Often used as a free marketing tool, and with some staff having thousands of personal followers on social media platforms such as Twitter, Facebook and LinkedIn, social media is becoming an important cog in many companies’ marketing campaigns. Here is some guidance on what GDPR requires of us when using social media for marketing purposes.
Read: The digital marketing guide to GDPR
GDPR and social media
In recent years social media has become a central platform for communication between businesses and customers or clients. Since social media tools all work with personal data, those using them for business purposes must take data protection regulations into account. But this shouldn’t deter you from using these tools: used correctly, social media can be an excellent form of communication and marketing. The important thing is to make sure you keep your social media platforms secure and that you handle all customers’ data appropriately.
What does GDPR mean for social media marketing?
When considering how to best manage social media marketing, it’s important to keep data protection rules and best practice in mind. It is unlawful to collect more data than you need, and you need to be able to justify any information you collect. But social media marketing can actually be better for marketing and for GDPR compliance than older methods of email lists and marketing, which are not as effective as they once were. Connecting with potential leads through social media, sharing relevant content and contact details can be much more effective and targeted than blunt force direct marketing, and when done correctly, potentially less problematic on a GDPR front.
Who does the legislation apply to?
GDPR does not apply to individuals using social media for their own purposes, but does apply to individuals acting as sole traders or organisations who use social media in the following ways:
- Posting personal data on a website
- Downloading and using personal data from a website
- Running a website which allows others to post comments or other content about people
This means that if an organisation posts on a social network or a blog, or uses personal data from a social networking site, they are usually subject to data protection laws.
If an organisation runs an online forum or comments section, then they have a responsibility for the content posted. This includes a duty to take reasonable steps to monitor and moderate the content posted. Reasonable steps must be taken to check the accuracy of any personal data posted by a third party. While it may be unreasonable to moderate every comment, there would at least need to be an option to report problematic posts.
Determining who in an organisation can say what, and when they are representing only themselves or their organisation is difficult. While it is generally recommended to keep personal and professional social media presence separate, this is not always possible. It is very important for organisations to have clear policies on social media use by employees.
What should be included in a social media policy?
You may want to include the following points in your social media policy:
- Risk of defamation
- Reputation and brand management
- Handling negative comments
- Monitoring employees
- Protecting information about employees
Employees may face disciplinary action for posting comments online that may damage the organisation’s reputation. If employers plan to monitor social media activity then this needs to be communicated to employees and justified.
If an individual posts on their social media account on behalf of their company, the company’s social media policy should consider:
- Whether the company monitors private messages sent from staff’s personal Twitter account
- Publicly sharing sensitive information about the company’s clients online
- Using company devices for personal communications
It is also advisable to use a disclaimer that any opinions expressed are personal and do not represent the views of the organisation.
Using your own device to post on behalf of your organisation raises a number of data protection pitfalls. The owner of the data remains in control of it regardless of who owns the device. An Acceptable Use Policy should cover this, and what kinds of business information can be processed on a personal device. Security breaches could also be more of an issue. Losing a personal device, or it being accessed by friends or family of the user, whilst containing confidential or sensitive information, could cause problems.
For example, Hillary Clinton’s use of a private email account set off a scandal that rocked the US Presidential election. It was her desire to use one mobile device for her work and personal emails that instigated the chaos.
Social media marketing
GDPR will make it more difficult to justify automated targeting or profiling of people using their personal information. The reasons for making automated decisions about a person must be explained. For example, targeting adverts for baby products at someone who searches for ‘morning sickness’ online may be unlawful profiling based on collecting sensitive personal information.
Data protection rights under GDPR
Privacy by default
The strictest privacy settings automatically apply to any new sign-up to a product or service. Personal information is only collected and kept for the amount of time necessary.
Right to data portability
Beyond a traditional Subject Access Request, people have the right to access their data and have it provided in a way that makes it easy for a computer to read, such as via a spreadsheet. A person can also request for their data to be transferred directly to another system for free.
Right to erasure
Someone can request the deletion or removal of their personal data, including information published online. Someone can also request for all of the posts they made on a website when they were under 18, such as on a social network, to be removed.
VinciWorks’ social media module included in GDPR training
VinciWorks’ GDPR course, GDPR: Privacy at Work, can be configured into over 1,000 courses using our course builder, meaning that marketing teams can learn the modules most relevant to their role. The course is included in VinciWorks’ GDPR training suite.