Does Workplace comply with GDPR?
What is GDPR?
The General Data Protection Regulation (GDPR) is a new framework that will harmonize data protection rules across the European Union (EU). It goes into effect on May 25, 2018 and will govern how the Facebook Family of Companies is regulated. You can find out more about Facebook’s approach to GDPR here.
Many of the principles build upon the current data protection rules in place within the EU. But GDPR also places some new requirements on companies. GDPR will apply to any Workplace customer with users residing in the EU, even if the organization’s location is outside of the EU.
Workplace and GDPR Compliance
GDPR expands current data protection laws and also adds some new requirements. Most of GDPR’s requirements fall on data controllers. This is the organization or party that decides the "purposes" and "means" of any processing of personal data. Workplace Advanced customers act as data controllers and appoint Facebook as a data processor under the Workplace agreement. In Workplace Essential, Facebook is the data controller and is responsible for the processing of Workplace Essential users’ data.
Facebook and Workplace comply with all data protection laws that apply to us. Where applicable, we’ll adapt our existing practices to align with GDPR. We’re also dedicated to helping our Workplace Advanced customers meet their obligations.
Safeguards and Contractual Commitments
We understand that GDPR requires Workplace Advanced customers to engage data processors with appropriate safeguards to ensure an appropriate level of protection for personal data.
We’ve been working with our product, design and engineering teams to make sure our products will comply with the GDPR rules. This includes making sure our contractual commitments allow customers to demonstrate their compliance. We’ll be updating our agreements to provide the undertakings required from data processors under GDPR.
GDPR requires Workplace Advanced customers to engage data processors who can provide an appropriate level of security to meet the requirements set out in the new regulations. The safety of the personal data we process for our customers is of the utmost importance to us. We undergo regular security audits and Workplace Advanced is ISO 27001 certified.
We also invest in systems to make sure we can identify threats to data security when we process data for Workplace Advanced customers. In the unlikely event of a relevant incident, we’ll notify and assist customers. For more information, see here.