Thank you very much. Excellent. It gives me great pleasure to introduce our next speaker, ladies and gentlemen. This is James Urban. James is the project administrator for the Clan Irwin DNA Project. He's done a huge amount of work on Y-DNA projects in the past and has presented on his own project at previous sessions of Genetic Genealogy Ireland. But he's also done a huge amount of work on GDPR and he has been instrumental in producing the interim draft guidelines for ISOGG in relation to GDPR. So it gives me great pleasure to introduce to you James Urban.
Thank you Morris. Is that too loud? I'm going to try that. It's a bit loud. How about that? Yeah, I love it. I'd love to see you all, a few old friends, some new faces. Before I forget, the most important thing, I need a bit of feedback from the audience. How many of you are the Clan Irwin DNA Project administrators? Fair. More than half. That's good. Because I'm aiming principally, the first half of my talk, to administrators. For those who aren't administrators, I hope I carry you as well. It's certainly not specifically. But I'm looking at it primarily from that point of view. I also have to make an apology. I only arrived yesterday afternoon at 3 o'clock. So I missed the two, the lecture and the panel discussion on this on Friday. But I did manage to watch Barbara's talk at half past six in my hotel bedroom in Perthshire yesterday morning. And I watched the panel discussion of Friday here in the Faith in the Hotel at 3 o'clock this morning. And I went to sleep again at 5 o'clock. I've got a good night of sleep. Would you just sleep? Well, I know it didn't. So I hope I can tune in. Unfortunately, I would have made some alterations in my talk. I think it dovetails fairly neatly into following on from those. I could have practically asked who was here on Friday for Barbara's presentation and most good. So this will be a follow on, a little bit of catch up, but basically taking the debate a bit further on.
So let's get cracking. I'm principally going to talk about GDPR and the interim guidance that Morris has mentioned very much from the genetic genealogy point of view. And then Morris has asked me to spend the second half of my talk on some of the wider issues that were touched on Friday, taking that a step further on. So the two fit together quite neatly, but the first bit is primarily on the genetic genealogy bit. The second bit is on the wider issues and in particular, the forensic side of it, which I've had to do some homework on and I think I can contribute a bit. So I think the first thing we have to digest is that there's all sorts of different types of DNA databases and I wouldn't claim that this is the only way of analyzing them. It is original because I couldn't find anybody else that had done it before. Certainly different ways of doing it, but the way these different types of DNA databases are handled is important. We've got to understand the difference. Direct consumer tests, it's a bit of jargon that you have to use, but this is where the public pay and you actually pay to do something. The paternity tests were the first on the map. France has banned them for some time and Germany has recently banned them as well earlier this year. I'd love to know the reason why Germany has banned them. Is this political, something to do with the EU, or is it something that's grown from the Second World War and so forth, but no idea. Then the one we're all familiar with, ancestry and adoptions to some extent. And here, even before GDPR, all the companies selling kits had done a lot to protect privacy. And they've had to re-examine it and so forth, but GDPR didn't come out of the blue. And then there's the health, that word health and the road research should be a little to the left. Morris has different databases, but you can spend a lot of money, particularly 23andMe, for example.
You pay to find out whether you've got a 5% chance of getting leukemia or whatever it is. And Morris and I, they've been to a presentation where the woman stood up, and tested, and we saw her personal chance of getting every disease you ever heard of. And she'd put herself in public display, which I thought was pretty brave. But it's a completely different world, but it's the same sort of, same basis. And then the medical side, I've discovered this from somewhere, Morris persuaded me into, we're all 100% behind DNA databases if it helps with our health, if we've got any kind of cancer, DNA, there's no need to ask our consent. Why didn't they get on with it even before asking our consent? Whereas if it's medical research, that's a bit different. Is my family's DNA going to be used for some esoteric thing? It's a bit like body parts. What the DNA database is used for, it depends very much on how it was collected and so forth. Then there's the more innocent things like ancient DNA and military remains, quite legitimate, but they do raise privacy issues. And then the forensic applications I'll talk on a bit more at length. And then Morris has introduced, quite logically, the mandatory things that Kuwait tried with, Kuwait Government tried to introduce legislation that every Kuwaiti and every visitor to Kuwait had their DNA taken and it failed. China's doing it, not all of China, I gather, just one province, it may come to all of China, but the UK tried it, Tony Blair decided it'd be a good idea from an anti-terrorism point of view that every Brit would have his DNA taken and it was just killed at birth, but it was a non-starter. I'm not suggesting that it won't come. If it does come, it'll come through the back door. It won't come through legislation saying everybody in this western country, France or UK or Ireland, will be mandatorily tested. I don't think that'll happen. We may end up all being tested, but that's different.
