Recently, Facebook announced a new initiative aimed at protecting how its users’ data is managed across its platforms: the Data Protection Assessment. The assessment consists of a questionnaire for apps that access advanced permissions and specifically focuses on how developers protect, share and use platform data.
The new Data Protection Assessment went into effect at the end of July, which means that developers need to be aware of the questionnaire’s standards and requirements for any new releases moving forward. Specifically, the assessment seeks to understand how a user’s data will be used, why the data is needed, and when it will come into use.
Even for app developers who aren’t asking for advanced permissions, these types of questions are vital for ensuring information security. Here’s what you need to know.
What is Facebook’s Data Protection Assessment?
Facebook’s Data Protection Assessment is a questionnaire for app developers that use, share, and protect data from Facebook’s various platform users (including Instagram).
“For apps accessing the highest sensitivity of user data, developers will be required to provide evidence such as examples of contractual language with service providers regarding Platform Data, any third-party data security certification such as a SOC2, a link to ways people can report vulnerabilities they have uncovered with your app, and descriptions of ways users can request that their data be deleted, to support their responses to the assessment,” said Facebook.
SOC2 compliance is a voluntary standard set forth by the American Institute of Certified Public Accountants (AICPA). To achieve SOC2 compliance, an organization must demonstrate effective controls across five Trust Service Principles (TSPs): Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The Data Protection Assessment will ask developers to verify that they’ve applied strong safeguards to protect user data, including compliance with standards like SOC2, offering an easy way for users to request their data be deleted, and other user-based controls. Ultimately, the assessment aims to simultaneously safeguard data while giving users more control over how third-party apps collect and utilize their information.
To complete the Data Protection Assessment, follow these steps:
- Make sure your contact information is up-to-date under Notification Settings.
- Update your list of app administrators in the App Dashboard under “Roles.”
- Remove any apps you no longer need; be careful to remove only apps that are no longer in use, as this step is hard to reverse. To remove an app, go to App Dashboard > Settings > Advanced.
- Review Facebook’s platform terms to understand how to answer questions about app compliance.
- Gather relevant documentation: privacy policy, security certificates, data deletion flows, and sample contractual language with service providers regarding data practices.
Developers who receive the Data Protection Assessment must complete it within 60 days or risk losing access to the platform.
Facebook’s data security requirements for app developers
The Data Protection Assessment is just one of several new standards that Facebook is asking developers to meet. In late 2020, Facebook also rolled out the Data Use Checkup, which requires developers to review the permissions they have access to and certify that their API access and data use comply with the Facebook Platform Terms and Developer Policies, or risk losing their API access.
Data Use Checkup, compared to the questionnaire, focuses on specific permissions that an app can access. It is an annual requirement that developers must certify to stay in line with the platform’s privacy policy.
In addition, App Review requires developers to submit an application to justify platform access, restricting the way developers can access certain Facebook Platform permissions.
Facebook’s Data Protection Assessment is just the latest in what experts predict will be even more stringent requirements for app developers. “For apps that require much more sensitive data, Facebook is going to roll out even stricter policies,” wrote the experts at Digital Information World. “The platform claims it will ask for evidence. For instance, the platform could ask to take a look at the contractual information, third-party data certification (which is a must), and an explanation of all the ways that users could ask for their data to get deleted.”
What does this mean for developers? Even if you aren’t asking for advanced permissions from your users, it’s clear that Facebook is placing a premium on information security. Implementing tools that protect your user data is crucial not just for this social media platform, but all your work.
Nightfall’s data loss prevention tools for developers
Nightfall’s Developer Platform allows app developers to embed data loss prevention (DLP) and data classification into any application. Protect sensitive information in all your application log platforms to work toward achieving SOC2 compliance, as well as compliance with many other industry standards and best practices.
Here’s how Nightfall can help ensure your app is SOC2 compliant to meet the Data Protection Assessment:
- Configure detection rules for the sensitive data your business handles, using the out-of-the-box templates in our library.
- Enable real-time monitoring on business applications that house sensitive data.
- Implement manual or automated workflows to remediate any security vulnerabilities.
- Run historical scans to search for sensitive data that exists in data silos today.
- Visualize historical scan results in a custom Nightfall dashboard.
- Leverage detailed tutorials and open source code to implement sensitive data remediation within popular IaaS platforms.
- Review and export scan results should they be required in the event of an audit.
Nightfall is the first and only data protection platform that can integrate with any SaaS or cloud infrastructure to detect and classify information like PII, PHI, secrets & credentials, and more — all in real-time. Our machine-learning-based detectors can be applied to any application environment via our APIs.
Learn more about how Nightfall can keep your information secure by scheduling a demo at the link below.