23 April 2018

What data privacy lessons can business owners take from Facebook’s blunders?

Companies will be required to take issues of data privacy and consent seriously when GDPR comes into force.
When GDPR comes into force, companies of all shapes and sizes will be required to take issues of data privacy and consent seriously or face the consequences. Andrew Stellakis, managing director of Q2Q IT and certified GDPR practitioner, explores what small business owners can learn from Facebook’s recent data mishandlings.

For companies and individuals alike, time is precious. So, when it comes to such menial tasks as reading privacy policies, service agreements, T&Cs and other tedious small print, it would be easy to assume that end users are to blame if they rush through the process and grant consent for their details to be collected only to regret it later.

But that’s not always the case.

Under the GDPR, companies that gather and process personal data will have an increased responsibility to the individuals whose information they hold. They must have consent to collect it in the first place, be transparent about how it’s used and provide the option for data subjects to withdraw consent at any time.

Facebook’s recent revelations about how it intends to gather consent from its users can, therefore, be taken as an example of what not to do.

Facebook’s ‘commitment’ to data transparency

On the surface, it seems that the social media giant wants to show that it’s turning over a new leaf after the Cambridge Analytica scandal, in which the data of more than 87m Facebook users is believed to have been compromised. In an apparent attempt to rebuild faith among its users, the company has therefore been announcing on its blog the various means by which it intends to improve its data processes, with one such post claiming that ‘it’s important to show people in black and white how our products work’.

Very true. But Facebook isn’t exactly practising what it’s preaching.

The firm has outlined that in the coming months it will be asking all users to make ‘choices’ about how their data is used, including whether they want their Facebook ads to be influenced by third-party data, what profile information they are happy for the company to use and share, and whether or not they want to enable face recognition technology.

In theory, so far so good. But in practice, things are more complicated.

The importance of explicit consent

The ICO’s guidance on the GDPR states that for explicit consent to count, a positive opt-in is required, a clear and specific statement of permission is needed and pre-ticked boxes or any other method of default agreement can’t be used. And this is where Facebook’s attempts at compliance become slightly shady.

Although no boxes are already ticked, there are subtle elements in the newly introduced ‘opt-in’ processes that have been raising eyebrows and seemingly blurring the line between GDPR compliance and non-compliance. The opting-in part is simple. There’s a big blue ‘accept and continue’ button that, when clicked or tapped, lets you carry on as you were.

However, in order to opt out, there’s a less obvious, white ‘manage data settings’ button that requires you to navigate through two subsequent pages before you can deny access to your personal data. Whilst not an outright breach of the GDPR, such a convoluted opt-out procedure is certainly not within the spirit of transparency that the legislation is intended to uphold.

What should small business owners be doing differently?

As data protection practices go, Facebook has been setting a brilliant example lately for how not to go about complying with the GDPR. So, what should small business owners take away from these high-profile slip-ups?

Firstly, be open with any individuals whose data you already hold (including employees, customers and anyone else) about how their data is being used. You should conduct an audit of all the sensitive information you have on your systems and document how it was obtained, how long you intend to keep it and the measures you’ve implemented to protect it.

Secondly, only store the minimum data required. Does Facebook really need access to your biometric data (via facial recognition) or other sensitive information (including your political and religious views)? Probably not.
