Facebook and data privacy: the key lessons for SMEs

Managing Director
What I do at Q2Q:

My role is to provide the overall direction and “eye on the compass” as to where we, as a team, are heading.

I’m still very much focused on the customer and will often get involved in customer solution discussions. As a techie at heart, I’m regularly seeking to understand industry developments and directional changes that may affect our customers, so we and our customers can remain on the front foot.

Background and Achievements

I started out in the I.T. technical department of what was then British Rail, following which I joined a large construction company to re-organise their I.T. infrastructure.

I then spent a couple of years as a business systems analyst at P&O Nedlloyd designing, developing and implementing systems within their Bulk and Tank Carrier companies.

In 1999 I was appointed I.T. Manager of SockShop and subsequently Head of I.T. at the Tulchan Group, which then comprised 300 stores. Due to a Year 2000 compliance issue, we were required to seek an alternative system, which we were able to write ourselves more cost-effectively. This product subsequently became known as RAWHIDE, and we later sold it into a number of other businesses. At the time it was quite cutting edge, as all the warehouse functions were undertaken using handheld wireless scanners rather than the batch scanners that were dominant at the time.

In 2003 the Tulchan Group was acquired by Harris Watson. We were then asked to take responsibility for the I.T. of Viyella Ladieswear, and in 2004 the demands of two MDs and two FDs (Tulchan Group + Viyella) resulted in the sensible decision to break out of the group, and Q2Q was born. This then enabled us to also get involved with a number of other group companies (Harris Watson-owned companies) as well as other non-group parties. At one stage we were managing the I.T. for almost 500 stores across a number of businesses.

Today Q2Q retains some of the group customers that we acquired along the way, as well as a substantial number of new and diverse customers in almost all industries including accounting, business development organisations, legal marketing, medical, retail and wholesale.

Hobbies and Interests

Horse riding, running (jogging), motorbikes, and reading any of the Detective Rebus stories.

Our MD Andrew recently shared his thoughts on Facebook’s recent data privacy blunders with Business Advice. Check out the full article below to see what he had to say about the Cambridge Analytica scandal – and why the social media giant’s questionable consent processes are a cause for concern…

For companies and individuals alike, time is precious. So, when it comes to such menial tasks as reading privacy policies, service agreements, T&Cs and other tedious small print, it would be easy to assume that end users are to blame if they rush through the process and grant consent for their details to be collected, only to regret it later.

But that’s not always the case.

Under the GDPR, companies that gather and process personal data will have an increased responsibility to the individuals whose information they hold. They must have consent to collect it in the first place, be transparent about how it’s used and provide the option for data subjects to withdraw consent at any time.

Facebook’s recent revelations about how it intends to gather consent from its users can therefore be taken as an example of what not to do.

Facebook’s “commitment” to data transparency

On the surface, it seems that the social media giant wants to show that it’s turning over a new leaf after the Cambridge Analytica scandal – in which the data of more than 87m Facebook users is believed to have been compromised. In an apparent attempt to rebuild faith in its users, the company has therefore been announcing the various means by which it intends to improve its data processes on its blog – with one such post claiming that it’s “important to show people in black and white how our products work”.

Very true. But Facebook isn’t exactly practising what it’s preaching.

The firm has outlined that in the coming months, it will be asking all users to “make choices” about how their data is used – including whether they want their Facebook ads to be influenced by third-party data, what profile information they are happy for the company to use and share, and whether or not they want to enable face recognition technology.

In theory, so far so good. But in practice, things are more complicated.

The importance of explicit consent

The ICO’s guidance on the GDPR states that for explicit consent to count, a positive opt-in is required, a clear and specific statement of permission is needed, and pre-ticked boxes or any other method of default agreement can’t be used. And this is where Facebook’s attempts at compliance become slightly shady.

Although no boxes are already ticked, there are subtle elements in the newly introduced “opt-in” processes that have been raising eyebrows – and seemingly blurring the line between GDPR compliance and non-compliance. The opting-in part is simple – there’s a big blue “accept and continue” button that, when clicked or tapped, lets you carry on as you were.

However, in order to opt out, there’s a less obvious white “manage data settings” button, which requires you to navigate through two subsequent pages before you can deny access to your personal data. Whilst not an outright breach of the GDPR, such a convoluted opt-out procedure is certainly not within the spirit of transparency that the legislation is intended to uphold.

What should small business owners be doing differently?

As data protection practices go, Facebook has lately been setting a brilliant example of how not to go about complying with the GDPR. So, what should small business owners take away from these high-profile slip-ups?

Firstly, be open with any individuals whose data you already hold – including employees, customers and anyone else – about how their data is being used. You should conduct an audit of all the sensitive information you have on your systems and document how this was obtained, how long you intend to keep it and the measures you’ve implemented to protect it.

Secondly, only store the minimum data required. Does Facebook really need access to your biometric data (via facial recognition) or other sensitive information (including your political and religious views)? Probably not. Unless, of course, you also want them to be able to recognise you in your photos, your friends’ photos and – most worryingly – the photos of other people whom you may not even know. So, ask yourself the same question when it comes to the data you have on file. This is one case where keeping extra details “just in case” isn’t the safest option.

Thirdly, when it comes to collecting individuals’ information, you should obtain their explicit consent to do so. Crucially, make it clear that they can opt out of this agreement at any time, and be sure to provide a straightforward way for them to do this. For example, if it’s a mailing list that you’ve signed someone up to, ensure there’s a clear “unsubscribe” option to select. Don’t follow Facebook’s example of making it easy for individuals to provide consent but convoluted to revoke it or to object to giving it in the first place. At best, that’s not in the spirit of the new law, and it may even be considered an outright breach.

And finally, ensure the data you hold is properly protected. Don’t share it with other people unless you’ve explicitly been granted permission by the individual to do so. Make certain that you have effective security measures in place to safeguard it against a potential breach. And remember – the personal data your business uses is only ever borrowed, not yours to use as you please. The GDPR is all about respecting that fact.

If consent and GDPR compliance still have you confused, contact us today to find out how we can help!
