Social media and GDPR

Mar 10, 2022



Disclaimer: GDPR is a very large and complex piece of legislation, and I am not a legal practitioner. The following information has been reviewed by a legal strategist and this blog has been updated, March 2022. You should seek your own legal counsel for any specific requirements.

What is GDPR?

The General Data Protection Regulation, known as GDPR, came into force on 25 May 2018. Post-Brexit, it was made into UK domestic law in 2021 through the UK GDPR. Principles, rights and obligations are the same for both the GDPR and UK GDPR.

It applies to ALL businesses, no matter how large or small. It applies to everyone marketing or selling to individuals and organisations if they are offering goods or services to UK or EU citizens or monitoring the behaviour of UK or EU citizens.

If you are not compliant, the ICO could issue a fine of up to 20 million euros or 4% of your worldwide turnover for the previous 12 months, whichever is higher. Affected data subjects can also bring their own financial claims. There are step levels within these fines but it’s not just about financial consequences; there are criminal sanctions for officers, directors, partners and senior managers. At the moment these sanctions are limited to fines rather than prison sentences, but the liability is personal.

It’s also about trust.

Business today is built on trust. We buy from businesses we know, like and trust. We recommend businesses we know, like and trust. As such, the impact of brand and reputational damage can be far greater than any financial penalty.

Key definitions

  • Controller: the company/person who decides how and why personal data is processed
  • Data subject: an identifiable living individual
  • Personal data: any information relating to a data subject
  • Processing: doing anything in relation to personal data
  • Processor: the company/person who processes personal data on behalf of the controller
  • Recipient: a company/person to which personal data is disclosed

To clarify, personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

It doesn’t matter whether a person can actually be identified from the data (eg. IP addresses). Under the GDPR, it is only relevant that the information relates to an identifiable person. It’s also worth stressing that work-related emails will be personal data under the GDPR, if they allow a person to be identified.

Data processing

Whether an organisation acts as controller or processor isn’t always an easy question to answer. Just because you’re using another organisation’s data to provide services to them, you cannot assume you’re acting as their processor. Quite often outsourced service providers can be data controllers in their own right.

Whether or not you do anything with the data you collect, it’s still processing, and comes under GDPR.

All data controllers and data processors need to comply with data protection principles. Data processors have not previously been required to comply with these principles under the Data Protection Act, but will be required to do so under GDPR.

Data protection principles under GDPR

  1. Businesses must process personal data lawfully, fairly and in a transparent manner.
  2. Businesses must collect personal data only for one or more specified, explicit and legitimate purposes.
  3. Businesses must ensure personal data is adequate, relevant and limited to what is necessary.
  4. Businesses must ensure personal data is accurate and kept up-to-date.
  5. Businesses shall not keep personal data for longer than is necessary.
  6. Businesses must “ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Grounds for lawful processing of data

Alongside these data protection principles, there are 6 alternative grounds for legal processing of data under GDPR. Applying any one of these means satisfying the ‘lawfully’ requirement of the first data protection principle.

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose
  2. Contract: the processing is necessary for a contract you have with the individual (eg postal address to deliver a product), or because they have asked you to take specific steps before entering into a contract
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
  4. Vital interests: the processing is necessary to protect someone’s life
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.


There is a much higher standard of consent with GDPR, and the definition of consent is:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

Which means no more opt-outs, no more pre-ticked boxes, complete transparency about the purposes of processing data and the need to keep records of consent given. It must also be easy for someone to remove their consent at any time.

So, when requesting consent; the more you can split out your options with separate tick boxes, the better. And link those options through to a privacy policy that explains your purpose and grounds for processing. Please seek legal advice on updating your privacy policy.

Why is this relevant to use of social media? Well, many of us are using social media to generate awareness and we’re posting links to content whereby we’re asking for an email address in exchange – so that we can continue to market to them. We’re also using social media to nurture relationships.

Here’s a great diagram from Hubspot showing the customer journey and the areas of data processing at each stage of the journey.

To read the full article, visit:


GDPR and social media

The good news is that, as far as consent and data use within the platforms are concerned, GDPR and social media will effectively be covered by the terms and conditions and privacy notices of each of the social media platforms.

The area for caution when it comes to social media and GDPR, is extracting personal data from the platform and storing it elsewhere within your business.

For example, it is only acceptable to take an email address from social media, hold it on a CRM or use it in any email marketing activity, if you can justify doing so via one of the six legal grounds and provided you comply with the data protection principles. It’s not impossible, but it would be quite tricky to achieve.

You can continue to message via the social media platform where you have made a connection (liked or followed), but you can’t move the communication to any other marketing channel unless you can satisfy those legal grounds and comply with the data protection principles.


LinkedIn

LinkedIn is primarily a data controller and has responsibility for ensuring compliance with GDPR.

For further information, visit:

Meta (Facebook/Instagram/WhatsApp/Messenger)

In most cases, Facebook is a data controller.

There are some key instances, in which Facebook may also serve as a data processor. This is, for example, the case if you use Custom Audiences – when you upload a list of customers from your database to target with Facebook ads.

Whenever you create a Facebook ad you are asked to accept their terms and conditions.

Facebook’s policies apply to the other businesses they own, Instagram and WhatsApp.

For further information, visit:


Twitter

Again, Twitter is primarily a data controller.

As with LinkedIn, and Facebook, when you upload your own data to create a Tailored Audience for advertising, Twitter becomes a data processor. You are the data controller and are responsible for ensuring you have legal grounds to process the data before transferring it to Twitter for processing.

For further information, visit:

Social media advertising

In short, when a company is providing personal data to any advertising platform, for example in the form of an email list, they will need to have the right to do so under the GDPR.

When advertising for lead generation purposes on social media you will need to ensure there is a suitable disclaimer and a link to a privacy policy on any form you use when capturing data. No pre-ticked opt-in boxes for obtaining consent. Where you need to exercise caution under GDPR is in taking personal data out of social media. When you’re using it for lead generation and collecting data in exchange for content such as downloads, consent for further marketing communication needs to be explicit and opt-in.

If you are promoting products via social media, then at the point you capture personal data, you are processing it for contractual purposes.

But, the good news is that working within the social media platforms post May 25 2018 is a GDPR compliant method of marketing… so long as the social media platform itself is compliant. Their compliance makes the process easier for you. Remember, whichever platform you use – LinkedIn, Facebook, Twitter etc. – you will still have to justify one of the six legal bases of processing and comply with the data protection principles.

I’ll mention email marketing briefly, as social media is so often used for list building. Under GDPR it is a mandatory requirement to be able to prove that the recipient has given valid consent, and a double opt-in procedure is a highly recommended and well-established way of proving that. Double opt-in requires a subscriber to ‘tick a box’ to receive marketing material, and then to receive an email asking them to confirm their email address. Double opt-in is not itself a requirement, as it is possible to prove valid consent without following the double opt-in procedure; however, it is a very good way of providing evidence that consent has been obtained.
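To make the two steps above concrete, here is an added example (not from the blog post or from any mailing-list product) of a double opt-in flow that also keeps the consent evidence a controller would want to produce: the exact wording the subscriber ticked, the purpose, when the box was ticked, where the request came from, and when the confirmation link was clicked. The class and method names, the 48-hour link validity, the in-memory store and the secret are all assumptions made for the illustration; a real deployment would persist the records and load the secret from configuration.

```python
"""Double opt-in consent flow with an auditable consent record.

Added example for illustration only; names, TTL and storage are assumed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional

# Assumed validity window for the confirmation link (step 2).
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class ConsentRecord:
    email: str
    purpose: str            # the specific purpose the box was ticked for
    consent_text: str       # exact wording shown beside the tick box
    requested_at: float     # when the box was ticked (step 1)
    source: str             # where the request came from, e.g. a landing page
    token_hash: str         # only an HMAC of the confirmation token is stored
    confirmed_at: Optional[float] = None   # when the emailed link was used
    withdrawn_at: Optional[float] = None   # when consent was withdrawn


class DoubleOptIn:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._records: dict = {}   # email -> ConsentRecord (in-memory, assumed)

    def _hash(self, token: str) -> str:
        # Keyed hash so a leaked record does not reveal a usable token.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email, purpose, consent_text, source, box_ticked, now=None):
        """Step 1: the subscriber ticks an (un-pre-ticked) box.

        Returns the confirmation token to place in the emailed link, or None
        when the box was not ticked, because consent must be an affirmative act.
        """
        if not box_ticked:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        self._records[email] = ConsentRecord(
            email=email, purpose=purpose, consent_text=consent_text,
            requested_at=now, source=source, token_hash=self._hash(token))
        return token

    def confirm(self, email, token, now=None):
        """Step 2: the link from the confirmation email is followed.

        Rejects unknown addresses, replays, expired links and wrong tokens.
        """
        now = time.time() if now is None else now
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False
        if now - rec.requested_at > TOKEN_TTL_SECONDS:
            return False
        if not hmac.compare_digest(self._hash(token), rec.token_hash):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email, now=None):
        """Consent must be as easy to remove as it was to give."""
        now = time.time() if now is None else now
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.withdrawn_at = now
        return True

    def may_send_marketing(self, email) -> bool:
        rec = self._records.get(email)
        return (rec is not None and rec.confirmed_at is not None
                and rec.withdrawn_at is None)

    def evidence(self, email):
        """The record you would produce to show valid consent (token hash omitted)."""
        rec = self._records.get(email)
        if rec is None:
            return None
        return {k: v for k, v in asdict(rec).items() if k != "token_hash"}
```

The design point is that the record of consent and the proof of address control are separate: the tick box creates a record but sends nothing, and only a confirmed, non-withdrawn record lets mail go out. Storing a keyed hash rather than the token itself means an exported or leaked record cannot be used to confirm someone else’s address.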

Social media management tools

As an example, here’s the GDPR information from Hootsuite, which is the management tool I use. Their website says:

“Hootsuite is a data processor of content generated, requested or published via its supported platforms in accordance with the instructions our customers give us through our services. Because our customers control how their content is collected and used by them, our customers are, in legal terms, the data controllers of the content that they process through our platform. Hootsuite is its customers’ data processor of that content. For more information on the types and categories of data we and our customers collect and process, please see our Privacy Policy.”

For more information, visit:

If you’re using any other social media platform or management tool then please do check their website for GDPR updates and also the EU-US privacy shield.

Outsourcing social media

If you are outsourcing social media management, then you will need a data processing agreement with any suppliers. There must be a written contract when one business processes personal data on behalf of another business.

Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the GDPR unless there is a written contract between the two parties that includes, as a minimum, the following clauses:

  • a summary of the subject-matter of the data
  • the length of time that the processing will continue
  • the nature and purpose of the processing
  • the type(s) of personal data that will be processed
  • the categories of data subjects whose personal data will be processed
  • a statement of the obligations and rights of the data controller
  • the data processor must only act on the data controller’s documented instructions
  • all of the data processor’s personnel who access the data must be subject to appropriate confidentiality obligations
  • the data processor will comply with the requirements in the GDPR regarding security measures and encryption
  • the data processor must assist the data controller in dealing with requests from data subjects, dealing with data breaches and conducting impact assessments
  • the data processor must delete or return (at the data controller’s choice) all personal data at the end of the contract, or when the need for processing ceases
  • the data processor must provide any information the data controller requests in order to demonstrate compliance with the GDPR, and to allow the data controller to audit and inspect the data processor’s compliance
  • the data processor must not delegate the processing to a sub-processor without the data controller’s written consent (and then only on the basis of a written agreement which contains similar terms to the list above)

In addition, a data controller is only permitted to use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subject.

If you are a social media manager and you have not yet received a written contract from your client, then I would strongly recommend updating your contracts to clarify your client’s role as data controller and your role as a recipient of personal data and as a data processor. There must be something in writing to protect both parties. If you don’t then, in theory, both parties could be fined up to €10 million or 2% of annual global turnover (whichever is greater).


It is so important to clearly understand the data you hold and collect for your business, the alternative grounds for legal processing of data under GDPR and to maintain records.

Trust is a key currency in business, and the transparency around getting consent and sharing the purpose of collecting data can only be a good thing. GDPR compliance will ensure that only those who wish to receive marketing communications are on your list, which hugely minimises waste in terms of both time and resources.

As consumers become more aware of GDPR, and the information they share with organisations, we may see a reduced volume of available data but that’s fine. The remaining data should be more focused, targeted and valuable as a result.

For further information:

