Preparing for the Data Protection Assessment
For more on this topic, take the Course: Submitting a Data Protection Assessment
The Data Protection Assessment (DPA) evaluates whether developers comply with Meta policies covering prohibited uses of data, data deletion, data sharing with third parties, and data security. Completing the DPA is required for any app that accesses, transmits, or stores User Data.
You will be assigned a DPA to complete within a specific deadline after your request to access platform features via the Data Use Checkup (DUC) is granted. Because the assessment is dynamic, and each organization is different, completion time will vary. Your progress will autosave, so you don't have to complete the assessment in one sitting. We recommend allotting some time over 2 to 3 weeks to complete the DPA.
This guide will help you prepare to successfully complete the DPA and avoid delays in the review process.
Before completing the DPA:
Step 1:
Read the Developer Data Use Policy (DDUP) in full to ensure you understand the requirements. The following DPA preparation steps will help you determine whether you are in compliance with all of the DDUP's requirements. See the DDUP Evaluation Checklist for more information.
Step 2:
Assemble your response team by identifying subject matter experts (SMEs) within your organization to help you answer all of the questions included in the DPA. The DPA is cross-functional, so include SMEs from teams like:
- Legal
- Information Security
- Product
Step 3:
Gather a list of your organization's administrators and their contact information, and if necessary, update these details under Members in the Developer Dashboard. Instruct all of your administrators to save [email protected] to their email contacts to make sure they don't miss any communication.
Step 4:
Gather your privacy policy and all policies, terms, and agreements you have in place with any third-party partners or service providers with whom you share User Data. You may need to submit some of these documents for review, including:
- Your app's privacy policy
- A list of any third party with whom you share User Data (including your third-party service providers and their sub-service providers)
- Contracts with each of these third parties (including their standard terms of service and/or privacy policies) or, if they are not your service providers, documentation for why you have shared User Data with them
Review Service Provider Contracts
Remember, Meta requires your service providers to protect user data according to the same standards that you do. Once you've gathered each of your third-party service providers' contracts:
Step 5:
Evaluate your contracts with all third-party service providers. Above all, confirm that each of your service providers complies with the Developer Data Use Policy. Look for the sections of their contracts that describe what data they will collect and how they will use it.
Specifically, when it comes to Meta Horizon User Data and/or Device User Data, you need to confirm that they....
Step 6:
Be prepared to provide additional information and/or documentation in the event that Meta requests it. While Meta makes these requests at its discretion, you can prepare for the following scenarios.
| If You... | Be Prepared to Provide... | Completed? |
|---|---|---|
| share data to comply with a legal regulation | a documented explanation of the circumstances in which you share User Data to comply with that legal or regulatory requirement | |
| share data with a third party at your user's request | a documented description of how users direct you to share their User Data with another person or business; include screenshots if applicable | |
Prepare for Security-Related Questions
Once Meta has approved your request to collect and use User Data, you are required to secure that data on any cloud-based service, servers, and/or databases where it is stored. You will be asked questions about your information and data security processes and policies. You will need to work with your InfoSec SME to determine if your policies and processes meet Meta's requirements. Before you dig in:
Step 7:
Review your audit logging practices. Good security hygiene related to audit logs helps ensure that only authorized individuals and applications can access certain data, including the data you receive from Meta.
Not familiar with audit logs? Review these resources.
Note: This is not an exhaustive list of resources, but these will help you better understand audit log security.
- Audit Logging Overview
- Center for Internet Security (CIS): Audit Log Management Policy Template
- Practitioner's Guide: Tamper-proof logs
- NIST Controls: Audit and Accountability
- SOC 2 AICPA Trust Criteria, specifically CC7.2 and CC7.3
- OWASP Logging Cheat Sheet
The following resources are not available free-of-charge, but offer valuable information and guidance:
Review the following audit log security practices and select which, if any, your organization currently practices.
Currently, my organization:
Review your selections, and then choose which of the following applies to you:
- You are well-prepared: have supporting documentation ready to submit if requested.
- You are in good shape: work with colleagues on your InfoSec team to request or create the supporting documentation you need.
- These practices help us keep our shared users safe. Work with colleagues on your InfoSec team to prepare for the DPA:
- Make a plan to implement any of the security practices you don't currently follow. Beginning in Q1 2024, selected apps in the DPA will be required to meet these requirements and may be required to upload evidence to support their answers.
- Gather supporting documentation for any security measures you already practice.
- Request or create supporting documentation for any new or currently undocumented policies and processes.
Step 8:
Review your personnel security practices. Even with industry-leading security practices in place, employees will always be the most significant vulnerability at any organization. Having personnel security practices in place helps you protect all of the data you collect, process, and store, including the data you receive from Meta.
Not familiar with personnel security? Review these resources.
Note: This is not an exhaustive list of resources, but these will help you better understand personnel security.
Review the following personnel security practices and select which, if any, your organization currently follows.
Currently, my organization:
Review your selections, and then choose which of the following applies to you:
- You are in good shape: work with colleagues from teams like InfoSec, Human Resources, and Training to gather or create supporting documentation for each security practice you've adopted. Be prepared to provide this documentation in case Meta requests it.
- These practices help us keep our shared users safe. Work with colleagues on your InfoSec, Human Resources, and Training teams to prepare for the DPA:
- Make a plan to implement one or more of these, or similar, personnel security practices.
- Gather supporting documentation for any security measures you already practice.
- Request or create supporting documentation for any new or currently undocumented policies and processes.
Step 9:
Gather relevant documents and information. Not only will you need this information to evaluate your processes, but Meta may also request this documentation under certain scenarios. Use the table below to help you determine what you need.
| If You... | Be Prepared to Provide... | Completed? |
|---|---|---|
| have information security practices in place to protect User Data and/or Device User Data, like access management, change management, and operations | a documented description of your Information Security Practices (Learn more) | |
| have a data security certification | a copy of that data security certification (Learn more) | |
| do not have a data security certification, but you do take steps to protect the security of User Data | policy or procedure documents, software configurations, screenshots, or screen recordings that illustrate the steps you take to protect the security of User Data (Learn more) | |
Disclaimer: This resource does not guarantee compliance with Meta policies, nor applicable data privacy laws. Review Meta Horizon's Developer Data Use Policy for a comprehensive overview of Meta's requirements.