Social media and GDPR

Disclaimer: GDPR is a very large and complex piece of legislation, and I am not a legal practitioner. The following information has been reviewed by a law firm and is correct on the date of publication (10th April 2018). You should seek your own legal counsel for any specific requirements.

What is GDPR?

The General Data Protection Regulation, known as GDPR, comes into force on 25 May 2018.

It applies to ALL businesses, no matter how large or small. It applies to everyone marketing or selling to individuals and organisations, and also to organisations outside the EU if they are offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU. GDPR is mandatory.

We’re less than a year away from Brexit now, but you can’t ignore GDPR: the UK Government has recently published its draft Data Protection Bill, which is very closely aligned with GDPR, and following Brexit this will ensure that an equivalent to GDPR remains in force in the UK.

If you are not compliant, the ICO could issue a fine of up to 20 million euros or 4% of your worldwide annual turnover for the preceding financial year, whichever is higher. Affected data subjects can also bring their own financial claims. There are stepped levels within these fines, but it’s not just about financial consequences; there are also criminal offences that officers, directors, partners and senior managers can be personally liable for. At the moment these sanctions are limited to fines rather than prison sentences, but the liability is personal.

It’s also about trust.

Business today is built on trust. We buy from businesses we know, like and trust. We recommend businesses we know, like and trust. As such, the impact of brand and reputational damage can be far greater than any financial penalty.

GDPR replaces the current data protection regime, the Data Protection Act 1998, which was written well before today’s social media platforms were launched! Much guidance has been published by the Information Commissioner’s Office, or ICO, who are responsible for upholding data protection legislation in the UK.

The ICO describe their GDPR guidance as a living document, so there is more advice to come.

In her speech at the Data Protection Practitioner’s Conference on 9 April 2018, Elizabeth Denham, the UK Information Commissioner, said: “There’s never been a more important time to be involved in data protection. You all have a role to play in advocating the correct use of personal data in a world where it powers so much of what makes our economy, our home life, and our public services function.” She also said that 25 May is not the end, it is the beginning.

Key definitions

  • Controller: the company/person who decides how and why personal data is processed
  • Data subject: an identifiable living individual
  • Personal data: any information relating to a data subject
  • Processing: doing anything in relation to personal data
  • Processor: the company/person who processes personal data on behalf of the controller
  • Recipient: a company/person to which personal data is disclosed

To clarify, personal data is any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

It doesn’t matter whether you yourself can actually identify the person from the data you hold (an IP address, for example). Under the GDPR, it is only relevant that the information relates to an identifiable person. That is a subtle but important difference between the current Data Protection Act and GDPR. It’s also worth stressing that work-related email addresses will be personal data under the GDPR if they allow a person to be identified (firstname.lastname@company.com, for instance).

Data processing

Whether an organisation acts as controller or processor isn’t always an easy question to answer. Just because you’re using another organisation’s data to provide services to them, you cannot assume you’re acting as their processor. Quite often outsourced service providers can be data controllers in their own right.

Whether or not you do anything with the data you collect, it’s still processing, and comes under GDPR.

All data controllers and data processors need to comply with the data protection principles. Data processors had no direct statutory obligations under the Data Protection Act 1998; under GDPR they have their own obligations (for example around security, record-keeping and breach notification) and can be fined in their own right.

Data protection principles under GDPR

  1. Businesses must process personal data lawfully, fairly and in a transparent manner.
  2. Businesses must collect personal data only for one or more specified, explicit and legitimate purposes.
  3. Businesses must ensure personal data is adequate, relevant and limited to what is necessary.
  4. Businesses must ensure personal data is accurate and kept up-to-date.
  5. Businesses shall not keep personal data for longer than is necessary.
  6. Businesses must “ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

On top of these six, Article 5(2) makes the controller responsible for, and able to demonstrate, compliance with them: the accountability principle. In practice that means keeping records of what you hold, why, on what basis and for how long.

Grounds for lawful processing of data

Alongside these data protection principles, there are six alternative lawful bases for processing data under GDPR. Satisfying any one of them meets the ‘lawfully’ requirement of the first data protection principle; you should decide which one applies before you collect the data, and record it.

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose
  2. Contract: the processing is necessary for a contract you have with the individual (eg postal address to deliver a product), or because they have asked you to take specific steps before entering into a contract
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
  4. Vital interests: the processing is necessary to protect someone’s life
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.


There is a much higher standard of consent with GDPR. Recital 32 of the regulation describes it like this:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

Which means no more opt-outs, no more pre-ticked boxes, complete transparency about the purposes of processing data, and the need to keep records of the consent given (who, when, how and for what). It must also be as easy for someone to withdraw their consent at any time as it was to give it.

So, when requesting consent; the more you can split out your options with separate tick boxes, the better. And link those options through to a privacy policy that explains your purpose and grounds for processing. Please seek legal advice on updating your privacy policy.

Why is this relevant to use of social media? Well, many of us are using social media to generate awareness and we’re posting links to content whereby we’re asking for an email address in exchange – so that we can continue to market to them. We’re also using social media to nurture relationships.

Here’s a great diagram from Hubspot showing the customer journey and the areas of data processing at each stage of the journey.

To read the full article, visit:

The EU-US Privacy Shield

At this point it’s important to note that many of the online services we use as small business owners and marketers are based outside of the EU.

This is where the EU-US privacy shield framework becomes important to GDPR compliance.

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

US organisations (including social media providers) can self-certify and commit to this framework agreement which underpins their protection of EU citizen data entrusted to them.

LinkedIn, Facebook and Twitter are all actively listed on the EU-US privacy shield, which means the transfer of data to them is covered and we can continue using them for business. Facebook owns Instagram and WhatsApp, so they are covered too. Bear in mind that the certification only addresses the transfer across the Atlantic; it does not replace your own need for a lawful basis for whatever you do with the data.

For more information, visit:

GDPR and social media

The good news is that, as far as consent and data use within the platforms are concerned, GDPR and social media will effectively be covered by the terms and conditions and privacy notices of each social media platform.

The area for caution when it comes to social media and GDPR, is extracting personal data from the platform and storing it elsewhere within your business.

For example, it is only acceptable to take an email address from social media, hold it on a CRM or use it in any email marketing activity, if you can justify doing so via one of the six legal grounds and provided you comply with the data protection principles. It’s not impossible, but it would be quite tricky to achieve.

You can continue to message via the social media platform where you have made a connection (liked or followed), but you can’t move the communication to any other marketing channel unless you can satisfy those legal grounds and comply with the data protection principles.

LinkedIn
LinkedIn is primarily a data controller and has responsibility for ensuring compliance with GDPR. As previously mentioned, it is certified under the EU-US privacy shield.

GDPR will, however, have some effects on their products such as LinkedIn Marketing Solutions, Sales Solutions and Talent Solutions.

By the time GDPR becomes effective, all members will have the option of opting out of the use of their demographic data in ad targeting. Members will control this from a new advertising settings page.

For further information, visit:

Twitter
Again, Twitter is primarily a data controller. Their website says they are working towards GDPR compliance and will be updating their privacy policy which will be available to review before 25th May.

As with LinkedIn, and Facebook, when you upload your own data to create a Tailored Audience for advertising, Twitter becomes a data processor. You are the data controller and are responsible for ensuring you have legal grounds to process the data before transferring it to Twitter for processing.

For further information, visit:

Facebook
In most cases, Facebook is a data controller.

There are some key instances, in which Facebook may also serve as a data processor. This is, for example, the case if you use Custom Audiences – when you upload a list of customers from your database to target with Facebook ads.

Whenever you create a Facebook ad you are asked to accept their terms and conditions; these are due to change before 25th May to comply with GDPR.

Facebook’s policies apply to the other businesses they own, Instagram and WhatsApp.

For further information, visit:

Social media advertising

In short, when a company is providing personal data to any advertising platform, for example in the form of an email list, they will need to have the right to do so under the GDPR.

When advertising for lead generation purposes on social media, you will need to ensure there is a suitable disclaimer and a link to a privacy policy on any form you use to capture data, and no pre-ticked opt-in boxes for obtaining consent. The area that needs caution under GDPR is taking personal data out of social media: when you are collecting data in exchange for content such as downloads, consent for any further marketing communication needs to be explicit and opt-in, separate from the download itself.

If you are promoting products via social media, then at the point someone buys and you capture their personal data, you are processing it on the contract basis. That covers what you need to fulfil the order (a delivery address, for instance); it does not cover marketing to them afterwards, which needs its own basis.

But, the good news is that working within the social media platforms post May 25th is a GDPR compliant method of marketing… so long as the social media platform itself is compliant. Their compliance makes the process easier for you. Remember, whichever platform you use – LinkedIn, Facebook, Twitter etc, you will still have to justify one of the six legal bases of processing and comply with the data protection principles.

I’ll mention email marketing briefly, as social media is so often used for list building. Under GDPR it is a mandatory requirement to be able to prove that the recipient gave valid consent, and a double opt-in procedure is a highly recommended and well-established way of proving that. Double opt-in requires a subscriber to tick a box agreeing to receive marketing material, and then to receive an email asking them to confirm their email address. Double opt-in is not itself a requirement, as it is possible to prove valid consent without it; however, it is a very good way of providing evidence that consent was obtained, and it also stops someone signing up an address that isn’t theirs.
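To show what “being able to prove consent” looks like in practice, here is an added example (my own illustration, not code from any platform or mailing tool) of a double opt-in flow: the sign-up records which boxes were ticked, where and when; the confirmation link carries an HMAC-signed, single-use, expiring token; and the record of confirmation and withdrawal is kept as the evidence you would produce if asked. The secret key, the 48-hour link lifetime and the in-memory store are assumptions standing in for your real configuration and database.

```python
"""Double opt-in with a signed confirmation token and a consent audit record.

Added example, not from the original article. Assumptions: a single secret key
loaded from configuration, an in-memory dict standing in for a database, and a
48-hour validity window for the confirmation link.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    """What you keep as evidence: who, what they agreed to, when, and from where."""
    email: str
    purposes: List[str]          # one entry per separate, unticked checkbox on the form
    source: str                  # e.g. the landing page or lead form the sign-up came from
    requested_at: int            # step 1: form submitted (not yet valid consent to email)
    confirmed_at: Optional[int] = None   # step 2: link in confirmation e-mail followed
    withdrawn_at: Optional[int] = None   # consent withdrawn; record kept, not deleted


class DoubleOptIn:
    def __init__(self, key: bytes, now: Callable[[], float] = time.time,
                 ttl: int = TOKEN_TTL_SECONDS) -> None:
        self._key = key
        self._now = now
        self._ttl = ttl
        self._records: Dict[str, ConsentRecord] = {}
        self._used_nonces: set = set()     # single-use links: a nonce can only confirm once

    def request(self, email: str, purposes: List[str], source: str) -> str:
        """Step 1: the form was submitted with at least one box ticked.
        Returns the token to embed in the confirmation link that is e-mailed out."""
        if not purposes:
            raise ValueError("no purpose selected: an unticked form is not consent")
        issued = int(self._now())
        self._records[email] = ConsentRecord(email=email, purposes=list(purposes),
                                             source=source, requested_at=issued)
        return self._sign({"email": email, "iat": issued, "nonce": secrets.token_urlsafe(16)})

    def _sign(self, claims: dict) -> str:
        """Token = base64url(JSON claims) '.' hex(HMAC-SHA256 over that body)."""
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def confirm(self, token: str) -> bool:
        """Step 2: the subscriber followed the link. Every failure mode returns False."""
        try:
            body, mac = token.split(".", 1)
        except ValueError:
            return False
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                        # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        record = self._records.get(claims["email"])
        if record is None or claims["iat"] != record.requested_at:
            return False                        # no pending request, or superseded by a newer one
        if self._now() - claims["iat"] > self._ttl:
            return False                        # link expired
        if claims["nonce"] in self._used_nonces:
            return False                        # link already used (replay)
        self._used_nonces.add(claims["nonce"])
        record.confirmed_at = int(self._now())
        return True

    def withdraw(self, email: str) -> None:
        """Withdrawing must be as easy as giving consent; the record is kept and marked."""
        record = self._records.get(email)
        if record is not None:
            record.withdrawn_at = int(self._now())

    def may_email(self, email: str, purpose: str) -> bool:
        """Only confirmed, non-withdrawn consent for this specific purpose permits sending."""
        record = self._records.get(email)
        return (record is not None and record.confirmed_at is not None
                and record.withdrawn_at is None and purpose in record.purposes)

    def evidence(self, email: str) -> Optional[dict]:
        """The audit trail you would produce if asked to demonstrate consent."""
        record = self._records.get(email)
        return asdict(record) if record else None
```

Note that `may_email` checks the purpose as well as the confirmation: a tick for “newsletter” does not cover “partner offers”, which is the point of splitting the checkboxes out. Withdrawal marks the record rather than deleting it, because the fact that consent was given and then withdrawn is itself part of what you may need to evidence.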

Social media management tools

As an example, here’s the GDPR information from Hootsuite, which is the management tool I use. Their website says:

“Hootsuite is a data processor of content generated, requested or published via its supported platforms in accordance with the instructions our customers give us through our services. Because our customers control how their content is collected and used by them, our customers are, in legal terms, the data controllers of the content that they process through our platform. Hootsuite is its customers’ data processor of that content. For more information on the types and categories of data we and our customers collect and process, please see our Privacy Policy.”

For more information, visit

If you’re using any other social media platform or management tool, then please do check their website for GDPR updates and for their EU-US privacy shield status.

Outsourcing social media

If you are outsourcing social media management, then you will need a data processing agreement with any suppliers. There must be a written contract when one business processes personal data on behalf of another business.

Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the GDPR unless there is a written contract between the two parties that includes, as a minimum, the following clauses:

  • the subject-matter of the processing
  • the length of time that the processing will continue
  • the nature and purpose of the processing
  • the type(s) of personal data that will be processed
  • the categories of data subjects whose personal data will be processed
  • a statement of the obligations and rights of the data controller
  • the data processor must only act on the data controller’s documented instructions
  • all of the data processor’s personnel who access the data must be subject to appropriate confidentiality obligations
  • the data processor will comply with the requirements in the GDPR regarding security measures and encryption
  • the data processor must assist the data controller in dealing with requests from data subjects, dealing with data breaches and conducting impact assessments
  • the data processor must delete or return (at the data controller’s choice) all personal data at the end of the contract, or when the need for processing ceases
  • the data processor must provide any information the data controller requests in order to demonstrate compliance with the GDPR, and to allow the data controller to audit and inspect the data processor’s compliance
  • the data processor must not delegate the processing to a sub-processor without the data controller’s written consent (and then only on the basis of a written agreement which contains similar terms to the list above)

In addition, a data controller is only permitted to use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subject.

If you are a social media manager, if you have not yet received a written contract from your client, then I would strongly recommend updating your contracts to clarify your clients’ role as data controller and your role as a recipient of personal data and as a data processor. There must be something in writing to protect both parties. If you don’t then, in theory, both parties could be fined up to €10 million or 2% of annual global turnover (whichever is greater).


It is so important to clearly understand the data you hold and collect for your business, the alternative grounds for legal processing of data under GDPR and to maintain records.

Trust is a key currency in business, and the transparency around getting consent and sharing the purpose of collecting data can only be a good thing. GDPR compliance will ensure that only those who wish to receive marketing communications are on your list, which hugely minimises waste in terms of both time and resources.

As consumers become more aware of GDPR, and the information they share with organisations, we may see a reduced volume of available data but that’s fine. The remaining data should be more focused, targeted and valuable as a result.

For further information:
