In light of Mark Zuckerberg’s appearance in front of Congress last week, Business Insider reported that Zuckerberg’s personal notes had the following reminder:
“Don't say we already do what GDPR requires.”
That was sound advice, because Facebook, like many organizations, does not appear ready to demonstrate GDPR compliance. But what improvements should Facebook users expect to see in their privacy if the social networking giant does become compliant with GDPR? Let’s take a look.
According to the Transparency Principle of GDPR, Facebook users will be reminded of the following:
A positive to come out of the recent scrutiny of Facebook’s operations is that it has prompted the company to tell new users to check their privacy options when they open the Facebook Messenger app. This is a step in the right direction.
Under GDPR, organizations need to justify their use of a user’s data, meaning that they must rely on one of the six lawful bases in Article 6 before processing any type of personal data. A Facebook user will see the effects of this in areas such as the following:
Internet Cookies: Facebook will be required to notify the user about the use of information stored in a Facebook cookie, and to obtain the user’s consent before tracking them through cookies. The consent and the related notice will then be recorded together with a timestamp indicating when the user opted in, so that Facebook can later demonstrate that consent was given.
Record Deletion: People who want to stop using Facebook will be able to request that all of their information be erased (the “right to be forgotten” in Article 17). This means Facebook will be required to remove the user’s information from its storage systems, regardless of where and in how many locations it is stored, and to inform any third parties with whom it has shared the data so that they erase it as well. Note that erasure is not unconditional: GDPR allows data to be retained where another legal obligation requires it.
Data Portability: Facebook users will gain the right to receive a copy of their data in a structured, commonly used, machine-readable format so that it can be moved to a rival service, which is not possible today. According to Business Insider, Facebook stands to lose an estimated $2.8 billion once it offers the data portability that GDPR mandates.
In conclusion, all organizations dealing with the personal data of EU residents are advised to perform a risk assessment against the GDPR requirements and understand their gaps. At a minimum, such assessments should be conducted with both legal aspects and security requirements in mind.
Furthermore, the fallout from the Facebook scandal will very likely lead to new privacy rules in the United States. Any company that handles user data for sales or marketing purposes, including analytics on customers or consumers, should therefore perform a privacy gap assessment to understand its risks and have an appropriate remediation plan ready to address the issues and avoid a Facebook-like situation.
Online’s GDPR Assessment and Remediation Program is designed around three critical activities: interpretation and application of GDPR by our in-house legal counsel and security experts, assessment of personal data processing security and privacy posture, and the development of a prioritized remediation strategy and roadmap. You can learn more about GDPR by downloading our service overview below or checking out our last blog on the topic here.