving to Hypertext Transfer Protocol Secure (HTTPS) from HTTP, a less secure web protocol.6

3. Ensured that the website’s privacy policy disclosed what data was collected, when-where-how it was kept, for what reason and with whom it might be shared (and why).7

4. Ensured that anyone coming to the website, including casual visitors, was alerted to the fact that this website, like all WordPress websites, uses cookies for some purposes. Accept cookies and everything works. Don’t accept cookies and you can read all the content but can’t do things like comment on a blog post.

5. Put tools in place to ensure that anybody who provides personally-identifying information (name, email, etc.) is alerted to the fact that it’s being collected and given a chance to say yes or no. So, for example, you can read any content including any blog post without disclosing your information; you can’t comment on a post without providing it.8

6. Determined that the consent-collection system in place for subscriptions to the blog by email did comply with the GDPR, but the processes used since the blog began years ago weren’t enough to prove it.

7. Put a new email system in place to ensure that every single person who gets the blog by email has the chance to say yes or no to receiving it in the future and, in the process, will create a record of the consent that does comply with the GDPR.

8. Bored the pants off of everybody all week explaining what was going on and what folks could expect to see.
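Item 7 above is the pattern usually called double opt-in: every address on the list gets a confirmation link, only a click on that link counts as consent, and the click is written down with enough detail to show later who agreed to what, when, and from where. The block below is an added example of that record-keeping in Python; it is not code from this website or from any email service provider. The secret value, the in-memory dictionary standing in for a database, the one-week link expiry, and the record field names are all assumptions made for the illustration.

```python
# Added example (not this website's code): a double opt-in consent record for a
# blog-by-email list. The secret, the dict used as a store, the link expiry and
# the record fields are assumptions chosen for illustration.
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: in a real deployment this comes from configuration, never source.
SITE_SECRET = b"replace-with-a-long-random-secret"
CONFIRM_WINDOW_SECONDS = 7 * 24 * 3600  # assumption: confirmation links last a week


def _iso(ts: int) -> str:
    """Render a Unix timestamp as an ISO-8601 UTC string for the record."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def make_confirm_token(email: str, purpose: str, issued_at: int) -> str:
    """HMAC-SHA256 over address, purpose and issue time. The confirmation link
    carries (email, purpose, issued_at, token); nobody without the secret can
    mint a token, so a forged or guessed 'yes' will not verify."""
    msg = f"{email.lower()}\n{purpose}\n{issued_at}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def verify_confirm_token(email: str, purpose: str, issued_at: int,
                         token: str, now: int) -> bool:
    """Reject expired links and anything not produced by make_confirm_token."""
    if now < issued_at or now - issued_at > CONFIRM_WINDOW_SECONDS:
        return False
    expected = make_confirm_token(email, purpose, issued_at)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def record_consent(store: dict, email: str, purpose: str, issued_at: int,
                   token: str, now: int, source: str, policy_version: str):
    """Write a consent record only after a valid click on the confirmation link.
    The record says what was asked, when it was asked, when it was confirmed,
    through which mailing, and under which privacy policy version."""
    if not verify_confirm_token(email, purpose, issued_at, token, now):
        return None
    record = {
        "email": email.lower(),
        "purpose": purpose,
        "status": "confirmed",
        "requested_at": _iso(issued_at),
        "confirmed_at": _iso(now),
        "source": source,
        "policy_version": policy_version,
    }
    store[email.lower()] = record
    return record


def withdraw_consent(store: dict, email: str, now: int) -> bool:
    """Withdrawal keeps the record (it shows consent once existed and when it
    ended) but marks it so the address is never mailed again."""
    record = store.get(email.lower())
    if record is None:
        return False
    record["status"] = "withdrawn"
    record["withdrawn_at"] = _iso(now)
    return True


def mailable(store: dict, email: str) -> bool:
    """Only a currently confirmed record permits sending."""
    record = store.get(email.lower())
    return record is not None and record["status"] == "confirmed"


def addresses_to_drop(store: dict, legacy_list) -> list:
    """After the re-confirmation mailing closes, every pre-existing subscriber
    who never clicked is dropped rather than carried over on unprovable consent."""
    return sorted(a.lower() for a in legacy_list if not mailable(store, a))
```

The token binds the address, the purpose and the issue time together, so a link sent for one list cannot be replayed to confirm another, and an old link stops working after the window closes. Keeping withdrawn records rather than deleting them is deliberate: the record of when someone said no is as much a part of the evidence as the record of when they said yes.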

I suspect that all of this may very well prove to be total overkill. One single free genealogy blog in the United States written by a blogger who’s trying to do what’s right really isn’t likely to attract the wrath of regulators even if I’m not doing every single thing right. But I do value your privacy… and my pocketbook… and so I am trying.

So, that’s it. That’s the end of this.

After today, NO. MORE. GDPR.

I promise.

Except maybe a little nudge occasionally if things start to go off the rails.

There is that minor little matter of that 10 million Euro fine after all… and we’re not at all sure about enforcement…



SOURCES

  1. See generally Danny Palmer, “What is GDPR? Everything you need to know about the new general data protection regulations,” ZDNet, posted 23 May 2018 (https://www.zdnet.com/ : accessed 24 May 2018).
  2. See generally “Individual rights,” Guide to the General Data Protection Regulation (GDPR), Information Commissioner’s Office (UK) (https://ico.org.uk/ : accessed 24 May 2018).
  3. For the complete text in English, see General Data Protection Regulation, Intersoft Consulting (https://gdpr-info.eu/ : accessed 22 May 2018).
  4. See e.g. GDPR Article 83(4).
  5. See GDPR Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”
  6. See generally “Why HTTPS for Everything?,” The HTTPS-Only Standard, Office of Federal Chief Information Officer (https://https.cio.gov/ : accessed 24 May 2018).
  7. See “Privacy Policy,” The Legal Genealogist, last updated 22 May 2018 (https://www.legalgenealogist.com : accessed 24 May 2018).
  8. That’s a major-league anti-spam feature, by the way. Anybody who isn’t willing to put his or her name and email address behind a comment has a very high likelihood of being a spammer… or an internet troll.