You’ve probably heard about GDPR compliance by now, but do you know what it means or how it works with certain platforms? The General Data Protection Regulation (GDPR) is a new framework that will strengthen and unify data protection for individuals within the European Union (EU). It goes into effect next month, with a deadline on May 25, and will alter the way Workplace by Facebook is regulated.
Now you might be asking yourself, does GDPR apply to me? GDPR applies to all EU data subjects, so it will apply to all companies processing personal data of subjects residing in the EU, regardless of the company’s location. While most of GDPR’s principles build on existing regulations already in place in the EU, GDPR also places new requirements on companies.
Continue reading to see the steps Workplace by Facebook is taking to get ready for the change.
Workplace and GDPR
Workplace is ready to comply with all data protection laws that apply to them. They will adapt their existing practices to align with GDPR and ensure that Workplace Premium customers meet their obligations.
Most of GDPR’s requirements fall on data controllers: a person or party that determines the purposes for which, and the manner in which, any personal data is to be processed. Workplace Premium customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. In Workplace Standard, Facebook is the data controller and is responsible for the processing of Workplace Standard users’ data.
The data processing addendum will ensure that you can continue to use Workplace in compliance with GDPR by providing the undertakings which Workplace, as the data processor, must provide you with under Article 28(3). In relation to user rights specifically, you as the data controller are responsible for compliance with your GDPR obligations. Workplace offers company Admins various tools to meet obligations in relation to GDPR:
- Access: Admins are able to use the Workplace APIs to provide access to personal data held about any user, should you receive a subject access request, and to port this data if required.
- Deletion: Admins are able to request deletion of any user’s account, which will delete the personal information held about that user in Workplace, including their profile, all content posted and all comments made.
Data Security and Transfers
GDPR requires Workplace Premium customers to engage data processors who can provide an appropriate level of security to meet the requirements set out in the new regulations. The safety of the personal data Workplace processes for customers is of the utmost importance. They undergo regular security audits and Workplace Premium is ISO 27001 certified. Workplace also invests in systems to make sure they can identify threats to data security when they process data for Workplace Premium customers.
Facebook, Inc. is certified under the EU-US Privacy Shield Framework. This means companies will be able to rely on the Privacy Shield Framework to meet EU data transfer requirements when they use Workplace Premium. Facebook, Inc. in the US makes various commitments under the Privacy Shield Framework to legitimize data transfers from the EEA to the US.
Using the Workplace Platform
Companies will be able to continue using Workplace as they currently do, without any interruption. Contractual commitments allow customers to demonstrate their compliance with GDPR, and Workplace by Facebook will be updating their agreements to provide the undertakings required from data processors.
Multi-company Groups (MCGs) live outside of all instances. Subject to applicable local laws, MCG members are free to agree upon the ownership of data in that MCG. Users can remove themselves from an MCG, but their data stays in the MCG unless they delete their account.
Workplace by Facebook is serious about GDPR and security. Are you ready to give your employees the best enterprise social platform to collaborate and stay secure? To learn more, please contact us.