
Introducing Data Protection Assessment

July 22, 2021, by Kelly Stonelake Kreishman

Update on 8/09/2022: We have announced new upcoming updates and improvements to the Data Protection Assessment, which you may experience depending on the date of your next assessment. Learn more about these updates in our recent blog post. Please stay up to date and take action based on communications to the contact email on your app’s basic settings page, and the administrators listed on your app.

Update on 8/13/2021: We have added additional guidance regarding the Data Protection Assessment here.

Today, July 22, 2021, we’re sharing our latest initiative to safeguard how people’s data is being managed and protected on our platforms - the Data Protection Assessment. This is the next step among several initiatives we’ve introduced over the last year to ensure we are continuously making progress towards our commitment to people’s privacy and data security - a responsibility that we share with all developers in our ecosystem.

The new Data Protection Assessment is a questionnaire (see Exhibit 2) for apps accessing advanced permissions, specifically focused on how developers (both direct integrators and tech providers) use, share and protect Platform Data as described in the Facebook Platform Terms. We’ll also ask about privacy policies and implementations of data security practices. For apps accessing the highest sensitivity of user data, developers will be required to provide evidence to support their responses to the assessment, such as examples of contractual language with service providers regarding Platform Data, any third-party data security certification such as a SOC2, a link to ways people can report vulnerabilities they have uncovered with your app, and descriptions of ways users can request that their data be deleted. All developers who receive this new Data Protection Assessment questionnaire will be required to submit the assessment within 60 days, or risk the loss of platform access. This assessment will be rolling out in phases, beginning at the end of July.

This is different from Data Use Checkup (DUC), which focuses on what specific permissions the app has access to and is an annual process that requires developers to certify that their continued use of Facebook data is in compliance with our Platform Policy. It’s also different from App Review, which is a forward-looking process that gates access to certain Facebook Platform permissions, requiring developers to submit an application to justify platform access. The combination of App Review, Data Use Checkup and Data Protection Assessment allows us to get a fuller picture of how apps are accessing platform data and the methods they are using to keep this data secure.

We’re grateful for the way in which developers have joined us in our journey to protect people’s privacy on our platform and are establishing new best practices alongside us.

What to do to prepare for the Data Protection Assessment

To prepare for the assessment, you should:

  • Update your contact information in Notification Settings
  • Ensure your list of app admins is up to date in the App Dashboard > ‘Roles’
  • Remove any apps that you no longer need. Carefully assess whether or not you need the app as this action may be difficult to reverse. To remove an app, go to App Dashboard > Settings > Advanced.
  • Review our Platform Terms in detail, and be sure you’re able to answer questions on how your app is complying with these terms.
  • Gather relevant documentation such as your privacy policy, security certificates, data deletion flows, and sample contractual language with service providers regarding data practices.
  • Review our Data Security Best Practices
  • Review specific questionnaire details and documentation here

What you can expect with the Data Protection Assessment

If your app is in scope for this periodic assessment, based on the data your app has access to, and you are the app admin, you will receive an email and a message in your app's Alert Inbox when it’s time for you to complete the assessment. If you miss the dev alerts, you’ll also see notifications about the Data Protection Assessment in your App Dashboard (see Exhibit 1). We’ll be rolling this out in phases in the coming weeks, so please check back often.

Exhibit 1: My Apps page

The assessment asks questions about how you use, share, protect, and delete platform data. If your app accesses particularly sensitive data, you will be required to provide documentation, and it may take time to gather this information. Be sure to start the assessment early to allow plenty of time to complete it. You don’t need to complete the assessment in one sitting. You can save your progress and return to the assessment later. See more details here.

Exhibit 2: Begin the assessment

If your app is enrolled in this assessment, you have 60 days to complete and submit the assessment. Non-submission as well as violation of our terms may result in enforcement actions taken against your app.

We know that protecting people’s privacy is just as important to you as it is to us. Thank you for partnering with us as we continue to build a safer, more sustainable platform.