What lessons on consent can SMEs learn from Facebook’s mistakes?


Under the General Data Protection Regulation (GDPR), all companies will be required to take issues of data privacy and consent seriously – or face the consequences. Andrew Stellakis, pictured above, managing director of Q2Q IT and certified GDPR practitioner, explores what SME owners can learn from Facebook’s recent data mishandlings.

When it comes to fulfilling the heightened data privacy responsibilities of the GDPR, Facebook’s latest revelations about how it intends to gather consent from its users can be taken as an example of what not to do.

Following the Cambridge Analytica scandal – in which the data of more than 87m Facebook users is believed to have been compromised – the social media company announced various means by which it intends to give users greater control over how their data is used. These include whether they want their Facebook ads to be influenced by third-party data, what profile information they are happy for the company to use and share, and whether or not they want to enable face recognition technology.

Yet when it comes to the actual process of consent, Facebook's attempt at compliance is questionable. Opting in is simple – a big blue "accept and continue" button that, when clicked or tapped, lets you carry on as you were. Opting out, however, sits behind a less obvious white "manage data settings" button, and you must then work through two further pages before you can deny access to your personal data. The two choices are presented with deliberately unequal prominence and effort.

Whilst not an outright breach of the GDPR, such a convoluted opt-out procedure is certainly not within the spirit of transparency that the legislation is intended to uphold – and the GDPR does state that withdrawing consent must be as easy as giving it.

So, what can SME owners learn from the data privacy example that Facebook has set?

  1. Be transparent – Ensure any individuals whose data you already hold know how it is being used. Conduct an audit of all the sensitive information on your systems and document how it was obtained, how long you intend to keep it and the measures you have implemented to protect it.
  2. Only store the minimum data required – Does Facebook really need access to your biometric data via facial recognition? Probably not. But it enables you to be identified in your own photos, in your friends' photos and – most worryingly – in photos posted by people you may not even know. Biometric data is also a special category of personal data under the GDPR, which demands a stronger justification before it is collected at all. So, ask yourself the same question about the data you have on file. This is one case where keeping extra details "just in case" isn't the safest option: data you never collect can never be breached.
  3. Obtain explicit consent – When collecting personal data from individuals, make it clear that they can withdraw consent at any time and provide a straightforward way for them to do so. Don't follow Facebook's example of making it easy for individuals to give consent but convoluted to withdraw it, or to object to giving it in the first place.
  4. Protect all personal data properly – Don't share it unless the individual has explicitly granted you permission to do so, and ensure you have effective security measures in place to safeguard it against a potential breach. Remember – the personal data your business uses is only ever borrowed, not yours to use as you please. The GDPR is all about respecting that fact.

Q2Q IT is an IT support specialist, providing monitored systems support and GDPR compliance assistance to SMEs across the North West of England.