When GDPR comes into force, companies of all shapes and sizes will be required to take issues of data privacy and consent seriously – or face the consequences. Andrew Stellakis, managing director of Q2Q IT and certified GDPR practitioner, explores what small business owners can learn from Facebook’s recent data mishandlings.
For companies and individuals alike, time is precious. So, when it comes to such menial tasks as reading privacy policies, service agreements, T&Cs and other tedious small print, it would be easy to assume that end users are to blame if they rush through the process and grant consent for their details to be collected – only to regret it later.
But that’s not always the case.
Under the GDPR, companies that gather and process personal data will have an increased responsibility to the individuals whose information they hold. They must have a lawful basis, such as consent, for collecting it in the first place, be transparent about how it’s used and, where consent is that basis, provide the option for data subjects to withdraw it at any time.
Facebook’s recent revelations about how it intends to gather consent from its users can, therefore, be taken as an example of what not to do.
Facebook’s “commitment” to data transparency
On the surface, it seems that the social media giant wants to show that it’s turning over a new leaf after the Cambridge Analytica scandal – in which the data of more than 87m Facebook users is believed to have been compromised. In an apparent attempt to rebuild faith in its users, the company has therefore been announcing the various means by which it intends to improve its data processes on its blog – with one such post claiming that it’s “important to show people in black and white how our products work”.
Very true. But Facebook isn’t exactly practising what it’s preaching.
The firm has outlined that in the coming months, it will be asking all users to “make choices” about how their data is used – including whether they want their Facebook ads to be influenced by third-party data, what profile information they are happy for the company to use and share, and whether or not they want to enable face recognition technology.
In theory, so far so good. But in practice, things are more complicated.
The importance of explicit consent
The ICO’s guidance on the GDPR states that for explicit consent to count, a positive opt-in is required, a clear and specific statement of permission is needed and pre-ticked boxes or any other method of default agreement can’t be used. And this is where Facebook’s attempts at compliance become slightly shady.
Although no boxes are already ticked, there are subtle elements in the newly introduced “opt-in” processes that have been raising eyebrows – and seemingly blurring the line between GDPR compliance and non-compliance. The opting-in part is simple. There’s a big blue “accept and continue” button that when clicked or tapped, lets you carry on as you were.
However, in order to opt-out, there’s a less obvious, white “manage data settings” button, that requires you to navigate through to two subsequent pages before you can deny access to your personal data. Whilst not an outright breach of the GDPR, such a convoluted opt-out procedure is certainly not within the spirit of transparency that the legislation is intended to uphold.
What should small business owners be doing differently?
As data protection practices go, Facebook has been setting a brilliant example lately for how not to go about complying with the GDPR. So, what should small business owners take away from these high-profile slip-ups?
Firstly, be open with any individuals whose data you already hold – including employees, customers and anyone else – about how their data is being used. You should conduct an audit of all the personal data you have on your systems and document how this was obtained, why you hold it, how long you intend to keep it and the measures you’ve implemented to protect it.
Secondly, only store the minimum data required. Does Facebook really need access to your biometric data (via facial recognition) or other sensitive information (including your political and religious views)? Probably not.
Unless, of course, you also want them to be able to recognise you in your photos, your friends’ photos and – most worryingly – other people’s photos who you may not even know. So, ask yourself the same question when it comes to the data you have on file. This is one case where keeping extra details “just in case” isn’t the safest option.
Thirdly, when it comes to collecting individuals’ information, you should obtain their explicit consent to do so. Crucially, make it clear that they can opt-out of this agreement at any time and be sure to provide a straightforward way for them to do this.
For example, if it’s a mailing list that you’ve signed someone up to, ensure there’s a clear “unsubscribe” option to select. Don’t follow Facebook’s example of making it easy for individuals to provide consent, but convoluted to revoke it or to object to giving it in the first place. The GDPR states that withdrawing consent must be as easy as giving it, so at best that’s not in the spirit of the new law, and it may even be considered an outright breach.
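The consent points above (a positive opt-in, no default agreement, withdrawal that is as easy as opting in, and being able to show what was agreed and when) translate into a small amount of engineering. The following is an added illustration written for this page, not code from Q2Q IT or from Facebook: an append-only consent register where absence of a record means no consent, withdrawal is a single call, and the record of the policy text version and source of each decision can be produced later as evidence. The subject IDs, purposes and policy version strings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, kept forever so the history can be shown on request."""
    subject_id: str       # who made the decision
    purpose: str          # what the data is used for, e.g. "marketing_email"
    granted: bool         # True for an opt-in, False for a withdrawal
    policy_version: str   # exact version of the wording the subject saw ("" on withdrawal)
    source: str           # where the action came from, e.g. "signup_form", "unsubscribe_link"
    at: datetime


class ConsentRegister:
    """Append-only log; current consent state is derived from the log, never stored as a flag."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _now(at: Optional[datetime]) -> datetime:
        return at if at is not None else datetime.now(timezone.utc)

    def record_opt_in(self, subject_id: str, purpose: str, policy_version: str,
                      source: str, at: Optional[datetime] = None) -> ConsentEvent:
        # A positive opt-in must be tied to the specific statement the person agreed to;
        # refusing an empty version makes "pre-ticked" or implied consent impossible to log.
        if not policy_version:
            raise ValueError("opt-in must reference the policy text the subject saw")
        event = ConsentEvent(subject_id, purpose, True, policy_version, source, self._now(at))
        self._events.append(event)
        return event

    def record_withdrawal(self, subject_id: str, purpose: str, source: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal takes exactly one call and needs no policy version: nothing to agree to.
        event = ConsentEvent(subject_id, purpose, False, "", source, self._now(at))
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Consent as of `at` (default: now). No event at all means no consent."""
        cutoff = self._now(at)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= cutoff:
                latest = ev  # events are appended in time order, so the last match wins
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, in order, for a subject access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def send_marketing_email(register: ConsentRegister, subject_id: str) -> bool:
    """Gate the processing on live consent; return whether the mail would be sent."""
    if not register.has_consent(subject_id, "marketing_email"):
        return False
    # ... hand off to the mail system here ...
    return True


def demo() -> dict:
    """Walk through sign-up, a send, an unsubscribe and a second send on constructed data."""
    reg = ConsentRegister()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    before_any_action = send_marketing_email(reg, "alice")          # no record => no consent
    reg.record_opt_in("alice", "marketing_email", "privacy-policy-v3", "signup_form", at=t0)
    after_opt_in = send_marketing_email(reg, "alice")
    reg.record_withdrawal("alice", "marketing_email", "unsubscribe_link",
                          at=t0.replace(hour=10))
    after_withdrawal = send_marketing_email(reg, "alice")
    # Was consent valid at 09:30, when an earlier batch went out? Useful when answering a complaint.
    valid_at_0930 = reg.has_consent("alice", "marketing_email", at=t0.replace(minute=30))
    return {
        "before_any_action": before_any_action,
        "after_opt_in": after_opt_in,
        "after_withdrawal": after_withdrawal,
        "valid_at_0930": valid_at_0930,
        "events_on_file": len(reg.history("alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices do the compliance work here. Consent is never a boolean column that someone can set to `True` by default; it is derived from a log of decisions, so a person with no record is treated as having refused. And because every opt-in carries the version of the wording shown and the source of the action, the business can later show exactly what the person agreed to, which is what a regulator or a data subject will ask for.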
And finally, ensure the data you hold is properly protected. Don’t share it with other people unless you’ve explicitly been granted permission by the individual to do so. Make certain that you have effective security measures in place to safeguard it against a potential breach. And remember – the personal data your business uses is only ever borrowed, not yours to use as you please. The GDPR is all about respecting that fact.
Q2Q IT is an IT support specialist, providing monitored systems support and GDPR compliance assistance to SMEs across the North West of England.