So problems across the board and they all need different answers. There are two ways of coming to the answer and this is sort of my conclusion but I'm putting it in the front so you can see where I'm going. There's legislation that governments are good at and there's codes of practice and this is the point I want to hammer home today, the codes of practice route. They're not mandatory, they're not necessarily effective. It's like the highway code. We all know what the highway code is. It tells you roughly how fast you should go. It doesn't prevent accidents, it doesn't mean that we all adhere to it, but at least there's a set of rules that quite adhere to the highway code. You're not necessarily either involved in an accident or a criminal, but it's a behavior sort of guidance and this can be done at the international level and the national level and in America and Germany in particular at the state level as well. So you can have this whole matrix of different inputs to what the regimes can be. I'll come back to that. Right, now I'm going to start off with this one. It's a very esoteric thing. I never heard of it until I started doing the homework but two years ago, UNCTAD, the United Nations Conference on Trade and Development, came up with this set of regulations on data protection and if you look at them, not bad. What's wrong with any of that? It's all common sense. I think we'd all say I could live with all of that. This is the United Nations. It's the sort of middle of the road, the principles and once you look at GDPR and all that. So legislators, they live in their own world. They like to follow footsteps that other people are doing and politicians may say I'm not going to follow that precedent but the civil servants love being conformist and fitting into a mould and a big sort of establishment and this is the sort of thing that's in the background. We're not aware of it. I certainly wasn't aware of it.
I've never heard of anybody talking about it but we're going. And the other thing that preceded GDPR, which I'll come to next, is these genetic genealogy standards which were brought up in 2015 in America. 12 of them were wonderful, Barbara would have been on it, that sort of person, plus perhaps, and they came up with a pretty robust set of guidance for handling privacy issues. It's only three pages. I've listened to it these days but it's now history, and in fact it's interesting that ISOGG did advocate, FTDNA did have it in the previous terms and conditions that you had to comply with it, and they dropped it. Not because it's anything wrong with it but I think it's been overtaken by events. This isn't criticism but it's an example at the other end of the spectrum in one country, so you've got everything from the United Nations at one end right down to an American set of 12 individuals drawing attention to the problem, and then Brussels comes along and comes up with this thing. Sorry, I've gone the wrong way, haven't I? Here we are. This GDPR, which I had never heard of this time a year ago. Is Gerard here? There he is at the front. He said, James, haven't you heard the GDPR? I don't know what the hell it stood for. GDP is gross domestic product, and that's the way I remember it. And then had an hour at the end and in general they are, oh god, you know. And then I looked at it when I went home and it is a nightmare. There it is, there's that much. It's just bureaucracy gone mad. So if you're apprehensive that I'm going to tell you this is a good thing, to stop worrying. On the other hand I can't ignore it. It's that middle road I'm going to try and get over to you. So what is it? It applies in 28 different countries including the UK, and going down a bit, even if the UK leaves Brexit, we've shot ourselves in the foot in the UK, it will still apply, so we can leave the politics behind.
The objective is quite worthy, is to protect the EU citizens, their private data. Absolutely marvellous concept. And it has been enforced for five months, four months, and, a bit like Y2K, those of you who remember Y2K, the end of the term of the huge apprehension about the world is going to come to an end, anti-climax. And that's what GDPR has been. Not that it was a storm in the teacup, it wasn't a teacup, but it was significant, but the preparation was put in. And to the best of my knowledge I'm not aware of any formal complaint, any formal data breach that has occurred anywhere in Europe in the last five months. And I thought there might be some malicious ones, with some nasty people out there causing trouble, but we haven't even had those so far as I'm aware. If anybody is aware of an incident, an official incident of the GDPR, I'd love to hear about it. You are? The influence of GDPR resulted in Facebook, indirect consequence is enormous. I'll come to that. So it's in force now. It's a funny bit of legislation. A lot of the stuff that comes out of Brussels, forgive the slang, the paperwork that is produced by the leaders in Brussels, it comes out as directives and it has to go through the national parliament before it comes to law. GDPR isn't like that. It came into force regardless for all 28 countries on the 25th of May, and Ireland was very sensible, they said that's the end of it. Dáil, is it?
