Given that the reach of social media is increasing all the time, an article on forthcoming data privacy legislation might seem somewhat out of place.
You may take the view that social media is about relationships, engagement and interactivity, and not really about data privacy, online security and participant consent.
Well, it’s time to think again.
Unless you have been hiding in a cave or chose to skip over press articles, there is some major new legislation on the way in May 2018 called the EU General Data Protection Regulation – or GDPR.
This new Regulation applies from 25th May 2018 across all 28 Member States of the EU (it was adopted in 2016, with a two-year transition period).
The UK Government has recently published its draft Data Protection Bill, which is very closely aligned with GDPR, and following Brexit this will ensure that an equivalent to this new data protection legislation will remain in force in the UK.
It has been described as “the most important change in data privacy regulation in 20 years”, so you’d be unwise to ignore it and assume it doesn’t apply to your organisation. That goes for U.S. organisations too: under Article 3, GDPR applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour.
What are the key features of GDPR?
Many. But going back to basics, one of the key features of GDPR is the requirement for ‘data protection by design and by default’ (Article 25), which entails proper planning for how personal data is to be safely and securely managed and processed as it passes through an organisation.
Whether that includes personnel data for HR purposes, payment card data for on-line transactions, or medical records used by a doctor’s surgery, Article 35 of GDPR requires a Data Protection Impact Assessment wherever the processing is likely to result in a high risk to individuals, so that the risks to data subjects are identified and mitigated before processing begins.
GDPR requires that one of six “legal bases for the processing of personal data” (Article 6) is in place before any processing takes place. Of particular note are two of these:
-Consent of the data subject – the data subject being any identifiable individual whose personal data you process: customer, potential customer, influencer, and effectively anyone not within the data processing organisation.
-Necessary for the performance of a contract with the data subject – an auditable agreement between the organisation and the individual which explains the acceptable use of their personal data.
GDPR and social media – where is the link?
As marketers you are concerned with making the most effective use of social media tools or platforms such as Facebook, LinkedIn, Twitter, Pinterest, WhatsApp, Snapchat or Instagram.
The last thing you are likely to worry about is having your followers, friends or connections actually providing you with consent to store or use their data.
You will be pleased to hear that, as far as consent for the platform’s own processing is concerned, this is covered by the terms and conditions and privacy notices of each of these tools. Note that this covers the platform’s processing, not any further use you make of the data yourself.
Under the EU-US Privacy Shield framework (an adequacy arrangement rather than legislation), US organisations (including social media application providers) can self-certify and commit to principles which underpin their protection of EU citizen data entrusted to them.
In short, this means that both you and your social media audience agree to the terms of the tools you use. GDPR will also require platforms that are not established in the EU to appoint a representative in the EU (Article 27) who can be held to account for the organisation’s GDPR compliance within Europe.
So while you can breathe easier it’s worth being mindful of the bigger picture.
The tick box before the app opens
While you might not be a big fan of small print, social media users will need to be presented with a clear Privacy Notice or similar, which is available for their consideration before they decide to sign up and start participating.
The T&Cs of joining will almost certainly contain one of the two legal bases for processing above (explicit consent or performance of a contract).
That of course does not exempt you from exercising proper care with your use of personal data from your social media followers. For example, it will not be acceptable to take a customer’s email address and then look to use that in any undeclared email marketing or data processing activities.
Some other social media pointers
A social media ‘name’ is a personal identifier. This is significant because if a user voluntarily decides to make that public, then that is their decision, made with the full understanding and expectation that it will be seen by others. It does not, however, mean that anyone who collects it is free of their own GDPR obligations.
On another note, it will be interesting to see how the social media platforms will be expected to deal with subsequent data subject erasure requests, especially when many social media interactions record the participation of two or more individuals in exchanges of communications. Will simple deletion be sufficient? Watch this space.
From social media to CRM
If a social media handle is attached to a CRM account, then it would need to be provided voluntarily and not added by independent research.
There’s a growing number of examples of organisations who have ‘enhanced’ personal data beyond that provided by the citizen.
It is vital that you don’t just assume that the person is happy to have their personal data held on an electronic system, especially if you have an intention of passing or selling that data on to a third party that the data subject has no existing connection to.
Given that the nature of a social media relationship is usually informal, your best approach will be to specifically ask whether people agree to having their details held on a CRM system.
You might disclose this within a Privacy Notice (and document your reasoning in a Data Protection Impact Assessment), but regardless of your method, citizens do have a right to know, subsequent rights to access and correct their data, and even the right to request that you permanently erase it.
Snail mail vs email
Generally speaking a postal address and email address are subtly different: an email address typically identifies a single individual, whereas a postal address could identify a group of people.
However, GDPR does not differentiate between B2B and B2C communications – even the B2B route is almost certainly going to disclose personal information about the intended employee recipient; their job title for example, the name of their employer or their employment location.
With snail mail, the sender has up-front costs (printing, enveloping, postage etc), whereas sending an email is normally free. Whilst to date it can be very difficult to back out of unconsented emails (GDPR’s right to object to direct marketing, Article 21, will change that), with snail mail it’s a simple matter of writing ‘RTS’ (return to sender) and returning it for free.
GDPR and other marketing channels
GDPR changes marketing consent from broadly ‘opt-out’ as at present, to explicit ‘opt-in’ from May 2018: consent must be freely given, specific, informed and unambiguous, so pre-ticked boxes and silence no longer count.
Another of the six bases for processing we discussed earlier is having a ‘legitimate interest’, and Recital 47 of GDPR notes that direct marketing is one such legitimate interest.
Direct mail and telemarketing activities need to be aimed at existing customers to be a legitimate interest, and those customers should always have the ability to opt out. Checks should also be made against the various mailing/telephone preference service lists which are available.
However, unsolicited electronic communications (email and SMS) will require specific opt-in consent unless ‘soft opt-in’ applies. Details can be found on the ICO website.
By now your organisation’s GDPR preparation plans should be on schedule and in good shape. If not, do check out UtopiaR for some very handy GDPR compliance tools and advice.
You do need to be extra vigilant about whether your organisation takes social media-derived personal data out of the tools you use and stores them in another CRM system or elsewhere.
If in doubt, don’t do it. Or better still, explain why, ask for and record consent, and process in accordance with consent records.
After all, transparency is a fundamental part of gaining customer trust and something we should all be committed to.