Data Protection Assessment

Data Protection Assessment is a requirement for apps accessing advanced permissions that is designed to assess how developers use, share and protect Platform Data as described in the Facebook Platform Terms. When enrolled, an administrator of the app will need to complete a questionnaire based on their app’s access to Platform Data. An admin of the app will be given 60 days to complete the assessment or risk losing platform access.

It is strongly recommended that you consult with legal, policy, and data security experts within your organization for guidance on how to address certain questions. Providing incomplete or vague answers may result in loss of platform access.

You will receive an email and a message in your app’s Alert Inbox when it’s time for you to complete the assessment. If you miss this communication, you will also see notifications about the Data Protection Assessment on your App Dashboard.

Note: The Data Protection Assessment is different from Data Use Checkup (DUC), which focuses on what specific permissions the app has access to and is an annual process that requires developers to certify that their continued use of Facebook data meets the requirements of our Platform Terms and Developer Policies. It’s also different from App Review, which is a forward-looking process that gates access to certain Facebook Platform permissions, requiring developers to submit an application to justify platform access.

Before You Start

To prepare for the Data Protection Assessment, we recommend that you:

  • Update your contact information in Developer Notification Settings.
  • Ensure your list of app admins is up to date under Roles in the app dashboard.
  • Remove any apps or permissions that you no longer need. Carefully assess whether or not you need the app or permission as this action may be difficult to reverse.
    • To remove an app, go to App Dashboard > Settings > Advanced (scroll down).
    • To remove a permission, go to App Dashboard > App Review > Permissions and Features and select the trash icon to the right of the permission you want to remove.
  • Review our Platform Terms in detail, and be sure you’re able to answer questions on how your app meets the requirements of these terms.
  • Gather relevant documentation such as your privacy policy, security certificates, data deletion flows, and sample contractual language with service providers regarding data practices.
  • Review our Data Security Best Practices.

If you are an app admin and you are required to complete the Data Protection Assessment, you will receive email communication and a message in your app’s Alert Inbox.

Deadline

Deadlines are unique to each app and will be displayed in your developer notification, the app dashboard banner, and the apps panel.

Submit an Assessment

Step 1. Navigate to the Form

In the app dashboard, navigate to the app's card and click Data Assessment.

Step 2. Start the Assessment

Click Start Assessment.

Step 3. Add Your Information

Provide information about the data you access. Depending on the responses to the Data Protection Assessment, you may be asked to provide additional documentation.

If you use service providers, you must provide sample contractual language that you use with those service providers that states that:

  • They can only use data at your direction.
  • They can only use data to provide the service you requested.
  • You require service providers to meet the requirements of the Platform Terms.
  • Service providers delete the data they received from you when you cease using their service.

If you share data to provide a person/business with a service:

  • Example contractual language that you use to prohibit people/businesses from using Platform Data in a way that violates the Platform Terms.

If you’re a tech provider:

  • A description of the steps you take to ensure that your clients' Platform Data is maintained separately from the data of other clients or data that you use for your own purposes.

If you share data to comply with legal regulations:

  • An explanation of the circumstances in which you share Platform Data to comply with a legal or regulatory requirement.

If you share data with a third party because users tell you to:

  • Description of how users direct you to share Platform Data with another person or business.
  • Include screenshots if applicable.

If you delete Platform Data when it is no longer needed to provide an app experience or service to users:

  • Description of how you determine when Platform Data is no longer necessary to provide an app experience or service to users.

If you delete data when users request it:

  • Description of how users can request that their data be deleted.
  • Include screenshots if applicable.

If you have a publicly available privacy policy:

  • Link to your privacy policy.

If you have an information security framework:

  • Description of your Information Security Framework. (Learn more.)

If you have a data security certification:

If you do not have a data security certification, but you do take steps to protect the security of Platform Data:

  • Policy or procedure documents, software configurations, screenshots, or screen recordings that illustrate the steps you take to protect the security of Platform Data. (Learn more.)

If you have a way for people to report security vulnerabilities in your app

Step 4. Submit Your Information

Click Submit.

Check the Status of an Assessment

Step 1. In the app dashboard, scroll down to the Required Actions section.

Step 2. Click View Status. Click View if you’d like to access the assessment form.