Dáil didn't have to even discuss it, it's now Irish law. That's not true? I stand corrected in that case. But it went through the rubber stamping thing, it was a page or two long, that sort of thing? I stand corrected in that case. I'm not an expert, I'm just preaching half a jump ahead of you, but I imagine it was just two or three pages and a little bit about the implementation. Thick? Oh right, OK. Well, the other end, perhaps about the UK. The UK one makes that look like a kindergarten thing. The UK one is about much over twice as thick and it is impenetrable to read. It's written by civil servants who have kept themselves a job for lifetime, because it all refers to subsection C paragraph D, do this, and if this applies, subsection 42 paragraph 14, and if that doesn't apply then you go to regulation 4 part 6 part 3. Oh my god. If you've got it online it's not too bad, but if you've got it hard copied it really is hopeless, and it doesn't, at the end of the day it doesn't add anything to the genetic genealogy problems. So you've got all this lot of paper, and in fact we're lucky, we're even more complicated. So we've got 88 pages. It's divided into recitals and articles, so that's the recitals and that's the articles. It's a bit of jargon, and you'll see that I've got superscripts and subscripts so you can actually, not today, but if you wanted to, you can refer to what I'm talking about. Now the first thing is that it's primarily, primary attention is to focus on individuals, admins or companies or Facebook or everything, the rights of the individual. That's what it's basically about, and it's basically good news. It gives you 7 statutory rights. All of us here, if we live in the European Union, we have these rights by statute law. They're not common law, they're not paragraph 42 of something that was done here and all of this. This is now the law right across. So it's got to be transparent, law for all the rest of it. So it's critical, we'll come to later on in the talk where consent isn't involved, but it's got to
be, each person has the right to withhold consent and, if they've given consent, to withdraw it. Absolutely fundamental. And there's all sorts of small print about the consent: right to be informed, right to access, rectification, the right to be forgotten. So if you want to get out, your whole paper trail or electronic trail has got to be, well, we all know perfectly well you can't rewrite what's gone on the web. It's there forever more. And there's a, there's a Google page I find recently, way back, so if you want to know what Facebook was saying two years ago on something, there's a fair chance you can go and find it, even a man in the street. You don't need to get into the dark web or anything to find it, it's there. Everything that's on the web is there in perpetuity, almost certainly, perhaps not literally, but so you can't kill it. So there's a conflict in the reality and the law. I'll come back to that in a few minutes. And the most important one is the right to complain direct to the supervisory authority. So if I as a private member of a genetic project group don't like the admin and I'm all causing trouble, I just write a two-liner to the ICO in London. In theory, I don't think it would happen in practice, but in theory the ICO would write to me and ask me to explain myself as a...
sorry, write the project admin and ask them to explain themselves. So it's a nasty tool. It hasn't been used, and I think people got more common sense than Kevin's, but in theory, even if you're storing the DNA, you're caught by this new regulation. Some people interpret it differently, I'll come to that in a minute. Now, Morris has asked me to put this one in, that's why I've stumbled a bit. In addition to all the things that we're talking about, the statutory rights, if you're really worried that you can do other things. The companies have done a fair number of things, the most important which of course is to give you a number, a kit number, instead of your name, so your results are posted publicly but without your name or your email address. And you can ask your project admin, or as an admin you don't share email addresses. There is a convenience that the matches include the email address. Administrator, you can say, well, that means all those matches, I can put them in touch with each other. And I personally have never done that, and I've said, if you want to talk to one of your matches, do it through me and I'll forward the email rather than give the email address. And of course you can do what many admins do, not do any more than what FTDNA give you, not go to public. My project, I do go public. I take on a lot more risks. Now I'm learning to live with it and manage it, and I'll come back to that in a minute. But it doesn't stop it, but it's one way of extra purpose. And as an individual you can not tick these boxes FTDNA give you about sharing, about access of the administrators to your data. Many of us use our kit number as our password to get into our FTDNA page. I think it's by default, is it? Yeah. But you don't have to do that, you can change it. And of course if you are using a kit number and somebody really wants to dig into your page, it's the obvious place to start. You can use a false name. I've got some people in my project, they've deliberately given a false name. I don't think I know
their true name but they've given a false name. Or another one is, I've got quite a few people in my project that use my email address on the FTDNA data bank. I wanted their DNA, they didn't want to reveal their email address to FTDNA, so it goes through me, so I'm their contact point. I could abuse that, but they trust me, and having taken that trust then I'm not going to, in no way am I going to tell anybody that I'm doing it rather than cursesly, but I certainly don't give them the email address. Like the chief of the clan, for example, he doesn't want 15 people ringing him up saying, you know, I think I'm your 14th cousin. So that all goes through me and they get pushed back. I want to see your family tree, and they send it, and I say, well, if you go back there I can show you exactly where you've gone wrong, it's another fable that you've all inherited, you thought it was Gospel of the rubbish. And the other one you can do is to not join GEDCOM or GEDmatch. And I personally don't use GEDCOM or GEDmatch, but I've got nothing against them, and we've heard how terrifically advantageous they can be in a societal sense in the forensic application, but if you're really worried then don't go down that route. It's a step you can take. Now the definitions are, this is where it gets tricky, because GDPR tries very hard to be very specific but it fails miserably in the objective. So what is personal data? Well, it's the data that relates to the project member in our case. And the first thing is it doesn't apply to dead people. It says this categorically, GDPR does not apply to dead people. So all our family trees, provided you get rid of the bottom line metaphorically, that's all fine, it's not covered by GDPR, which means a lot of our genealogical stuff is fine. On the other hand, if you are running a one name study that's done a lot of bottom up research and the key on living people, it's a bit more than difficult. What is genetic data? Well, it's not quite clear, but they do, they are very worried about
