What Does GDPR Mean For Social Media Marketing

If you’ve heard of GDPR, chances are you’re wondering how it will affect your social media marketing plan. After all, Facebook and Instagram were among the first platforms hit with complaints filed under the new rules, so surely they’ll be forced to change their ways. Many people think this means the end of all online advertising. But before we throw our hands up in despair, let’s look at what GDPR actually means for marketers, and how we can still use these platforms to connect with our audience without breaking the law.

In this guide, we cover what GDPR means for social media marketing, whether social media posts are personal data, the Data Protection Act and social media, and how social media meets legal requirements for data sharing.

What Does GDPR Mean For Social Media Marketing

GDPR Overview: What You Need To Know

GDPR stands for General Data Protection Regulation. It is an EU regulation, in force since 25 May 2018, that applies to every organization processing the personal data of people in the EU. It is designed to give people more control over their personal data and to replace the patchwork of national rules with one set that applies across the Union.

The most important thing to know about GDPR is that it applies to any organization that processes the personal data of people in the EU, not only to organizations based there. The test is where the data subjects are, not their citizenship. If you have an international audience, this legislation has serious implications for how you market to it.

Who does GDPR apply to?

  • Any organization established in the EU that processes personal data, whatever the nationality or location of the people concerned.
  • Any organization outside the EU that offers goods or services to people in the EU (paid or free) or monitors their behaviour, for example through analytics cookies, ad tracking or social listening. A website or app that collects personal data from visitors in the EU is enough to bring you into scope.

What is personal data?

The GDPR defines personal data as any information relating to an identified or identifiable person. It is not limited to name, address and birth date; it also covers IP addresses, cookie and device identifiers, location data, and social media posts and profiles, whenever they can be linked back to someone.

A business could have an email list of customers who purchased a certain product in the past. This information could be considered personal data because it identifies each customer individually (each has their own email address).

What are my rights under the GDPR?

As the data subject, you have rights over information about you. These include:

  • The right to be informed: If your data is being processed, the controller must provide you with a notice containing key details about how and why that’s happening.
  • The right of access: You can ask an organization for a copy of the personal data it holds on you and for information on how it is being used.
  • The right to rectification: You can make corrections if your personal data is incomplete or inaccurate.
  • The right to erasure (also known as “the right to be forgotten”): You can ask an organization to delete all or some of the personal data it holds on you, but there are exceptions. The organization may keep data it needs for another lawful reason, data it must keep by law (tax records, for example), and data it needs to establish or defend legal claims or to protect against fraud and other illegal activity.
  • The right to restrict processing: You can ask an organization to stop using your data while continuing to store it, for instance while a dispute about its accuracy, or about the organization’s claimed legitimate interest, is being resolved. Restricted data may still be held, but it may not be processed further without your consent or another legal ground.
  • Further rights cover data portability, objecting to processing (direct marketing must stop as soon as you object) and not being subject to purely automated decisions that have legal or similarly significant effects on you.

Does this apply to my website?

Yes, if your organization is established in the EU. If it isn’t, GDPR still applies when your website offers goods or services to people in the EU (a checkout in euros or a country-specific version of the site are typical signs) or monitors their behaviour, for example with advertising or analytics cookies. A site that merely happens to be reachable from the EU is not, by itself, in scope.

Are cookies affected?

Cookies and similar identifiers (device IDs, pixel and tag identifiers) count as personal data when they single out a person or device, and advertising cookies exist precisely to track browsing activity. Two sets of rules apply. Under the ePrivacy rules (the UK’s PECR and the national laws implementing the EU ePrivacy Directive), a cookie that is strictly necessary for a service the user asked for, such as keeping a shopping basket or a login session alive, needs no consent. Analytics, personalization and advertising cookies, including the pixels that feed social media ad platforms, may only be set after the user has given consent. Under GDPR, the profile built from those cookies then has to be processed on a lawful basis, with the usual transparency and access rights.

Are social media platforms prepared for the new GDPR rules?

The short answer is that the social media giants have done their best to comply. Facebook, Google and Twitter all updated their privacy policies for GDPR and changed how they collect data, how they use it to improve their services, and how they provide personalized ads.

Facebook asks users for specific permission before information such as location or contact details is shared with third parties such as advertisers on its network. The company also lets users see what data it holds about them through the “Access Your Information” feature in the Settings menu, on desktop and mobile alike.

Google updated its terms for developers building on its platforms, including YouTube and Gmail, and its EU User Consent Policy, which requires sites and apps that use Google’s advertising and analytics services to obtain users’ consent for the cookies and personalised ads those services rely on. Developers remain responsible for obtaining that consent in their own apps.

While the GDPR may seem like a minefield of legal information and technical jargon, there are ways to approach it without getting overwhelmed. Don’t expect yourself or your team to know everything about compliance right away; you’ll need help from experts and trusted resources along the way.

A good start is working out which of the data you hold is personal data and which isn’t; once you’ve done this, you’ll know how much work is left, if any. If it turns out you process no personal data at all, there is little to do beyond documenting that conclusion, though for a marketing team that runs ads, analytics or an email list this outcome is rare.

Also make sure your company has measures in place to protect personal data wherever possible: train employees on how to handle sensitive information, limit who can access it, and build monitoring into your systems so that an intruder cannot get at it without setting off alarms first.

Are Social Media Posts Personal Data?

Roughly 57% of the global population now has access to the internet. Being connected to the largest network in the world brings a host of advantages, but it comes at a price: about 53% of online users say they are more concerned about their online privacy than they were a year ago.

Other widely cited estimates put a hacker attack at one every 39 seconds and the global cost of cybercrime in 2018 at around $600 billion, which would make cybercrime more lucrative than the global trade in illegal drugs.

Against this background, the European Parliament and the Council of the European Union adopted the General Data Protection Regulation (GDPR), which governs data protection and social media privacy for all individuals in the European Union (EU) and the wider European Economic Area (EEA).

In general, GDPR is geared towards giving individuals control over their personal data and harmonizing the regulatory environment across the EU. It applies to organizations that handle the personal data of people located in the EU, whether or not they are EU citizens.

Technically speaking, any company that processes or stores information about people in the EU must comply with the GDPR, even if it has no business presence in Europe. The criteria that bring a company into scope are that it is established in the EU, that it offers goods or services to people in the EU (whether or not payment is involved), or that it monitors their behaviour, for example through tracking, profiling or social listening.

Moreover, organizations need a lawful basis for every use of personal customer information, including the uses covered by their social media policy. The regulation also lets customers ask that their personal information be deleted by businesses they do not wish to hold it. Its focus is to make sure that consumers have rights over their personal data, including those described above (information, access, rectification, erasure and restriction) as well as data portability and the right to object.

The GDPR treats as personal data anything that relates to an identified or identifiable person. Beyond the common items like name, phone number and address, this includes photographs, bank details, medical data, financial account numbers, and data associated with social media posts.

In other words, GDPR makes it harder for business websites that depend heavily on social media to monitor customer information and behaviour for automated profiling or targeting. Companies also need a lawful basis, in practice an explicit opt-in, before they can email customers about a sale in their stores or target them with social advertising.


More often than not, mobile opt-ins are connected to social media and take the form of a popup that asks the user to authorize the social app. Although such forms are already in regular use, the GDPR means they must be more comprehensive about the types of information gathered and the reason it is shared.

Through this process, consumers gain more privacy, added security for their personal data, and better control over their shopping experience, because businesses have to make sure that consent is specific, informed, unambiguous and freely given, and that it is as easy to withdraw as it was to give.

To meet that standard, a business must state who is asking for consent and for what purpose, keep the request separate from other terms and conditions, ask for each purpose separately, avoid making a service conditional on consent it does not need, and keep a record of what each person agreed to and when.

In addition, the GDPR regulation on data protection on social media also states that pre-checked boxes for consent are not allowed. In short, customers have to take action before consent is given to the business.
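The consent rules in the three paragraphs above (specific, informed, affirmative, withdrawable, no pre-ticked boxes, and a record of what was agreed) are easiest to check when they are encoded in the system that stores consent. The following is an added example written for this article, not code from any of the companies or products mentioned; the purpose names, notice version and sample form submission are assumptions used for illustration.

```python
"""Purpose-specific consent ledger.

Added example, not code from the article. It encodes the consent standard
the text describes: an affirmative act (no pre-ticked boxes), one purpose
per grant, a record of which notice the person saw, and withdrawal that is
as easy as the grant. All names and the sample form are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class InvalidConsent(ValueError):
    """The submission does not meet the consent standard."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                    # exactly one purpose per record: "specific"
    notice_version: str             # the notice shown at the time: "informed"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_form(self, subject_id: str, notice_version: str,
                    submitted: Dict[str, bool], rendered: Dict[str, bool],
                    now: Optional[datetime] = None) -> List[ConsentRecord]:
        """Turn one opt-in form into consent records.

        `submitted` maps purpose -> box state the user sent back;
        `rendered` maps purpose -> box state as the form was shown.
        Any box that was ticked before the user touched it invalidates the
        whole submission: a pre-ticked box is not an affirmative act.
        """
        now = now or datetime.now(timezone.utc)
        preticked = [p for p, on in rendered.items() if on]
        if preticked:
            raise InvalidConsent(f"pre-ticked boxes: {preticked}")
        new = [ConsentRecord(subject_id, purpose, notice_version, now)
               for purpose, ticked in submitted.items() if ticked]
        self._records.extend(new)
        return new

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """One call, no extra hurdles; returns the number of grants closed."""
        now = now or datetime.now(timezone.utc)
        closed = 0
        for i, rec in enumerate(self._records):
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) and rec.active():
                self._records[i] = ConsentRecord(rec.subject_id, rec.purpose,
                                                 rec.notice_version, rec.given_at, now)
                closed += 1
        return closed

    def permits(self, subject_id: str, purpose: str) -> bool:
        """The gate every mailer or ad-audience upload must pass through."""
        return any(r.active() and (r.subject_id, r.purpose) == (subject_id, purpose)
                   for r in self._records)

    def access_request(self, subject_id: str) -> List[dict]:
        """Everything to hand over on a right-of-access request."""
        return [{"purpose": r.purpose, "notice_version": r.notice_version,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.subject_id == subject_id]


def demo() -> ConsentLedger:
    """Constructed sample: both boxes rendered unticked; the user ticks only
    the newsletter box, so ads get no grant at all."""
    ledger = ConsentLedger()
    rendered = {"newsletter": False, "social_ads": False}
    submitted = {"newsletter": True, "social_ads": False}
    ledger.record_form("user-123", "privacy-notice-v4", submitted, rendered)
    return ledger


def rejects_preticked() -> bool:
    """Same form, but rendered with the ads box already ticked."""
    try:
        ConsentLedger().record_form("user-123", "privacy-notice-v4",
                                    {"social_ads": True}, {"social_ads": True})
    except InvalidConsent:
        return True
    return False
```

The point of keeping `rendered` next to `submitted` is that the ledger can prove, for each grant, that the box started unticked; storing `notice_version` is what lets you answer “what did they agree to?” after the privacy notice changes.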

Under the GDPR there are six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. The two most relevant to social media marketing are consent and legitimate interests, because they bear most directly on the privacy, protection and control of users. Legitimate interests requires a documented balancing test, and it cannot be used to set cookies that the ePrivacy rules reserve for consent.

Besides the changes in social media advertising, GDPR has also driven significant changes in lead generation. Facebook and LinkedIn both changed their lead-generation forms, the former requiring users to agree to the stated terms and conditions and the latter adding a consent checkbox to its forms (which, to count as consent, must not be pre-ticked).

What’s more, GDPR has pushed social media leads to put together a clear written policy for their teams that maps onto its requirements. The document should be formal, detailed, and intended to educate anyone involved in social media management on the rules surrounding GDPR.

The document can summarize the policies already in place on the various systems and set out how errors are corrected. Furthermore, GDPR promotes better email engagement, since only people who are interested in your product will receive your content, which increases conversion rates.

How Businesses Can Benefit From Complying With GDPR Regulations

Businesses that fail to comply face fines of up to 20 million euros or 4% of their worldwide annual turnover, whichever is higher. Conversely, GDPR is not all doom and gloom; it also brings plenty of advantages to businesses that comply.

Boost Your Cybersecurity Practices

Perhaps the biggest advantage of pursuing GDPR compliance with RSI Security is the improvement to the company’s cybersecurity. No business can afford to ignore cybersecurity given the cost of downtime and data breaches that follow the loss or theft of critical data.

In a 2017 Cyber Security Breaches Survey, experts revealed that 68% of large firms in the United Kingdom (UK) have encountered some form of cyberattacks. With the complexity and scale of these attacks accelerating at full throttle, having a GDPR-compliant framework in place will establish a security-conscious workflow.

The regulation requires businesses to define their security strategy and implement appropriate technical and organizational measures to protect the personal data of people in the EU (Article 32). Doing so helps the organization minimize its attack surface and understand what is going on across its network.

GDPR does not prescribe particular products, but the “appropriate measures” it requires in practice include identity and privileged access management, so that only the few people who need critical data can reach it, along with encryption or pseudonymization and regular testing of those controls. The regulation also requires an organization to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay when the breach is likely to put them at high risk.

Improve Return On Investments on Social Media Strategies

As mentioned, one of the key concepts of the GDPR is that a business should operate an opt-in policy and obtain the data subject’s consent before processing personal data for marketing. Through this process, organizations can refine their database down to relevant customers and leads who genuinely want to hear from them.

With this data at hand, businesses can experiment with niche marketing by creating tailored messages geared towards specific habits and needs of a clearly defined audience that has more interest in your products. This particular granular marketing strategy will lead to a higher conversion rate, social sharing, click-through, and increase your marketing ROI as efforts and budgets are spent wisely.

It is also through these tailored messages that businesses can build more trusting relationships with their clients and the general public. When asking for consent to utilize the information of data subjects, businesses have to explain concisely and clearly how they will be using their personal information.

The responsibility and transparency every business demonstrates to the public will encourage trust in their brands as consumers are becoming more and more vigilant about how their data is handled. In a nutshell, organizations can use the GDPR to highlight that they do care about the privacy of their prospective and current clients and stand head and shoulders above their competitors.

Enhance Management Of Data

To be compliant, businesses should know precisely what personal data they hold on people. Usually the first step towards GDPR compliance is to inventory each dataset and organize where it is stored. This enables businesses to reduce the data they gather and hold and, more importantly, to refine their data management process.

More often than not, a third-party service like RSI Security will encourage businesses to identify and clean up redundant, obsolete and trivial (ROT) information that offers little or no organizational value. By getting rid of this information, businesses can cut the cost of processing and storing it.

Subsequently, businesses will evaluate the data and implement mechanisms to make it searchable and indexed across all their stores. This is essential for handling requests from subjects who exercise their right to erasure, since you cannot delete what you cannot find. On the flip side, this requirement lets businesses restructure data storage so that staff work more efficiently with easily searchable, accessible and accurate information.
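Handling an erasure request is where the inventory above and the erasure exceptions listed earlier (data kept under a legal obligation such as tax records, or for fraud prevention) meet. The following is an added example written for this article, not code from RSI Security or any product; the three data stores, their records, the lawful-basis labels and the retention date are constructed sample data, and the response format is an assumption.

```python
"""Erasure-request handler that honours retention exceptions.

Added example, not from the article. Every record carries the lawful basis
under which it is kept; records held under a legal obligation (tax records)
or for fraud prevention are reported back as retained instead of deleted,
and are deleted once their retention period has expired. The stores and
records are constructed sample data.
"""
from __future__ import annotations

from datetime import date
from typing import Dict, List, Optional

CRM = [
    {"id": 1, "email": "ana@example.com", "basis": "consent", "purpose": "newsletter"},
    {"id": 2, "email": "bob@example.com", "basis": "consent", "purpose": "newsletter"},
]
INVOICES = [
    {"id": 10, "email": "ana@example.com", "basis": "legal_obligation",
     "purpose": "tax", "retain_until": date(2031, 1, 1)},
]
SOCIAL_LEADS = [
    {"id": 20, "email": "ana@example.com", "handle": "@ana",
     "basis": "consent", "purpose": "social_ads"},
]
STORES: Dict[str, List[dict]] = {"crm": CRM, "invoices": INVOICES,
                                 "social_leads": SOCIAL_LEADS}

# Lawful bases under which an erasure request is refused, and the reason
# the requester is given for each.
RETAINED_BASES = {
    "legal_obligation": "required by law (e.g. tax records)",
    "fraud_prevention": "needed to protect against fraud",
}


def locate(email: str) -> Dict[str, List[dict]]:
    """Find every record about one person across all stores; this index is
    what makes the request answerable at all."""
    return {name: [r for r in rows if r.get("email") == email]
            for name, rows in STORES.items()}


def must_retain(rec: dict, today: date) -> Optional[str]:
    """Reason to keep the record, or None if it can be erased now."""
    reason = RETAINED_BASES.get(rec["basis"])
    until = rec.get("retain_until")
    if reason and (until is None or until > today):
        return reason
    return None


def erase(email: str, today: date) -> dict:
    """Delete what may be deleted, keep what must be kept, and return the
    response to send back to the requester."""
    deleted, retained = [], []
    for name, rows in STORES.items():
        for rec in list(rows):              # iterate over a copy: rows is mutated
            if rec.get("email") != email:
                continue
            reason = must_retain(rec, today)
            if reason:
                until = rec.get("retain_until")
                retained.append({"store": name, "id": rec["id"], "reason": reason,
                                 "until": until.isoformat() if until else None})
            else:
                rows.remove(rec)
                deleted.append({"store": name, "id": rec["id"]})
    return {"subject": email, "deleted": deleted, "retained": retained}
```

The response tells the requester exactly which records were kept and why, which is what the right-to-be-informed bullet earlier requires; running `erase` again after the retention date has passed removes the remaining records, so the same handler doubles as the scheduled clean-up job.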

What Does It Take To Be GDPR-Compliant?

While the sea of customer information under GDPR’s protection may seem daunting, there are a few key yet straightforward requirements you should concentrate on to increase your odds of compliance. Start by obtaining customer consent through a request laid out in plain and simple language.

The terms of consent should be kept precise and up to date for every customer. Your business should also put processes in place to respond to and act on a withdrawal of consent promptly.

Other than crafting privacy policies, businesses are also advised to engage a Data Protection Officer (DPO), a service RSI Security offers, to further increase the chances of being compliant. A DPO is mandatory for public authorities and for any organization whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; the GDPR sets no employee-count threshold.

The DPO advises the organization on its obligations, monitors compliance (including staff training and audits), cooperates with the supervisory authority and acts as the point of contact for data subjects. Large-scale monitoring or processing of special-category data is what triggers the appointment; it is not something the DPO does.

A Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring, and is advisable whenever your company keeps personal data in long-term storage. A DPIA is an evaluation of your organization’s procedures and processes that measures how they affect, or might compromise, the rights and security of the individuals whose data it gathers and stores.

Through the DPIA, businesses can ensure compliance with the applicable policy, regulatory, and legal requirements regarding privacy. It is also essential in determining the risks and effects of data loss and evaluating protections and alternative methods to mitigate potential privacy pitfalls.

Furthermore, companies must have the technology and processes to detect, contain and assess breaches quickly enough to notify the supervisory authority within 72 hours of becoming aware of them. This may require overhauling internal data and security policies and substantial employee training to ensure a proper response plan for data breaches.

Closing Thoughts

Although full GDPR compliance will take more than a few weeks, achieving it puts companies on the right footing for protecting customer data in the long run. Put workstreams in place to support your staff and appoint a DPO to cover all the bases of your compliance strategy. Talk to an expert at RSI Security to start your journey towards GDPR compliance.


RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institutions and governments to ensure the safety of their information and their compliance with applicable regulations. We are also a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software-based automation and managed services, RSI Security can assist organizations of all sizes in managing IT governance, risk management and compliance (GRC) efforts. RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

Data Protection Act and Social Media

Social media is a vast and expanding network, which leaves the personal data of users exposed to compromise and misuse by cyber-criminals. Consequently, the need to protect the personal data of social media users has intensified. Social networks now have to defend against attacks in the form of phishing scams, spyware, malware and account cloning. The increased use of social networking sites, and the vast amount of personal data they store, has also called for more data protection.

Social Networking Sites and Data Protection

As social media offerings develop, a social media user supplies their personal data to a wide online network, at the risk of that data being misused. Therefore, a wide range of data protection requirements are needed.

The Data Protection Act (DPA) 2018, which sits alongside the UK GDPR, provides the legal framework under which social media networks and the businesses using them must handle personal data. The DPA includes an exemption for personal data used for purely domestic purposes. The Information Commissioner’s Office (ICO) states that the domestic purposes exemption covers individuals using social networking sites for personal reasons. Therefore, an individual using Facebook or Twitter for their own personal reasons does not need to comply with the DPA.

The domestic purposes exemption only relates to individuals, therefore if a business is using social networking sites to promote their business, then they are required to conform to the DPA.

Catfishing: A form of Identity Theft

The personal data individuals upload to social media networks has enabled ‘catfishing’. Catfishing is the process by which personal data such as the name, age and photographs of an individual are taken in order to create another identity. In July 2017 Labour MP Ann Coffey called for a law to criminalise catfishing on the grounds that it is the theft of a personal identity, and thus a form of identity theft. The demand to make catfishing illegal has gained momentum in recent years, due to the increase in catfishing scandals and the amount of personal data available on social media networks. Although no laws have been made against catfishing yet, with the increased focus on data protection it seems likely that more calls will be made to make catfishing illegal.

Data Breaches and Social Networking Sites

The rise in cyber-criminal activity in recent years is one reason the DPA 2018 strengthened the controls over personal data online. In 2013, Twitter suffered a data breach that gave attackers access to around 250,000 accounts, exposing the usernames, email addresses, session tokens and hashed passwords of those users. This breach followed a series of attacks on US technology and media companies, including the hacking of the Wall Street Journal and the New York Times. In the same period Apple disabled the Java browser plugin on Macs to reduce the risk from Java exploits.

Moreover, LinkedIn lost the credentials of about 6.5 million accounts in a 2012 breach; in 2016 it emerged that the same breach had in fact exposed around 167 million accounts. The stolen password file held unsalted SHA-1 hashes rather than encrypted passwords, so a large majority of them were recovered by crackers within days of the 2016 release, and LinkedIn had to force resets across all affected accounts. The rise in hacking of social networking sites means it is imperative to understand what personal data you have uploaded to these sites, and where you have reused the passwords that protect them.
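The LinkedIn case above turns on one detail: the hashes were unsalted SHA-1, so an attacker who builds a table of hashes for common passwords once can match it against every leaked hash without further computation. The following is an added example written for this article, not LinkedIn’s code or anything from the page; the user list and wordlist are constructed, and the PBKDF2 iteration count is an assumption taken from OWASP’s 2023 recommendation for PBKDF2-HMAC-SHA256.

```python
"""Unsalted SHA-1 password hashes versus a salted, slow KDF.

Added example, not from the article. Shows why a leak of unsalted SHA-1
hashes (the LinkedIn 2012 case) is recoverable with a precomputed table,
and why per-user salts plus PBKDF2 defeat the same table. The user
database and wordlist are constructed; the iteration count is an
assumption taken from OWASP's 2023 guidance for PBKDF2-HMAC-SHA256.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

ITERATIONS = 600_000


def sha1_hex(password: str) -> str:
    """How the leaked hashes were produced: one digest, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(candidates: Iterable[str]) -> Dict[str, str]:
    """hash -> plaintext table. Built once, then applied to any number of
    leaked hashes, because equal passwords give equal unsalted hashes."""
    return {sha1_hex(p): p for p in candidates}


def crack_unsalted(leaked: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Recovering a password is a dictionary lookup, not a computation."""
    return {h: table[h] for h in leaked if h in table}


def pbkdf2_store(password: str) -> Tuple[bytes, bytes]:
    """Hardened form: random 16-byte salt per user, slow derivation.
    The salt is stored next to the digest; it is not a secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak digest bytes."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


WORDLIST: List[str] = ["password", "123456", "linkedin", "letmein", "qwerty"]
USERS: Dict[str, str] = {"ana": "letmein", "bob": "linkedin", "cy": "Tr0ub4dor&3"}


def demo() -> Tuple[int, bool]:
    """Returns (passwords recovered from the unsalted leak, whether two users
    with the same password end up with different salted digests)."""
    leaked = [sha1_hex(p) for p in USERS.values()]
    cracked = crack_unsalted(leaked, build_lookup(WORDLIST))   # 2 of 3 fall instantly
    _, d1 = pbkdf2_store("linkedin")
    _, d2 = pbkdf2_store("linkedin")
    return len(cracked), d1 != d2
```

With salts, the attacker cannot reuse a table: every candidate password has to be re-derived per user, and the iteration count makes each derivation cost roughly as much as the legitimate login check, which is the whole point of a slow KDF.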

Social Media and Businesses

A vast number of businesses now utilise social media networking sites to promote their business and to communicate with customers, these social media networks tend to be Facebook, LinkedIn and Twitter.

Organisations, by abiding by the DPA and the PECR requirements, can capture consent from social media users through social plugins in the form of a “like” or “follow”. Thus organisations enjoy an easier capture of consent through social media whilst complying with the data protection regulations, but it tends to happen by default: social media users tend to be unaware that a “like” effectively offers their online data to that business. Note that a like or follow is not, on its own, consent to further processing such as marketing emails or ad targeting; GDPR consent has to be a specific, informed and unambiguous act for that purpose.

Consequently, a lot of confusion arises between the business and the online customer, and data protection guidance now sets out how to use these social plugins legally. Social plugins let businesses expand their reach across social media easily, but data protection regulations are there to ensure they are not exploited. The Court of Justice of the EU’s 2019 Fashion ID ruling also held that a website operator embedding Facebook’s Like button is a joint controller with Facebook for the data the plugin collects and sends, so the operator needs its own lawful basis and notice for that collection.

The EU-US Privacy Shield was the framework under which US social media networks committed to protecting the personal data of people in the EU when it was transferred to the US. The Court of Justice of the EU struck Privacy Shield down in July 2020 (the Schrems II judgment); transfers now rely on its successor, the EU-US Data Privacy Framework adopted in 2023, or on standard contractual clauses. Either way, businesses and their social media audience remain bound by the GDPR for data about people in the EU.

The business world, like society in general, is increasingly dominated by social media networks and social media culture. Therefore the personal data that exists in abundance on these networking sites is at risk. Even with the DPA 2018 in place, businesses and individuals need to be aware of the risks of hacking and data breaches.

How Does Social Media Meet Legal Requirements for Data Sharing

At its most basic, social media compliance simply means following the rules when using social media to engage with the public. But it’s not that simple.

Social media compliance is a complex topic that can strike fear in the hearts of social marketers. In this post, we try to make it a little more clear and a little less scary.


Compliance simply means following the rules. But in practice, social media compliance is hardly ever simple. The “rules” are a complicated mix of industry regulations and federal, state, and local laws.

Social media compliance standards and risks vary by industry and location. The most common fall into four broad categories: privacy and data protection, marketing and advertising rules, access and accessibility, and archiving.

Privacy and data protection requirements generally govern what personal data you may collect from followers and customers, what you may do with it, and how you must protect it. There is a lot of consumer protection legislation and regulation in this area, from GDPR and the UK Data Protection Act discussed above to sector rules such as HIPAA and FERPA below. The broad principles overlap: collect only what you need, tell people what you collect and why, get consent where it is required, and do not share what you were given in confidence.

Marketers must understand the full scope of confidentiality requirements in their industry.

For example, those marketing educational institutions must follow the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).

It’s essential that healthcare employees understand the Health Insurance Portability and Accountability Act (HIPAA). Simply resharing a social post without signed consent could be a HIPAA compliance issue.

In fact, all healthcare employees are governed by HIPAA compliance rules on social media. That’s why it’s critical to have an internal social media policy (see the policy section below).

For instance, a series of Tweets recently went viral in which someone claimed to work at the Barbados hospital where Rihanna gave birth. The Tweets, which announced her labor and delivery, would have landed the hospital with a significant HIPAA non-compliance fine in the U.S.

For more details, check out our post on using social media for healthcare.

Social marketers in all industries need to be aware of marketing and advertising rules to build a low-risk social media presence.

These can come from bodies such as the Food and Drug Administration (FDA) and Federal Trade Commission (FTC).

The FDA, in particular, monitors claims related to food, beverage, and supplement products. Currently, they’re particularly focused on cracking down on claims related to COVID-19.

The FTC often focuses on endorsements and testimonials. In the social sphere, that often means influencers.

In the UK, the Advertising Standards Authority has taken a unique approach to non-compliant influencers. The authority posted their names and handles on a webpage. They even took out social media ads calling out the influencers by name.

Access and accessibility requirements aim to ensure access to critical information.

The U.S. Freedom of Information Act (FOIA) and other public records laws ensure public access to government records. That includes government social media posts.

This means government social accounts should not block followers, even problematic ones. Even politicians’ personal pages must not block followers if those pages are used to conduct official business.

Meanwhile, archiving requirements ensure each organization has a record of social media activities. This can be required for legal cases.

If you use social media for regulated industries, you likely have in-house compliance experts. They should be your go-to resource for any questions about what you can (and can’t) do on social networks.

Your compliance officers have the latest information on compliance requirements. You have the latest information on social tools and strategies. When the compliance and social media marketing departments work together, you can maximize the benefits for your brand — and reduce the risks.

You need to know exactly who has access to your social media accounts. You also need to give different team members different levels of access.

For example, you might want several team members to have the ability to create social content. But you might need principal approval before posting.

Sharing passwords among team members creates unnecessary risk. It’s especially problematic when people leave their role. A password management and permissions system is a must.
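The three paragraphs above describe an access model rather than a tool: named users with different permission levels, approval before publishing, and clean offboarding instead of a shared password that leaves with whoever leaves. The following is an added example written for this article, not code from any social media management product; the roles, users, account name and draft text are made up.

```python
"""Per-account access with separation of duties and offboarding.

Added example, not from the article. Membership of an account is granted
per user and per role; the account password itself lives in the team's
password manager and is never in this table. Publishing needs an approval
from someone other than the author, and offboarding a user lists the
accounts whose credentials must now be rotated. Users, roles and accounts
are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ROLE_ACTIONS: Dict[str, Set[str]] = {
    "creator": {"draft"},
    "approver": {"draft", "approve", "publish"},
    "admin": {"draft", "approve", "publish", "manage_members"},
}


@dataclass
class Draft:
    author: str
    text: str
    approved_by: Optional[str] = None


@dataclass
class SocialAccount:
    name: str
    members: Dict[str, str] = field(default_factory=dict)   # user -> role
    audit: List[str] = field(default_factory=list)

    def can(self, user: str, action: str) -> bool:
        return action in ROLE_ACTIONS.get(self.members.get(user, ""), set())

    def add_member(self, admin: str, user: str, role: str) -> None:
        if not self.can(admin, "manage_members"):
            raise PermissionError(f"{admin} may not manage members of {self.name}")
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        self.members[user] = role
        self.audit.append(f"add_member by={admin} user={user} role={role}")

    def approve(self, draft: Draft, approver: str) -> None:
        if not self.can(approver, "approve"):
            raise PermissionError(f"{approver} may not approve on {self.name}")
        if approver == draft.author:
            raise PermissionError("separation of duties: authors cannot approve their own post")
        draft.approved_by = approver
        self.audit.append(f"approve by={approver} author={draft.author}")

    def publish(self, draft: Draft, user: str) -> str:
        if not self.can(user, "publish"):
            raise PermissionError(f"{user} may not publish on {self.name}")
        if draft.approved_by is None:
            raise PermissionError("draft has no approval")
        self.audit.append(
            f"publish by={user} author={draft.author} approved_by={draft.approved_by}")
        return draft.text


def offboard(accounts: List[SocialAccount], user: str) -> List[str]:
    """Remove the user everywhere and return the accounts whose shared
    credential must be rotated: anyone who has seen a password still has it."""
    touched = []
    for acct in accounts:
        if user in acct.members:
            del acct.members[user]
            acct.audit.append(f"offboard user={user}; rotate credential")
            touched.append(acct.name)
    return touched


def bootstrap(admin: str) -> SocialAccount:
    """Constructed setup: the first admin is seeded directly; every later
    grant goes through add_member so that it lands in the audit log."""
    acct = SocialAccount("brand-twitter", members={admin: "admin"})
    acct.audit.append(f"seed admin={admin}")
    return acct


def demo() -> dict:
    """Walks the flow: creator drafts, approver approves, admin publishes,
    creator is offboarded. Returns the outcomes of each check."""
    acct = bootstrap("root")
    acct.add_member("root", "alice", "creator")
    acct.add_member("root", "bob", "approver")
    draft = Draft("alice", "Summer sale starts Monday")
    out = {}
    try:
        acct.approve(draft, "alice")
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    try:
        acct.publish(draft, "bob")
        out["unapproved_publish_blocked"] = False
    except PermissionError:
        out["unapproved_publish_blocked"] = True
    acct.approve(draft, "bob")
    out["published"] = acct.publish(draft, "root")
    out["rotate"] = offboard([acct], "alice")
    out["alice_can_draft_after"] = acct.can("alice", "draft")
    out["audit_entries"] = len(acct.audit)
    return out
```

The audit list is what you hand a regulator who asks who approved a post; the return value of `offboard` is the to-do list for the person who holds the password manager, because removing a membership row does nothing about a password that has already been seen.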

In regulated industries, monitoring is especially important. You may need to respond to comments within a specified time. You may also have to report comments to a regulatory body. For instance, those involving adverse drug reactions.

It’s also important to watch out for social accounts related to your organization but not under corporate control.

This might be a well-intentioned advisor or affiliate creating a non-compliant account. Or, it might be an imposter account. Each can cause its own kind of compliance headaches.


Any brand that works with outside salespeople needs to keep a particular eye out for inappropriate claims.

For example, the Direct Selling Self-Regulatory Council (DSSRC) conducts regular monitoring. They recently found sellers for the multilevel marketing meal kit brand Tastefully Simple making inappropriate income claims on Facebook and Pinterest. The council notified Tastefully Simple, who contacted sellers to remove the claims.

In some cases, Tastefully Simple was not successful in having claims taken down. The council then advised the company to:

“Use the social media platform’s reporting mechanism for intellectual property violations and, if necessary, also contact the platform in writing and request removal of the remaining social media posts.”

To avoid trouble, start with a social media audit to uncover social accounts related to your brand. Then put a regular social monitoring program in place.

In regulated industries, all communications on social media need to be archived.

Automated social media compliance tools (see some recommendations at the bottom of this post) make archiving much easier and more effective. These tools classify content and create a searchable database.

They also preserve messages in context. Then, you (and regulators) can understand how each social post fits into the larger picture.

A pre-approved content library provides your whole team easy access to compliant social content, templates, and assets. Employees, advisors, and contractors can share these across their social channels.

For example, Penn Mutual provides an approved content library for independent financial professionals. The ease of posting means 70% of Penn Mutual’s financial pros share approved social content. They see an average of 80-100 shares per day.

“Penn Mutual has paid income-tax free dividends to its eligible policyholders for more than 170 years. That’s a track record you can take great comfort in. ow.ly/mf0p103lfcv”

Posted by Rita Gibson Insurance & Investment Services Inc. on Sunday, January 23, 2022

Make social media compliance training part of onboarding. Then, invest in regular training updates. Make sure everyone understands the latest developments in your field.

Work with your compliance team. They can share the latest regulatory developments with you. You can share the latest changes in social marketing and social strategy with them. That way, they can flag any new potential compliance risks.

And, perhaps most important of all, write it all down in a social media compliance policy.

The components of your social media compliance policy will vary based on your industry and the size of your business. It might actually include several different types of policy, such as an employee social media policy, an acceptable use policy for the public on your channels, a social media privacy policy, and an influencer endorsement policy.

Here’s an example of each type of social media compliance policy mentioned above:

GitLab’s entire social media policy for team members is worth reading, but here are some good excerpts from their list of dos and don’ts:

The acceptable use policy for Spectrum Therapeutics, a subsidiary of Canopy Growth Corporation, begins:

“We ask that all comments and posts remain respectful of both Canopy Growth Corporation and other users.”

Among other guidelines, the policy contains this important advisory:

“Do not post messages that are unlawful, untrue, harassing, defamatory, abusive, threatening, harmful, obscene, profane, sexually oriented or racially offensive.”

And if you ignore the policy?

“Multiple offenders will be blocked from using our social media channel after three warnings.”

The social media privacy policy for this group of companies lays out how and why social data is collected, stored, and shared. It includes details for both visitors and employees.

“The information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Social Media, including the pages accessed, links clicked, or the fact that you became a follower of our Social Media pages.”

In its influencer endorsement policy, Fiverr outlines FTC requirements. For example:

“Each of the Influencer’s social media endorsements must clearly, obviously and unambiguously disclose their ‘material connection’ with Fiverr’s brand.”

The policy provides detailed guidance for how to include this disclosure:

“For video endorsements, the Influencer should make the disclosure verbally and also superimpose the disclosure language in the video itself. For live stream endorsements, the Influencer should make the disclosure verbally and repeat the disclosure periodically throughout the live stream.”

Fiverr also provides examples of approved disclosure wording:

Financial institutions face an extensive list of compliance requirements for social media.
