More on non-European companies and GDPR - It’s more than the letter of the regulation

Content Copyright © 2018 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt

This is a follow-up to my recent blog: “American companies and GDPR”.

I’ve now had a chance to look at Facebook’s actual privacy policy. It is worth reading and it is very clear – but it is also very long. Does this actually satisfy GDPR requirements, given that it is too long for many people to read in full?

It all comes down to Facebook’s new “consent flow”. Does this hide options to leave Facebook and does it encourage people to just hit the “accept” button and move on? See the flaw-by-flaw guide to Facebook’s Privacy Policy from TechCrunch.

GDPR is very emphatically about managing privacy with the interests of the data subjects at heart. It is not about encouraging lazy people to sign away their rights. Unless organisations really institutionalise data privacy policy in the subject’s interest, they may find that GDPR doesn’t “go away”. To quote Mick Yates, a passionate advocate of privacy: “if a company is really ‘customer centric’ then GDPR is strategically and tactically a good thing. Companies on the other hand that simply want to maximise their control (and revenues) see it as a bad thing”.

Also, people should remember that many countries are coming up with their own versions of privacy protection law, often based on the EU GDPR. If you are a global Mutable Business, it’s not just GDPR and the EU you should be thinking about.

Thanks to Mick Yates (Visiting Professor at University of Leeds and Founder & Customer Leadership Strategist at LeaderValues), James Kezman, and others, on Facebook, for discussion and sources around this issue.