genetic data. They call it the special category and they've got in theory an extra layer of concern about it. But it's, the wording is sort of, face value it's okay, but when you go into it it's a bit iffy. When you get on to the physiology, it's an awful word, something like that? You can read it and it wasn't clear, but that's all that is giving the kit number in practice, and FTDNA have confirmed that that's what they interpreted it as. So we've got round all that already before GDPR came along, so there's nothing new in that. Processing, this is the tricky one. Processing includes the storage of data, so everything you have on your laptop, even if you don't give it to anybody, you are processing the personal data of somebody, if he lives in the European Union, who comes under this. So even if you don't use it, you are actually caught. Some exceptions we'll come to in a second, but that's where you start from. And then the processing may be done by one of three groups, controllers, and they're FTDNA and MyHeritage are obviously controllers. Processors, which is very vague, but one of the bits I picked that was your contractors are the controller, and we don't have a formal contract, so I think we wriggle out there, but it's a bit iffy. And then the third party is, what an awful term, but it says under the direct authority of the controller. And if you read the new terms and conditions of FTDNA, they say admins are under their direct authority to run their projects. So the wording is now back to back. That doesn't mean the lawyers would buy it, but at least prima facie. There is a link there that we can hang on that. And it's back to back. And then there's this business about consent freely given and do you really understand it? And this morning we heard of an example that, you know, it's not just your consent, you're not just committing yourself, but it's your whole family because they're sharing your DNA. And are you authorised to speak on their behalf?
If you've got a troublesome brother, you know, should you ask him before you do it? It's a very grey area. And then the supervisory authority, that's just jargon for the government agency in the country you live in. So it's all going to be translated. The applicability to administrators, there's the extra territorial thing. It applies right around the world. So if you're an American member of a, no, if you're an American administrator of a project and you have European members, which of course is the vast majority of FTDNA's projects, then in theory GDPR applies. How they would enforce it, we don't know. There is a case, apparently, I learnt of the UK government, the ICO was the UK supervisory authority, is now trying to fine an American company for a breach on something, nothing to do with genetics, something in the medical field. They've imposed a fine, but whether the American company will choose to pay the fine and what the British authority will do if they don't pay, we don't know. It's a very complex area. And in particular DNA they're worried about and the consent sort of thing, but there are exceptions and one of them is in the small print says GDPR doesn't apply in the course activities involved by an individual in purely personal household activities with no connection to a commercial authority. Now there's two ways of interpreting that and we don't know which is right and which isn't. And in fact I'm sure if you asked any authority they wouldn't know either. But does it mean we shouldn't be processing data when we're charging the customers, our members for money? Of course we're not doing that. One or two people get on the fringe of it, Morris. You charge people occasionally for the work you do. For professionals. Yeah, yeah, but then you can't, you obviously do have a commercial involvement and you can't declare excuse.
On the other hand, I interpret it in a more precautionary way that all the consents that we as administrators are working from arise from a commercial activity between FTDA, FTDNA and its customer. Now that's an ultra cautious interpretation and in fact the practical answer, it doesn't make any difference. But I would rather not incur the risk of me being wrong on that and assuming I can put two fingers to the whole thing to put it crudely and in excess because I'm not suggesting people take that interpret and treat it that way. But there's a gray area that we won't get clarity on for years. And it will depend on each individual project. So one project will be in one camp and another project will be another depending on how deep they are. And the Irish government may decide they're going to interpret it this way and the German government may interpret it that way. So there's a huge quagmire ahead if we are not respectful of the underlying principles. This is a complicated table, I won't show you, but there's five different ways you can interpret these things and the red boxes is the ones we want to avoid. Joint controller and processor, FTDNA would have to be party to a legal contract with us as administrators and I can't see them touching that with a barge pole. So to go down that route is difficult. If we say we're controllers, we're wholly of them bow even more cautious than I am. And sometimes I am being a controller, then you take on a whole role of extra responsibilities and you're going to be in, can I say deep shit, but you're liable to be in more trouble. So one of the first two and in fact, you'll see the small print of what you have to comply with. When you go for the first one and second one, it doesn't make a lot of difference. It would be nice to know which category you're in.
