Dive Brief:
- Ahead of the EU's coming data protection regulation, European users of the Facebook platform will begin receiving requests to review what information is shared on profiles and how their data is used for advertising based on partner data and facial recognition technology, according to a company announcement Tuesday.
- European users will receive additional accommodation relating to GDPR, including how to contact Facebook's Data Protection Officer. European changes are rolling out several weeks before the May deadline, and a phased approach will extend these modifications to the rest of the world on an unspecified schedule.
- As early as last summer, Facebook was advertising for a data protection officer, which the company decided to carve out a space for in its European headquarters, according to IAPP. The position to oversee GDPR compliance appears unfilled and remains open on Facebook's website. The company does have a deputy chief privacy officer and a global deputy chief privacy officer.
Dive Insight:
For the last month Facebook has been in the spotlight, taking the PR punches and criticisms of regulators, internet users and other companies. But Facebook is the tip of the iceberg when it comes to companies collecting and using data online. Google, Apple, Amazon and other internet companies will likely see the glare of the spotlight soon.
What hits Facebook first could be a preview of what is coming for other companies. The regulatory or punitive responses that global and domestic regulators coalesce around now, in response to the social media company's recent data scandal, will send ripple effects through the enterprise and technology communities.
Facebook's phased approach to GDPR protections is a liberty many companies cannot take. Reorganizing data collection, processing and storage processes to accommodate the requirements of GDPR isn't always segmentable by geographic boundaries or user nationalities.
Blocking access to EU users has been considered by companies with a more modest footprint on the continent, but for most, compliance is a question not of "if" but "when." With time ticking, other Silicon Valley giants are rolling out their GDPR plans and tools.
Google will launch a non-personalized advertising model for users opting out of ad targeting based on personal data, as well as consent mechanisms on its platforms. Microsoft rolled out data subject request processing tools across its cloud platforms earlier this week.
Theories abound, but not even the experts know what is going to happen come May 25. European regulators, stretched thin, may take months to figure out how they want to enforce a regulation many companies won't be ready for when the deadline hits. Or, looking to make an example, they may go after a high-profile company and audit its data protection practices, readying a hefty bill for penalties.
With Facebook already sweating under the spotlight, it could be an obvious first target. European digital chiefs and regulators are not taking recent scandals lightly and have been pressing for questioning and meetings with the heads of internet companies. Mark Zuckerberg met with Andrus Ansip, VP of the Digital Single Market for the European Commission, Tuesday, and Ansip is scheduled to meet with Google CEO Sundar Pichai as well, reports Reuters.
Whether Facebook concludes its almost year-long search for a data protection officer in the next five weeks remains to be seen. Based on its large-scale monitoring of data subjects and processing of special data categories, Facebook will be required to appoint a DPO under GDPR.
DPO leadership has been crucial for many companies on their GDPR journey as data protection and privacy move from an afterthought to a priority. The compliance leaders straddle what are often disparate departments and drive a centralized, companywide strategy to transform businesses with data-centric models.