In light of Mark Zuckerberg’s appearance in front of Congress last week, Business Insider reported that Zuckerberg’s personal notes had the following reminder:
“Don't say we already do what GDPR requires.”
That was sound advice because Facebook, like many organizations, does not appear ready to demonstrate GDPR compliance. But what improvements should Facebook users expect to see to their privacy if the social networking giant does become compliant with GDPR? Let’s take a look.
The Transparency Principle
According to the Transparency Principle of GDPR, Facebook users will be reminded of the following:
- Their privacy options and rights
- The categories of personal data being processed
- For what purpose their personal data is being processed
- How and with whom their personal data is being shared
- Explanations of any user profiling
- Warnings about any risk to their privacy arising from Facebook’s processing
- Rules and safeguards in place in relation to data processing
A positive to come out of the recent scrutiny of Facebook’s operations is that it has prompted the company to notify new users to check their privacy options when they access the Facebook Messenger app. This is a step in the right direction.
Justified Use of Data
With GDPR, organizations need to justify their use of a user’s data, meaning that they need to rely on one of the six legal bases to be able to process any type of personal data. A Facebook user will receive notification of this through one of the following:
- A consent request to opt in, which would also inform users how Facebook would use their data, including for analytical purposes.
- Facebook’s privacy notice, which would remind users that the processing of their personal data is required for them to use Facebook’s services.
- In certain scenarios Facebook might be able to rely on the users’ legitimate interest as the legal basis for processing. This would require conducting a Legitimate Interest Assessment, also known as a balancing test.
Rights of the User
Internet Cookies: Facebook will be required to notify the user about the use of information stored in a Facebook cookie. The user would also be asked to provide explicit consent to be tracked by cookies. The consent and the related notice will then be saved with a timestamp indicating when the user agreed to opt in.
Record Deletion: People who want to stop using Facebook will have the choice to opt out and have all of their information forgotten. This means Facebook will be required to remove every trace of the user’s information from its storage systems, regardless of where, and in how many locations (including third-party systems), it is stored.
Data Portability: Facebook users will now be able to request a copy of their data so it can be ported to a rival service. This is not possible today. According to Business Insider, Facebook stands to lose an estimated $2.8 billion once it offers data portability to its users as mandated by GDPR.
- The GDPR introduces incentives for companies that use pseudonymization and anonymization techniques to de-identify personal data. While this won’t be required, Facebook could mitigate the risk of future leaks by using these techniques.
- It is also clear that, as of today, Facebook’s privileged access model does not follow the principle of least privilege. With proper GDPR-compliant access controls, and other appropriate organizational and technological measures in place, fears of future leaks would also be allayed.
In conclusion, all organizations dealing with the personal data of EU residents are advised to perform a risk assessment against the GDPR requirements and understand their gaps. At a minimum, such assessments should be conducted with both legal aspects and security requirements in mind.
Furthermore, the fallout from the Facebook situation will very likely lead to new privacy rules in the United States. Therefore, any company dealing with users as customers or consumers for the purpose of sales and/or marketing, including conducting analytics, should perform a privacy gap assessment to understand its risks and be equipped with an appropriate remediation plan to address the issues and avoid a Facebook-like situation.
Online’s GDPR Assessment and Remediation Program is designed around three critical activities: interpretation and application of GDPR by our in-house legal counsel and security experts, assessment of personal data processing security and privacy posture, and the development of a prioritized remediation strategy and roadmap. You can learn more about GDPR by downloading our service overview below or checking out our last blog on the topic here.