But in practice, provided you adhere to the few things you have to do as a third party, it's not very different to what you do if you decided you had no commercial involvement. Well, I've gone Facebook. I think Facebook is rather thick on our skin, not to be worried about the likes of me. Now the sanctions if you go wrong, compensation. So if you're caught under this and you're found guilty in inverted commas, you're liable for making good all the damages you cause, they could be extensive. For a project administrator, probably pretty negligible. But of course, for your Facebook, they could be and on top of that, 4% of your total worldwide turnover. Now this is what worried Ancestry and FTDNA. This is why we have layers and layers and layers of small print. Now in our relationship with these testing companies, they've got to protect themselves against a 4% of the world turnover. It is scary. For them, it is very real. And it took FTDNA some time for the penny to drop just the extent of their potential exposure. I don't think in practice, they'd ever get anywhere near that. They're not stupid. The authorities aren't going to be that zealous. But the threat is there. And then there's something called penalties, which arise in the case of a disproportionate burden on a natural person. Now, in family history, a natural person, I was brought up in Scotland, that's a legitimate person. But here it is you and me, a natural person is a human and individual that lives in the EU. And we're liable to get a referendum. This is UK language, not GDPR language, a reprimand or a corrective order. In other words, you're at school, you misbehave, you get a rap on the knuckles and a bit of detention and don't do it again. And that's the world we're living in in practice. I think if things go wrong, if you're sensible, if you say, I don't think the law applies to me, they'll start ratcheting up.
But if you can show you've gone along with it, this is the sort of thank you we're going to get. The ICO website, and I thank Debbie for this, you really carefully, they've got a very extensive website. They're very keen on a soft approach. They're word in carrot and stick. They're a lot of carrot. Please conform with the law. Please be sensible and all the rest of it. That's what they're effectively saying. If you're silly, we'll jump on you. It turns out I think the resources for jumping are getting fairly, it's anecdotal, but I hear a lot of their staff left because they get better salaries with commercial companies as data protection officer than they're paid to be a policeman in the ICO. How true that is, I don't know. I have to be careful how I put it. But there is an element of that. It's like the speed cameras with no film in them. I think there's an element of that. But I don't want to trust that. I want to keep within the speed limit roughly. I'm not aware of any sanctions arriving in the last five months. So it was a storm in a teacup, but it was a real teacup. It wasn't an imaginary teacup. If you do get in trouble, I am happy to try to help privately, but it could be. It's going to be the, I gather if you write to ICO and ask for some help on a technical issue, it's two months before you get a reply. The short staff, they've got to think of the precedents they set. They've got to go through the lawyers before they reply. So a dialogue is going to take years to sort out. And you're going to live with this every time you go to bed. And it's the post tomorrow morning going to worry me. That's the sort of threat that I'm worried about. Unfortunately in America, and I'm generalising, they've taken a different view because when you interpret the law in America, you look at the letter of what is said. You don't look at the spirit behind it, what the objective was so much. And if you look at it in an American context, then this really is scary.
And that's why we've seen some pretty herculean consequences. So looking at it from an ISOGG point of view, four things we had to do as members of ISOGG to help Catherine, we have a look at ISOGG's, its own exposure. And that was largely in the American issue. And eventually I left it to Catherine's American advisors to look after that. I think it's been done probably satisfactorily. I put a lot of pressure, we put a lot of pressure on FTDNA to get on with it. They were a bit slow on the uptake. To minimise from our point of view the risk of complaints, because it's the complaints and the data breaches that will trigger consequences. And if they could do anything to minimise themselves getting in trouble, it would be to our benefit. It's not my job to write their small print, far from it. Even though there's a little bit of that as well. But that's by the by. And then for individual members of course we've got to respect their rights. ISOGG has got to say. But for the project administrators caught in some of this grey area, I felt and put together a study group of whom most of the members are here. Gerard, Debbie, Morris, Catherine and we've got a couple of others who should come to my mind immediately. But we put together a little working group and came up with some guidance. And that's what I'm going to talk about now. I'm already running out of time. Let's crack on. So we put this group together. We published in March, which was a bit far on the hand. It's a sort of middle-of-the-road approach. It's on the web. It hasn't come under any criticism. One or two private questions, but it's survived four months without any criticisms. It's been endorsed by FTDNA and we didn't ask for their support but they volunteered to endorse it. It complies with the best practices thing I'll be talking about in a minute. And it's now gone six months without criticism. That doesn't mean we've got it right, but it suggests we haven't got it completely wrong.
So it comprises this interim guidance and it's very well that it was worded interim guidance because it'll be, I thought it would take a few weeks. It's actually going to take several months before we can move to something beyond the interim. We've got to digest the consequence a bit more. The list of don'ts, I'll go through the list of do's, a privacy statement, and then actions in case of things going wrong. And if you have a public website then there's some additional precautions you have to take as well. So the don'ts. Now the first four there I'm not going to go through. We wouldn't do them at any rate that they're supplied before GDPR. Nothing new there. But now if we do get a query from a member, if you're going to be in the side of the angels we've got to reply within a month. Now it's pretty easy isn't it? But of course on the other hand if you're going to six-week holiday and you haven't sort of delegated this to your admin, it's getting a bit gray, but I'm not going to sleep over that. But this is the sort of thing that you begin to have to worry about a little bit. One thing I had to do, I've got a database and I had all my email addresses alongside the same database as all my DNA data. The kit number in the middle was the leak. Now if I pressed the wrong button I could transmit that to all my members and that of course was a risk. But thank God I never got caught on but I sometimes sweated over it. Now I keep them separately so I don't accidentally broadcast all my members' email addresses to everybody else. And that's a sensible caution. It's a bit inconvenient from the way I was but that's the sort of practical thing that hints fairly clearly that you shouldn't do. And if they ask to be removed from your project then you got to remove the data. I'll come back to how you interpret that in a minute. And just bear in mind that what you may have worked out what you think is right and proper now, but in six months time it may be history.
