Where does GDPR fit with Social Media for small UK businesses?
GDPR and social media don’t really sound like the perfect combination but if you are trying to grow your business, you will no doubt be using social media as one of your key tools.
It certainly isn’t easy or quick to learn to make effective use of it. It’s more than likely that you have been and maybe still are wrestling with the intricacies of getting your message right, so your posts match your brand and resonate with your ideal client. I know this is true because I’m struggling with the same issues for my business. I wish I had a magic spell I could cast to help you and me with that side of things, but I don’t.
What I do have are some very straightforward tips to help you avoid GDPR pitfalls when using some of the most popular networks.
At this point, it’s important to mention that GDPR does NOT apply to your personal use of social media, it does apply when you use it for business purposes.
What about the basics?
Let’s be clear, the requirements of GDPR that do apply to social media are the same ones that you are required to apply to all parts of your business.
Here’s a quick reminder of the fundamentals in relation to your business use of social media (skip ahead if this is something of which you’re confident):
- You must have a lawful basis before you collect any personal data (one per purpose)
- You must inform people clearly what you do with their data
- You only collect what data is necessary
- You keep it for as short a time as possible
- You keep it secure from collection to destruction
Personal data is any personally identifying piece or pieces of information or a context (e.g., a job role in a small company could do that, so beware). As the multi-tasking owner of a small business, you will probably have a combination of an email list, maybe a membership list plus suppliers and clients’ details that make up the personal data you handle. This personal data will have been collected through a variety of channels, including your social media accounts.
When is it NOT GDPR you should be following and just what is covered?
To be clear, the marketing activities we are looking at fall under the Privacy and Electronic Communications Regulations 2003 (PECR) i.e., by phone, fax, email, text, picture, video or voice and including messages sent via social media or similar systems that are stored electronically. And you must also comply with GDPR (and the Data Protection Act). Scary? No, it doesn’t have to be.
How can your business avoid the pitfalls?
Here are some easy fundamentals to remember:
- You must have informed consent before sending marketing messages to non-clients or non-customers. Remember, this consent includes contact by any means, including all of those mentioned above.
- The “soft opt-in” rule about existing customers means, if a client or customer bought something from you recently and didn’t choose to opt out of marketing messages, they are likely to be OK with hearing from you about an offer that is relevant to them. For example, if they bought a 2-hour online workshop about a specific subject from you, there’s a good chance they will be interested in attending a one-day online workshop about the same or a connected subject that offers great value and more help to solve their problem. The soft opt-in is allowed for existing clients or customers, but you must offer an unsubscribe option in every message. N.B. Non-commercial promotions charity fundraising and political campaigning are NOT allowed to use a soft opt-in (this is being considered in the current changes to data protection consultation in the UK).
- You can send marketing messages to companies (providing they haven’t told you not to – you should keep a do not contact list!) – that might be a generic email address e.g., [email protected] Remember that personal data can be a piece or pieces of information that positively identifies a living individual. This means that sole traders or partners will be identifiable, and their data is covered by GDPR and if a person is identified in any way by their job role for a company, that is also personal data (take care). Of course, it’s always worth remembering that truly non-personal email addresses, phone numbers or messaging contacts are less likely to be effective in gaining real interactions or engagement.
- If you have someone else e.g., a freelancer or an agency, to send the messages for you, they are processors for your controller and you still carry the responsibility and the same rules apply. It also applies if you get your friends to forward the message on your behalf…
- Don’t forget cookies on your website, if you have one and use them (you probably do). You need to have a cookie control banner to give visitors choice if they want to give their consent to be marketed to or not.
If you have consent you can send marketing messages.
- You don’t contact individuals without their consent – cold calling is a no-no.
- Make sure your messages are relevant to clients or customers or the soft opt-in isn’t watertight as a method but, more than that it will annoy them and isn’t good practice for marketing.
- Have a “do not contact list” to avoid complaints and check it before sending communications.
- If you collect personal data for use in your own email campaigns either via an online website form (maybe for a subscription or enquiry) or via marketing cookies (cookie consent) be sure your request for consent clearly explains what it is for e.g., if you add a second consent to the one for subscribing to allow you send out marketing messages.
- A bit more about messenger apps; let’s have a quick look at WhatsApp & other channels
WhatsApp is a popular way for people to contact each other for business purposes. You should be aware that neither the personal or business version is GDPR-compliant because it has access to your contacts. The WhatsApp Business app is only marginally better because it doesn’t have access to your personal contacts, however, it does gather your business contacts’ data via the app. There is a third option that is only available through 3rd-party providers and that is designed for larger businesses and with a cost involved, of course.
