The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. This post takes a look at these regulations and what they mean for you. It also explores the steps Workplace has been taking to get ready for the change.
Workplace and GDPR Compliance
GDPR expands current data protection law and also adds some new requirements. Most of GDPR’s requirements fall on data controllers. This is the organization or party that decides the ‘purposes’ and ‘means’ of any processing of personal data.
Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. In Workplace Standard, Facebook is the data controller and is responsible for the processing of Workplace Standard users’ data.
Facebook and Workplace comply with all data protection laws that apply to us. Where applicable, we’ll adapt our existing practices to align with GDPR. We’re also dedicated to helping our Workplace Premium customers meet their obligations.
Safeguards and Contractual Commitments
We understand that GDPR requires Workplace Premium customers to engage data processors with appropriate safeguards to ensure an appropriate level of protection for personal data.
We’ve been working with our product, design and engineering teams to make sure our products will comply with the GDPR rules. This includes making sure our contractual commitments allow customers to demonstrate their compliance. We’ll be updating our agreements to provide the undertakings required from data processors under GDPR.
GDPR requires Workplace Premium customers to engage data processors who can provide an appropriate level of security to meet the requirements set out in the new regulations. The safety of the personal data we process for our customers is of the utmost importance to us. We undergo regular security audits and Workplace Premium is ISO 27001 certified.
We also invest in systems to make sure we can identify threats to data security when we process data for Workplace Premium customers. In the unlikely event of a relevant incident, we’ll notify and assist customers. For more information, see here.
Facebook, Inc. has certified under the EU-US Privacy Shield Framework. This means companies will be able to rely on the Privacy Shield Framework to meet EU data transfer requirements when they use Workplace Premium.
Facebook, Inc. in the US makes various commitments under the Privacy Shield Framework to legitimize data transfers from the EEA to the US. You can find more information about Facebook’s participation in the Privacy Shield Framework here.
Q: Does GDPR apply to me?
GDPR applies to all EU data subjects, and so will apply to all companies and organizations who have EU citizens as part of their business or organization. GDPR will apply to all companies processing the personal data of subjects residing in the European Union, regardless of the company’s location.
Q: Will you be updating the Enterprise Agreement for compliance with GDPR?
Yes, we’ll be updating the agreement with a data processing addendum to provide the necessary undertakings a data processor must provide to a data controller under GDPR under Article 28(3). We’ll be notifying all Premium customers of this update in advance of May 2018. We’ll not be entering into any separate data processing agreements.
Q: Under GDPR, do you foresee any changes or restrictions in the way companies can use the Workplace platform?
No, companies will be able to continue using Workplace as they currently do, without any interruption. We’ll make sure our contractual commitments allow customers to demonstrate their compliance with GDPR. And we’ll be updating our agreements to provide the undertakings required from data processors.
Q: What tools are you going to offer Workplace Premium companies, as data controllers, to comply with our GDPR obligations?
The data processing addendum will ensure that you can continue to use Workplace in compliance with GDPR by providing the undertakings which we, as the data processor, must provide you with under Article 28(3). In relation to user rights specifically, you as the data controller are responsible for compliance with your GDPR obligations. We offer company Admins various tools to meet your obligations in relation to GDPR, for example:
- Access: Admins can use the Workplace APIs to provide access to the personal data held about any user, should you receive a subject access request, and to port this data if required.
- Deletion: Admins can request deletion of any user’s account, which will delete the personal information held about that user in Workplace, including their profile and all content posted and comments made.
Q: How can I implement my employee’s right to be forgotten in Workplace?
A person’s right to be forgotten is not a new GDPR concept. It’s currently required under existing data protection law. A user has the right, at any time, to request the data controller to delete their personal data, a right which is now detailed in Article 17 of GDPR. It’s up to the data controller to understand what grounds they have for continuing to process such data (if any) after this request or to delete the data. Admins are able to request deletion of a user’s account at any time. This will delete the personal information held about that user in Workplace. And it will include their profile and all content posted and comments made.
Q: Does Facebook have a Data Protection Officer?
Yes, Facebook will be appointing a DPO, and we will confirm this appointment and contact details when available.
Q: Are Workplace servers located in the EU?
We have data centers across the world, including the US, the EU and Singapore. We have certified Workplace Premium under Privacy Shield for the required data transfers outside of the EU (as noted in the Enterprise Agreement terms and Privacy Shield Certification). Security and data privacy are principal concerns of Workplace, as noted and explained in our information on Security on Workplace and in the Trust Center.
Q: Will Facebook enter into joint DPIAs or help us in completing ours?
We are not able to enter into joint DPIAs with any clients, but we’re happy to provide you with any information you may need in order to complete your DPIAs accurately. We have a lot of information about Workplace available in our Help pages here, including information on Security on Workplace, and our Enterprise Agreement contains additional details about the data we’re processing and our Privacy Shield Certification.
Q: How does GDPR affect Multi-Company Groups?
Multi-company Groups (MCGs) live outside of all instances. Subject to applicable local laws, MCG members are free to agree upon the ownership of data in that MCG. Users can remove themselves from an MCG but their data stays in the MCG unless they delete their account. For more information on MCGs see here.