These things aren't standing still. There will be precedents that come up that we may have to react to. What you do do, again there's some fairly obvious things, it's not very difficult, but you should tell your members what they are holding, why you're holding them. And you can do this in a woolly way just saying I'm doing, I'm holding your data so I can apply with the goals of the project. It's a sort of circular argument, but you don't have to reinvent the wheel and spend a mountain about it, spend them up and make a mountain out of a molehill. You've got to keep it up to date and so forth. Your database should have password protection, common sense. Most of us have it built in at any rate. So if you leave your laptop lying around downstairs and somebody picks it up and spots your emails, I'll get that one. And there's no password, you've been negligent. If your password is Johnny123, you've not been quite so negligent. If it's five digits long or five miles long, you've been very careful. But of course we live in the real world and we all forget our passwords. So just common sense applies. But the big thing is, and this I would stress, every project admin now should have a privacy statement. It doesn't have to be very long, it doesn't have to be very detailed, but if you do get caught, you can say, this is my privacy statement. When I wrote it, it was the best I could think of. I tried to adhere to it and I'm sure the authorities will then say, if you're caught in a complaint, OK, well, that was what you did then. Now you'll think about this. So you're taking a step in the right direction. It's an insurance policy, minimum premium. This is an example of a second edition, that this is a slightly better one than what appears on the web. I'm very happy you take photographs of it. I've now used that one on my private website. It's a bit more sophisticated in detail than the ones in the interim guidance.
And when we come to a next generation, elements of that will be in the next one. I'm not going to go through it, but it's just reiterating what was in the first two previous slides. But the point is, it's an undertaking by you as the administrator and your co-admins that you will do this, and it's signed off by you and your co-admins with your name and email address and their email and address. And they've got to buy into that before you publish it. It's the undertaking, it's the contract you make with your members. So conceptually it's very important. The detail is much less important, but you should be tackling that sort of issue. Now I'm going to digress a little bit. It's a personal hobbyhorse of mine. I run a public, a secondary website to use FTDNA's wording, and I've now got to take very careful extra precautions because I publish all my members' data. And they've got a tick that I've got to make sure that the box is ticked, opt into sharing. Now if you look at my website at the minute, I haven't quite got there, but in a few weeks' time I will have got there. It's a very difficult level to achieve. But the benefits of doing this are much greater than I'd appreciated. I run a big project, the small, not particularly prominent surname. I've never understood how I got so many members because I don't go proactively recruiting them. I now realise the reason I've got so many members is there's a fully public website integrated in my discussion of how it works and all this process. It's not dependent on the FTDNA format and navigation or a split, and it's much more transparent. And I think that's how it succeeded. But it's high in today's environment, it's high risk. And I think if Mike Milligan was here, he'd say James, be very careful. So the swings and roundabouts coming back to underlying premise is the compromise between accessibility and privacy. And if you don't want to go down this route, that's absolutely fine. 
But I am still determined to go down this route. And we'll see in five years' time whether I was justified. But it takes a lot more work and you've got to update it regularly. I've always done both. Now, if things go wrong, there's three things that can go wrong under GDPR, a complaint, somebody in our context, a member complains against you as administrator, or they can ask for data, or you can make a mistake. Like I get a potential example, you can publish all your email addresses, your member's email address, or you can lose your laptop, or it can be stolen. That's a data breach. You know, somebody will spend the time, they're going to crack it and get into all the data. Now, if that happens and you've called yourself a controller, you've got to tell your supervisory authority within 72 hours, you've lost your laptop. Anybody who volunteers to be a controller has opened the noose for that pitfall. You lose your laptop, you're going to be in administrative trouble at least. So to me, calling yourself a controller is mad. If you're an American lawyer, you come up with a different answer. How can you wriggle out of it? You are proactively playing with data the way you do it, the way I do it. But thankfully, I don't think that's what's going to apply in Europe. That's where we have a dichotomy. I mean, if you're an American lawyer on the defense side, of course, you'll argue the opposite. So it's not every American lawyer would argue that, but that's the level they look at it. I think in Europe, we take a slightly more benign approach to it. So this is why I'm much keener on the third party interpretation, which actually doesn't address these problems in the first place. So if the law doesn't address it, you didn't worry. Right. What's going to happen in the future? ICO, the UK Supervisory Authority, have promised us a newsletter on DNA and studentization. They've just done one on exemptions and frankly, oh, I mean, what an anti-climax. 
