A promise…
This is it.
Today is the end of this.
After today, NO. MORE. GDPR.
Today, The Legal Genealogist will outline what’s been done at this website to try to be ready for today’s effective date of the European Union’s new General Data Protection Regulation, as a recap for readers — and maybe future regulators.
It’s also for whatever benefit it might provide to genealogists or genealogical societies that have a web presence and maybe aren’t quite as far along on the GDPR compliance path.
This isn’t intended as legal advice. For one thing, I don’t maintain a current law license, so any legal advice I gave would have me in hot water for practicing law without a license — not to mention the fact that I never did practice in the European Union — EU, for short — and its entire legal structure is utterly baffling.
And I’m not even 100% sure what I did here is good enough to meet all the steps for GDPR compliance. It’s just the best I can figure out to do.
So take this with a grain of salt, or maybe even the whole salt lick, and if you have remaining concerns, talk to a licensed attorney who does understand EU law. Got that?
Here goes…
First, a recap. The GDPR is an EU data protection and privacy rule developed over a period of years. First published in 2016, and taking effect today, it’s designed to protect the interests and privacy of EU citizens particularly with respect to data collected and stored by organizations, groups, and websites.[1]
Second, it aims to protect that privacy mainly by giving people certain rights over their personally-identifying information (including name, email or snail mail address, IP address when using the web, etc.). The protections cover things like the right to say what information is collected, to get errors corrected, or to say not to collect it any more.[2] These are, for the most part, pretty much basic common-sense protections and the keystone of all the provisions really is consent.
Third, figuring out how to make the protections work isn’t basic or common sense at all. The requirements of the GDPR are complicated and confusing, particularly to Americans. The regulation has 99 articles arranged in 11 chapters, and requires 173 recitals to explain them[3] — and it’s still essentially impossible to figure out what has to be done to comply.
Fourth, until the rule is applied in real-world situations, nobody knows exactly how it’ll work or how it’ll be enforced. Fines can be up to 10 million Euro for a violation[4] — that’s $11,723,500 at the currency rates in effect yesterday at 4 p.m.
So yeah this can be scary stuff, and it explains why a lot of web service and information providers (this one included) have been bombarding you with information about new policies and even new email sign-ups.
But at the same time, here’s an all-important point: genealogists with family websites, individual hobbyists with blogs and even professional genealogists or societies that hope to earn money from their web presence are not the main targets of the EU, and some aren’t covered by this rule at all.[5]
I’m not saying website owners, bloggers or societies should do nothing (“I was waiting to see what you were going to do about enforcement” isn’t much of a defense if push comes to shove) — but a panicked Chicken-Little reaction isn’t warranted. Taking a slow, steady, careful look at things and trying to do things right should count a whole lot in the long run.
For whatever guidance it may be for you, here’s what I did here at The Legal Genealogist:
1. Reviewed what kinds of data were collected by the website and its platform — WordPress — plus add-ons and plug-ins to see what might be covered by GDPR, what was really necessary and what could be stopped without impacting site security or the user experience.
2. Reviewed the security systems in use by the website, its platform, and its host, and upgraded to modern standards including moving to Hyper Text Transfer Protocol Secure (HTTPS) from HTTP, a less secure web protocol.[6]
3. Ensured that the website’s privacy policy disclosed what data was collected, when-where-how it was kept, for what reason and with whom it might be shared (and why).[7]
4. Ensured that anyone coming to the website, including casual visitors, was alerted to the fact that this website, like all WordPress websites, uses cookies for some purposes. Accept cookies and everything works. Don’t accept cookies and you can read all the content but can’t do things like comment on a blog post.
5. Put tools in place to ensure that anybody who provides personally-identifying information (name, email, etc.) is alerted to the fact that it’s being collected and given a chance to say yes or no. So, for example, you can read any content including any blog post without disclosing your information; you can’t comment on a post without providing it.[8]
6. Determined that the consent-collection system in place for subscriptions to the blog by email did comply with the GDPR, but the processes used since the blog began years ago weren’t enough to prove it.
7. Put a new email system in place to ensure that every single person who gets the blog by email has the chance to say yes or no to receiving it in the future and, in the process, will create a record of the consent that does comply with the GDPR.
8. Bored the pants off of everybody all week explaining what was going on and what folks could expect to see.
I suspect that all of this may very well prove to be total overkill. One single free genealogy blog in the United States written by a blogger who’s trying to do what’s right really isn’t likely to attract the wrath of regulators even if I’m not doing every single thing right. But I do value your privacy… and my pocketbook… and so I am trying.
