How GDPR Will Affect Your Interactions with Facebook
Facebook is the perfect marketplace to enable small businesses to interact with their customers and target new ones. Unfortunately, this usually necessitates the sharing of information, and if this is personal data related to European citizens then it falls under the remit of GDPR. In order to make sure your company is compliant with all aspects of GDPR it is essential to know who is responsible for that data, and this means identifying the data controller and data processor.
What is the Difference Between a Data Controller and Data Processor?
A data controller is a person or company that determines what data will be retained and how it will be processed. The data processor can be a separate entity that processes the data on behalf of the data controller. It is the data controller that is largely governed by the GDPR rules, and it is the controller that must be sure it has a legal basis for collecting any personal information, such as valid GDPR-compliant consent, a contractual necessity for holding the data, or a legitimate interest in it.
During your interactions with Facebook, it is important to know whether you or Facebook is the data controller, so that it is clear who is responsible for the legal implications. Facebook itself is currently making all of its processes fully GDPR compliant, so it is up to you to make sure your company is also compliant in the situations where that is required of you.
In most cases, Facebook will be acting as the data controller, for example when an interaction takes place within Facebook itself or within its own apps such as Instagram, Oculus, or WhatsApp. In this case, Facebook and its partners take all the responsibility for complying with GDPR, and all information concerning this is available in their privacy policies.
However, there are situations where Facebook will be acting simply as a data processor for you, and in these cases, you will need to be aware of your responsibilities. This will arise when they are processing your data on your behalf, for example with Custom Audiences, Analytics for measurement, and Workplace Premium. In any situation where you send personal data to Facebook that they then process, you will be the data controller and must have a legal basis for holding whatever information you are sending.
Transfer of Data Outside the EU
As Facebook is an American company, any data you send to it may be transferred outside the European Union. GDPR generally prohibits such transfers except in specific cases where an adequate level of protection is guaranteed for the data sent, so that the rights of European individuals remain secure under the new regulations. Facebook, however, holds a Privacy Shield certification, which is one of the accreditations that GDPR accepts, meaning that any data you send to Facebook is still protected as strongly as data held within the Union.
In summary, Facebook will make sure they are fully compliant with GDPR in the cases where they are the data controller, but when you send any data you hold on EU citizens to them for advertisement purposes or any other reason, it is up to you to make sure you are fully compliant yourself and have a legally valid reason for holding and processing sensitive information.
For more information about how Facebook is working towards being compliant with GDPR, this document explains their procedure along with some FAQs.