There's four pages of waffle. They've just re-quoted GDPR backwards, forwards, inside, upside down at a sort of even sub-university level. A high school student could have written the thing. It is pathetic. I want air. But it doesn't do it. In other words, if you ask for guidance, you're not going to get it. And I'm going to skip the rest of it. You've read it. I want to get on to the next bit and I'm running way behind it. This one, the first line I gather, is wrong. Thank you very much for your correction. UK, I think I've talked about this. Germany, much more stringent. And the USA, they're coming up with a completely different interpretation. Okay, what happened elsewhere? Now, if you can read that first paragraph, it's thanks to our chairman, but these are some of the casualties of GDPR already. We've lost Ysearch, we've lost Mitosearch, we've lost access to journals. I even hear at the back this morning that you can no longer get the New York Times online in Ireland. I wasn't aware of that, but this is one of the consequences of GDPR. It's way over the top. That was never the intention of anybody in Brussels for that sort of thing to happen. But that's the way the ultra-cautious have interpreted it, the other side of the Atlantic. Not every newspaper, I suspect, but that's the way it appears, New York Times and several others have done it. Most of the companies came up with new material. Maurice, I'm going to run for half past, if you don't mind. That's okay. Yeah, that gives me enough in 10 minutes, but I'm still going to rattle on. And particularly GEDCOM and GEDmatch have tightened up their procedures considerably because they are actually more exposed because they're sharing data in a more public forum than the testing companies. So they've all upped their ante with small print. James, what do you mean by GEDCOM? Yeah, I was wondering that. So DNAGedcom? Sorry? What's GEDCOM? GEDCOM is when you share your ancestry trees, isn't it? 
Yeah, but GEDCOM is the file, but it's not a company. But it's got a website that has a privacy statement, isn't it? That's DNAGedcom. Sorry, I meant DNAGedcom. Beg your pardon. Sorry, no, I do mean DNA. I'm not familiar with that activity. That's why I've got it slightly wrong. Thank you for pointing that out, Debbie. Another mistake. Fair enough. Good point. Now, there's a think tank in Washington, advocacy, or we here would call it another word, we use another word for advocacy. It's got membership of a lot of big companies. So, you know, what is it? Is it really worth it? Facebook are members and Ancestry and 23andMe? Not FTDNA. I suspect because they just haven't got the resources to indulge in this sort of thing and it's in Washington and they're in Houston. It's probably something like that. But they've come out with a 19-page document, the Code of Practice, which is actually, when you look at it, it's very good. It's quite recent. It only came out in July, which is sort of, you know, way post FTDNA, but it takes account of FTDNA. And they are saying, for example, that all these companies are signed up to Code of Practice, that the data shouldn't be shared for purposes other than that it was collected. Now, you can immediately snigger and say some of these big companies are not abiding by that at all. But the senior management has said that's where they want to go. And that's surely a step in the right direction. But it's a Code of Practice. So, of course, you can. Everybody can break Code of Practice. It's only pointing in the direction. The other technical thing is that they've come up with this question of deletion. I think it's very interesting. They're recognizing on paper that when somebody wants to leave a project, you can delete them from the current paper. You can stop researching them. But it's saying you can't get rid of the paper trail completely. What you must do is prevent access to it. 
So you don't have to destroy all your old backup files and hard drives that you kept somewhere when you ditched your old computer, because technically it's too difficult. Now, this is only their interpretation. But it's the most intelligent interpretation of this right to be forgotten that I've seen. And if it ever comes up, I think we can say, well, if that's what all these companies are saying, why do you expect little me to do more? Right, going on a bit from the genetic genealogy to the wider issues. Yesterday, the day before yesterday, these were my summary of the two tests that Maurice introduced before the discussion on Friday. I put them into two halves, the police ones and then the other ones. And you'll see that all of them are the exception of nonviolent crime, a way over 50%. So the good will for let's restrict data, most of the population is saying this is a good idea. Another example of this, and this isn't a poll, but this is what is actually happening on actually in the context of some other aspects that we haven't been talking about within America. 15% of the American states prohibit discrimination in long-term care insurance. And if you go through the list right up to health insurance, 94% of the states have laws saying that, for example, our genetic genealogy, DNA, can't be used for health insurance purposes. And that's the actual law. But the discrepancies between state by state is considerable. So we can't say American states prohibit this or don't prohibit that. They're all different. And the matrix of it all isn't clear. And I'm sure in a year's time those numbers will all change as they all try to play catch-up and all the rest of it. There's also GINA in America, which I think is federal level, is it? Yes, and this example is just looking at a few at state level. Federal level is even more fuzzy. They've got some laws, but they haven't got others, I think. GDPR, on the other hand, is very clear. 