So, that’s it. That’s the end of this.
After today, NO. MORE. GDPR.
I promise.
Except maybe a little nudge occasionally if things start to go off the rails.
There is that minor little matter of that 10 million Euro fine after all… and we’re not at all sure about enforcement…
SOURCES
1. See generally Danny Palmer, “What is GDPR? Everything you need to know about the new general data protection regulations,” ZDNet, posted 23 May 2018 (https://www.zdnet.com/ : accessed 24 May 2018).
2. See generally “Individual rights,” Guide to the General Data Protection Regulation (GDPR), Information Commissioner’s Office (UK) (https://ico.org.uk/ : accessed 24 May 2018).
3. For the complete text in English, see General Data Protection Regulation, Intersoft Consulting (https://gdpr-info.eu/ : accessed 22 May 2018).
4. See e.g. GDPR Article 83(4).
5. See GDPR Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”
6. See generally “Why HTTPS for Everything?,” The HTTPS-Only Standard, Office of Federal Chief Information Officer (https://https.cio.gov/ : accessed 24 May 2018).
7. See “Privacy Policy,” The Legal Genealogist, last updated 22 May 2018 (https://www.legalgenealogist.com : accessed 24 May 2018).
8. That’s a major-league anti-spam feature, by the way. Anybody who isn’t willing to put his or her name and email address behind a comment has a very high likelihood of being a spammer… or an internet troll.
Thanks, Judy. Very informative. I just googled “GDPR” and the first article that comes up is “Google and Facebook hit with serious GDPR complaints”. That took no time at all… Why am I not surprised?
Number 8 did not apply to me. I’ve been obsessed with this #webmastersnightmare.
I think the score is now 8,462 bored – 1 not. 🙂
Though this process has had some challenges it has allowed our Society to take a good look at what data we have and how we manage it, access it, process it and who has access to information. We are in way better shape than we were 60 days ago and there is further work needed but I am thankful for those who have assisted and adapted to the changes.
Good going!! We all need to be more cognizant of data protection issues… and better stewards of data given to us. If this serves as a wake-up call to do just that, it’ll end up being a good thing. No matter how much we’ve whined in the meantime…
Bye, bye phone books. I have hundreds upon hundreds of city directories shelved in my library so I presume I will need to keep my library under lock.
Presumably the phone books only include people who chose to have listed phone numbers. So you can keep those… 🙂
So for us casual bloggers using WordPress, what do we really need to do? That’s me, I have a blog but I don’t really post to it that often right now but I’m planning on it. I don’t want to be out of compliance, as I don’t have $11mil+, let alone $11k, for the fine. Thanks in advance for any and all advice.
Theresina
I’m afraid I really really meant it when I said I can’t advise people how to comply with the GDPR. I can only tell you what I did, step by step, and that in my personal-non-legal-genealogist-to-genealogist-you-can’t-sue-me-if-I’m-wrong opinion, steps 1-5 in that order are what everybody should be doing as soon as they reasonably can, without going into Chicken-Little mode. And read footnote 5 if your blog is strictly as a hobbyist (in which case I’d still do steps 1-3 as a matter of good practice).
I read what our ICO in the UK wrote about fines and I think for individuals classed as small business they would work with them first. Fines are there to ensure those companies making money from using personal data comply and let individuals know what they are doing with their personal data. I also read that many of the emails bombarding inboxes recently were not needed as consent had already been given previously. The best bit is the need to be more transparent, which will be of benefit to everyone, not just EU citizens.
Your ICO in the UK said email consents had to have been collected using a system that met the GDPR and folks should refresh them if not (and, IMO, if they couldn’t prove that the system used met the GDPR). Since many folks like me who started blogging years ago had no clue this sort of proof might be required, we don’t have a choice.
“….figuring out how to make the protections work isn’t basic or common sense at all…..” How funny.
I’m sitting here listening to BBC Radio on-line and just heard a discussion between one of their presenters and an expert. The presenter (no dummy by any means) admitted to being somewhat confused by all the consent notices, why they were necessary, and why some asked you to click, “Yes, keep me on your list,” while others asked you to click, “No, don’t drop me from your list.”
The expert started her response by saying, “That’s because ‘consent’ in the regulations doesn’t mean what you think it means.”
