As Facebook CEO Mark Zuckerberg continues his testimony in Congress following the Cambridge Analytica scandal, he has been set a pile of homework to beef up Facebook’s data protection policies and become GDPR compliant. While the enquiry came about following an investigation into cambridge analytica, in the long run it may have come at the perfect time, with GDPR just weeks away from coming into full force. During the hearing, Zuckerberg committed to implementing GDPR’s standards worldwide.

Eight things Facebook must do to comply with GDPR

Here is what the social network giant must do ensure they are at least on the way to full compliance come 25 May 2018.

1. Appoint a data protection officer (DPO)

Under GDPR, Organisations that process large amounts of personal data, are in the public sector or process particularly sensitive data are required to appoint a DPO. Facebook has certainly recognised this need, advertising the vacant position on their website and other forums. It remains to be seen, however, whether Zuckerberg will seek to appoint a DPO, or someone in a similar role, to strengthen their data protection compliance across the US.

2. Train all staff on GDPR

In order for staff to understand the requirements under GDPR, the DPO should put in place a clear GDPR training schedule. All staff, including IT, HR, marketing, and management, should take the training most relevant to their role.

3. Conduct a data protection impact assessment (DPIA)

DPIAs help organisations identify, assess and mitigate or minimise privacy risks with data processing activities and are particularly relevant when a new data processing process, system or technology is being introduced. In Facebook’s case, the DPIA should be managed by the DPO.

Read more: What is a DPIA and how do you conduct one?

4. Put clear data protection policies in place

Facebook will now need to be much more transparent regarding how they collect, process and manage data. Users will want to know what their information is being used for and Facebook will need to be much clearer on this. The hearing has revealed to users, and in many cases non-users as well, how much of their private information is being shared in order to target them in future advertisements and posts, a point that many people may never have considered before. Facebook’s data protection policy must now be updated to ensure it is GDPR compliant. Having committed to complying with GDPR in the US as well as Europe, this will in some respects be an easier task, allowing Facebook to have one data protection policy and one privacy policy for all jurisdictions.

5. Update their privacy notice

Facebook’s privacy notice must first and foremost be updated to include the new procedures required by GDPR and the recent hearing. It must be clear about how third parties use personal data and clearly state that they do not use the personal information of non-users. Further, Facebook will need to mak their privacy notice easier to find.

6. Have clear procedures for processing subject access requests

In the parliamentary committee hearing into the Cambridge Analytica-Facebook scandal, co-founder of PersonalData.IO, Paul-Olivier Dehaye, described how it took years to retrieve the personal data Facebook held on him. Eventually, he was able to get an 8-week snapshot, with Facebook citing the reason not to provide him with the full history “disproportionate effort”. Further, in the past users in the UK would only be able to retrieve their data by posting a request to the headquarters in Dublin, allowing Facebook to benefit from the once-business friendly data protection laws.

Under GDPR, if a subject access request is made, Facebook must not only provide all the data held on an individual and who else is using it, it must do so within ten days and free of charge (previously, there would be a charge of £10 for this). Under GDPR, one can also request for their data to be transferred directly to another system for free. Facebook must ensure they have the processes to respond to a subject access request, made by both users and non-users, in a GDPR-compliant manner.

7. Adopt “privacy by design” settings

Privacy by design is a privacy setting that requires each new service or business process that makes use of personal data to take the protection of such data into consideration during the design phase. In Facebook’s case, adopting privacy by design will help ensure a Cambridge Analytica-type scandal cannot happen again.

8. Edit default settings – opt-in and opt-out

This may well be one of the easiest changes to put into place, although Facebook will be concerned at the effect it will have on their ability to collect helpful data. Facebook’s current default settings automatically makes users’ information and posts public. During the hearing, Congressman Frank Pallone has strongly advised Zuckerberg to change the settings, which would require users to opt-in to making something public.