More on non-European companies and GDPR

It’s more than the letter of the regulation

This is a follow-up to my recent blog: “American companies and GDPR”.

I’ve now had a chance to look at Facebook’s actual privacy policy. It is worth reading, and it is very clear – but it is also very long. Does it actually satisfy GDPR requirements when it is too long for many people to read in full?

It all comes down to Facebook’s new “consent flow”. Does it hide the options to leave Facebook, and does it encourage people to just hit the “accept” button and move on? See the flaw-by-flaw guide to Facebook’s privacy policy from TechCrunch.

GDPR is very emphatically about managing privacy with the interests of the data subjects at heart. It is not about encouraging lazy people to sign away their rights. Unless organisations really institutionalise data privacy policy in the subject’s interest, they may find that GDPR doesn’t “go away”. To quote Mick Yates, a passionate advocate of privacy: “if a company is really ‘customer centric’ then GDPR is strategically and tactically a good thing. Companies on the other hand that simply want to maximise their control (and revenues) see it as a bad thing”.

Also, people should remember that many countries are coming up with their own versions of privacy protection law, often based on the EU GDPR. If you are a global Mutable Business, it’s not just GDPR and the EU you should be thinking about.

Thanks to Mick Yates (Visiting Professor at University of Leeds and Founder & Customer Leadership Strategist at LeaderValues), James Kezman, and others, on Facebook, for discussion and sources around this issue.

David Norfolk

My current main client is Bloor Research International, where I am Practice Leader with responsibility for Development and Governance. I am also Executive Editor (on a freelance basis) for Croner's IT Policy and Procedures (a part-work on IT policies). I am also on the committee of the BCS Configuration Management Specialist Group (BCS-CMSG). I became Associate Editor with The Register online magazine – a courtesy title as I write on a freelance basis – in 2005. Register Developer, a spin-off title, started at the end of 2005, and I was launch editor for this (with Martin Banks). I helped plan, document and photograph the CMMI Made Practical conference at the IoD, London in 2005. I have also written many research reports including one on IT Governance for Thorogood. I was freelance Co-Editor (and part owner) of Application Development Advisor (a magazine, now defunct) for several years. Before I became a journalist in 1992, I worked for Swiss Bank Corporation (SBC). At various times I was responsible for Systems Development Method for the London operation, the Technical Risk Management framework in Internal Control, and was Network Manager for Corporate group. I carried out a major risk evaluation for PC systems connecting across the Bank’s perimeter to external systems and prioritised major security issues for resolution by the Bank’s top management in London. I also formulated a Security Policy for London Branch and designed a secure NetWare network for the Personnel Dept. Before 1988 I was an Advisory Systems Engineer in Bank of America, Croydon, in database administration (DBA) on COBOL-based IMS business systems. Before 1982, I worked in the Australian Public Service, first as a DBA in the Dept of Health (responsible for IMS mainframe systems) and latterly as a Senior Research Officer 2 in the Bureau of Transport Economics.

Specialties: I have the ability to extract the essence of significant technical developments and present it for general consumption, at various levels, without compromising the underlying technical truth.