You cannot use under GDPR law in Europe. Data cannot, personal data, cannot be used for the purpose other than which it was connected, collected without consent or if the legal, if the police come along, there's that data. That's what I want to come on to next. So I've talked about the ones in orange and red. And you can see in black there are other ones I could talk about. I'm not going to spend the time on it. It's a real fog of different regulations and codes of practice. But what I wanted to get over with this slide is that there's an awful lot of work being done. So when Donna made the point on Friday, she didn't know what the law was, what the policy was. Of course she did. None of us have got our finger on that thought. And even with quite a bit of homework, I wouldn't claim to be a master of it. It's a very complex thing. But it's not nothing. A lot of work is being done to try and coordinate these things. All right, going into the forensic, there's another initiative that's been taken. This one is much bigger by various sort of mid-level organizations in the top line to address the imbalance between, and this is in the forensic side now I'm moving on to, between individual rights and law enforcement. And they deliberately state there's a middle ground between on the one hand the needs of the criminal regime to protect ourselves as citizens and the other the private rights. And they produced this code of practice from which I've got this slide. That's why I put it first. You can see the world is already pretty well covered by legislation on the use of forensic, use of DNA data forensic databases. Got China down here as planning. China by 2017 was well past the planning stage. India wasn't even mentioned, but India in fact is in there as well. So there's a huge amount going on already. The growth of forensic databases, here you can see what is happening in China. 
But the point I want to bring out here, it took the UK, the blue one at the bottom, they took a dip in 2013. It's almost been lost, but this is when it was decided by the law case that the police couldn't keep databases for cases that were dead. If you'd been convicted and you'd served a sentence, I'm not sure it's more print, but if there's no reason to keep the data, the police had to destroy it. They were loath to destroy it, and they didn't destroy very much by the look of it, but that's the reason for the dip, and it's creaking back up again. But those curves are gonna go on rising no matter what the legislators say, I'm sure. So the FGPI, whatever it stood for, I've already forgotten. So the 110 page report, it really is superb. It is, if you're interested in the subject, this is the Bible, I think. It's a response to the public concern. They've monitored 132 countries, and they've come up with examples of good practices from all these countries I've listed. Even Russia, they find an example of good practice. Now, whether the Russians follow good practice, given recent political developments is a different matter, but they have actually got legislation through the Russian Duma that protects individuals, it's just a small example. So this thing has picked out what the angels should do if they're drafting forensic rules for forensic application in a country. And civil servants love this sort of thing. You've got to get into the framework of their mentality. If other people are doing it and it looks right, they'll do it as well. So there's a lot going on in the right direction. This is my last slide, apart from the summary. This is some of the questions that you can get. If you ask these questions, some of the answers. Like who should collect the data for a forensic? And it actually says it shouldn't be the police. It should be a specialist agency. Now, in America and UK, to tell the police that they're not trustworthy enough to collect DNA isn't going to wash. 
But if you're in some of the African countries where the reputation of the police is zero, DNA is going to take the thing backwards. So this is quite an altruistic set of things. But some of the questions we've been asking, you would ask, there are some answers that they're beginning to identify the best practice to follow. I'm not suggesting that every country will adopt these in two years, or even 10 years. And even if they're adopted, they will be observed. But the idea of getting a middle ground that is explicit and spelt out in some detail, the work is already going on. So this was to try and give you some reassurance of the questions that were coming up in the seminar on Friday. But in fact, answers are in the pipeline. I'm not suggesting that it's all going to happen and sort itself out tomorrow or anything like that. But at least work is being done at a high level to resolve the conflict between what we want as private individuals and what we want as citizens that are going to be protected by the police. Summary, in other words, basically on the genetic side, we want something in the middle of the road. We've got to pay respect GDPR, but we need to go over the top. It's turned out to be a big anti-climax. We see the side effects every day. We go on the web, are you going to click these cookies? That's GDPR. But for us as geneticists, provided we're sensible and have a privacy statement, it's really turned out to be a non-event. On the forensic side, it is expanding rapidly. We're quite right to be worried, but I think the legislative progress is probably going to be roughly in the right direction. There'll be exceptions, of course, in every regime. They're not going to all get it right first time, but the momentum is in that direction. Thank you very much for your attention. Great. Thank you very much, Tim. 
Well, I think it's very reassuring that we have somebody like you who's able to go through all of this information and come up with this type of reassuring message. I'm sure there's going to be questions for James, but I'm going to hold them back for the panel discussion that follows now. So we're going to take a five-minute break and then we're going to come back for a panel discussion that looks at DNA privacy and data protection in general and, most importantly, how you, as an individual, can optimize your privacy and data protection when you're dealing with recreational DNA testing and the commercial companies that we all test with. So take a five-minute break, but before that, please give James a very big thank you for an excellent presentation. Thank you. Thank you. Thank you for the stipulations three minutes ago. Well, I'm not a halfway through it. That was a bit classic. Yes. Well, I know. I thought it was, that's what we're seeing. I thought it was important that you know where you stood. Well, yeah. We haven't talked about it. I had that...