Incidentally, she also said that statements coming from the regulators indicated that when it came to small businesses like the average mom and pop who seemed to have made a good faith attempt at compliance, they would more likely try to help them get into compliance before prosecuting them. It’s the big data aggregators and organizations like Facebook that have been busy monetizing the personal information they are collecting while riding roughshod over consumers who they won’t even allow to see the information collected on them.
I’m not really worried about regulators from the UK. I’m a lot more concerned with some of the … um … more marginal member states of the EU.
If only our Australian prosecutors were the same for other issues. They know the little guy will not fight back, and the big companies will rapidly exhaust their government funding for litigation, so they go for the little guys, hoping they will scare the big fish into compliance. And building case law to use against those bigger fish.
Small mom and pop businesses where? Your comment seems to suggest that the EU has jurisdiction here in the US regarding small firms who do not interact with or conduct any business with any individual or firm within the EU. It seems to me that they have no jurisdiction over, for example, the small local firm who just installed a new HVAC system in my home here in Small Town USA. I’ve read the recitals and they are sufficiently vague to create honest misunderstanding by those attempting to comply, as well as abuse of authority by the EU regulators.
No, the regulation only applies to those who interact with or conduct business with people in the EU. Like those who happen to be (a) residents of the EU and (b) visitors to just about any website or blog that collects data (often by way of ordinary elements of WordPress or Blogger or the like) from even casual readers.
Hi, Suzanne: If you’re talking about the reference to small businesses in my post, I apologize for creating a misunderstanding. Obviously, the EU regs do not apply to local shopkeepers here in the US who don’t do any kind of business with people abroad.
I was comparing the perspective of two people discussing the same issue on a public affairs program being broadcast from a studio in Scotland with what Judy was saying in her article and assumed without thinking (never a good idea) that everyone would automatically recognize BBC Radio as one of the UK radio stations owned by the massive British Broadcasting Corporation that people in other countries can listen to on line via live-streaming.
The participants were talking about local mom and pop shopkeepers in the UK who have apparently been freaking out because they’re worried they’ll have to trash their customer contact lists or face these big fines. The US didn’t even come into the discussion.
Judy if you’re confused, there is not much hope for the rest of us.
🙂
I have a personal genealogy web site. I collect no information on the web. I share information people send me by email. As far as I can tell from what I have read I don’t fall under the GDPR. Am I wrong?
I’m afraid I really really meant it when I said I can’t advise people about legal compliance with the GDPR. I can only tell you that, in my personal-non-legal-genealogist-to-genealogist-you-can’t-sue-me-if-I’m-wrong opinion, (a) most websites collect some personal information (if for example they allow comments or use Google Analytics or almost anything else) but (b) you really should read GDPR Recital 18: “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”
Thank you so much Judy for your words of wisdom, albeit non-legal-advice. The whole business is quite baffling. I’ve put notices etc on two of my blogs and two more today especially since they have particular relevance to two EU countries. I can only hope I’ve done okay.
In my personal-non-legal-genealogist-to-genealogist-you-can’t-sue-me-if-I’m-wrong opinion 🙂 — anybody who makes a good faith effort is not gonna get slammed here. Most genealogists aren’t ever going to show up on the regulators’ radar.
This is a great list of action items, but there are two more that I would add:
9) If there is no real need for EU users to access your site, block access from EU IP addresses. Most web application firewalls (WAF) allow you to do geographic blocking in their paid versions, and though it is not 100% accurate, it will reduce exposure both from compliance and security perspectives.
Based upon the scanning that I see on my sites, I expect that there will be blackmail scams based upon GDPR compliance within a couple of months.
If you don’t have a WAF (Wordfence is the one I’ve used for WordPress sites and Akeeba is a common choice for Joomla sites) you really should install one for security reasons. Reducing the exposure to a data breach is always a good thing.
10) Review the compliance of the analytics provider you use and verify that your settings have been updated for GDPR if necessary. For Google Analytics this is probably pretty easy, but for other analytics providers, it may be more involved. In most cases, this is mainly an exercise in making sure that your privacy policy references the analytics tools that you use.
I consider it a real mistake to simply block off a part of the world from my reach.
I absolutely agree that some sites (yours included) are global resources and that it would be tragic to restrict access. I make the suggestion for bloggers who are considering taking sites down completely; in that case, the alternative of blocking access from some geographic areas may not be the worst alternative.
Oh I agree absolutely that if the choice is between no information and some limits on information, some limits make sense.