- 1 What is GDPR?
- 2 The Data Controller vs the Data Processor
- 3 5 Things You Must Do to Become GDPR-Compliant
- 4 To Sum Up
On 25 May 2018, GDPR expanded current data protection law and also added some new requirements. This article takes a look at these regulations and what they mean for you as for Facebook advertiser. First, though, a bit about the GDPR.
What is GDPR?
General Data Protection Regulation (GDPR) is a set of rules created to give EU citizens more control over their personal data.
“The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
Each company is responsible for complying with the GDPR. These rules require advertisers to be more transparent regarding personal data you collect and what you do with it. Everybody can continue to use Facebook products (Facebook and Messenger, Instagram, Oculus, and WhatsApp) in the same way they do always.
Facebook announced three main pledges:
The company is eager to be more transparent regarding how it and advertisers get and process data about platform’s users. The responsibility of each advertiser is to inform what types of data you’re collecting, what you’re doing with it, and who else will see it. In order to become GDPR compliant, advertisers must “a relevant legal basis (for example, consent, contractual necessity or legitimate interests)” for your use of client’s data.
The Data Controller vs the Data Processor
You have to know two concepts — “data controller” and “data processor”. They are important for understanding a company’s responsibilities under the GDPR. A company may be a data controller, data processor or both.
When is a company the data controller?
When it has the responsibility of deciding how the personal data is processed. Data controllers have to control how data is collected, what it’s used for, and how long it’s retained. They have to also to give users access to their data. Data controllers must also warrant that data processors process data legally.
When is a company the data processor?
A company is a data processor when it processes personal data on behalf of a data controller. They have obligations to process data safely and legally.
Who is Facebook: data controller or the data processor?
In the majority, Facebook operates services as a data controller. However, there are some situations in which the company acts as a data processor when working with businesses and other third parties. An advertiser must have a legal basis for Facebook to process this data, while the network processes their data.
When does Facebook act as the data processor?
► Measurement and analytics
Facebook uses advertisers’ data in order to measure the performance and reach of ad campaigns. The company also uses it for reporting.
► Custom Audiences
Facebook uses a business’s data about customers (emails, phones) to match it to people in a network’s database to create a Custom Audience for ad campaigns.
► Facebook Workplace
The company processes personal data in order to provide this service. You can read more about Workplace and GDPR here.
5 Things You Must Do to Become GDPR-Compliant
1. Use a cookie notification bar when using the Facebook Pixel. There should be a prominent message when a page loads for the first time which informs users what actions they can take to consent to your using of cookies. For more information, check Cookie Consent Guide from Facebook.
Facebook offers to use the following API to pause sending pixel fires to Facebook, and once cookie consent is granted, send pixel fires to Facebook. You need to call revoke on every page.
It is not mandatory, however, if a user wishes to argue their GDPR rights, you will be subject to European Laws.
3. When you upload a custom audience to Facebook using a data file, Facebook is a data processor. This way, you are responsible for using this information before it’s uploaded to Facebook for targeting. The network is developing now a Custom Audiences permission tool that will require you to provide proof how you obtained this data.
4. In order to comply with GDPR, users have to be able to retract their consent. Don’t forget to remove people from custom audiences when they remove consent.
5. If you collect personal data and you share it with other tools, be sure that they are GDPR-compliant. In this case, you would be the data controller, which makes you responsible for all data that passes through the tools you use.
To Sum Up
If you attempt to reach customers in the EU, you have to be sure that all you’re doing is GDPR-compliant. Abovementioned things will help you with this. Additionally, we prepare the list of useful sites about GDPR:
⦾ Read Facebook developers GDPR FAQs in order to understand whether developers have to make any changes for using Facebook platform products and other information.
⦾ To understand whether you are the data controller or the data processor, check here.