Clubhouse does the same as WhatsApp and has other data protection concerns, as does TikTok. I’m not covering those in this article but, as you will have gathered all of these apps have certain disadvantages. If you decide you really need/want to use any of them, you should do your due diligence before going ahead and decide if the risks are acceptable then document your decision-making process.
Let’s have a look at some of the most popular social media channels:
You may use Facebook and have or will have a Facebook group of your own, which means you should be aware of the following information.
If you have a website, you may have a Pixel installed for Facebook advertising or a cookie if you have a button visitors can click on to go to your Facebook page or group.
Examples where you will need consent for a Pixel via your cookie control banner:
- If you use Facebook advertising and the Pixel is used to retarget adverts and/or measure conversions
These are audiences created from your email list (or CRM) that you upload to your Facebook Ads account that targets them directly.
There are five types of custom audiences, they are:
- Website Custom Audiences (based on Pixel)
- Customer list Custom Audiences (clients or customers who have already interacted with your business)
- App activity Custom Audiences (if you have your own app then this can be an option
- Offline activity Custom Audiences (anyone who has purchased from your business in the last 180 days)
- Engagement Custom Audiences (people who have engaged with your business through Facebook, Instagram or WhatsApp and any other Facebook tools, apps and services).
Instagram follows the same protocols as Facebook (unsurprisingly)
- LinkedIn requires users to update lead-generation forms to ensure compliance with GDPR.
- It’s worth remembering that GDPR applies in cases even such as adding a business card and its details to files, computer systems or databases or downloading a contact list.
- Make sure you have your business’s policies and procedures clearly covering the various processes you use as this is the basis of your GDPR compliance.
- You are covered for the usual functionality of LinkedIn e.g., messaging your existing contacts or reaching out to new contacts to connect with you.
- However, you are not covered for data scraping from LinkedIn to make contact.
Twitter has a business entity based in Ireland that is the data controller for the personal data of users outside of the US. The parent company Twitter Inc. has a DPA in place for its interactions with the Irish entity. It uses a similar process to Facebook to obtain consent before advertisers have access to personal data.
You need to have a social media policy
What should you include in a social media policy?
This is one of the easiest places to demonstrate the relationship between GDPR and social media in your business. For most owner-run small businesses, a simple hybrid Policy and Procedure document is the most practical. If there’s only you in the business, it fulfils the purpose of evidence should anything go wrong. If you have freelancers, contractors or employees, it serves the additional purpose of explaining your business approach to social media to them as well to avoid any misunderstandings.
You may want to include the following points in your social media policy:
- Risk of defamation to others
- Reputation and brand management – your attitude to these key components of your business (dos and don’ts)
- Handling negative comments to maintain the standards and good relations of your business with its customers, and the public. You’ll need to provide clear guidance and instructions for staff/freelancers
- You will likely wish to include details of situations where employees may face disciplinary action, where you have employees. This will cover instances where posting comments online could damage your business’s reputation/brand.
- Also, if you intend to monitor employees’ social media activity, you must tell them and justify it.
If an individual posts on their own social media account on behalf of the business, your policy may include using a disclaimer to make it clear that any opinions started aren’t a reflection of the business’s views (unless they are…).
On a slightly different subject, don’t forget the potential data protection issues of someone using their own device. This covers the security of the data, which is normally covered by a Bring Your Own Device Policy/Procedures document.
- Use double opt-in: If you have a social media landing page encouraging visitors to opt-in to your email newsletter or which could be an additional option when you are offering a freebie, you should follow the double opt-in process offered by all email marketing platforms. This gives you your record of consent whilst giving your subscribers a clear choice.
- Considering buying a list of prospects: If you at any stage consider buying a list of prospects that include personal data, make sure you check and double-check to see what consent they gave AND get a copy of it to keep in your records.
- Do your due diligence BEFORE you start using any channel, messenger app or website for collecting personal data from clients, customers or suppliers.
- When you receive notification of a change to any policies of any social media channel, be patient and at least scan through them to be sure you are still keeping your business safe!
So, GDPR and Social Media…
As you can see, social media is no different from any other part of your business as far as the steps you should take to avoid falling foul of data protection legislation, including GDPR. You don’t need to spend hours and have a complicated set-up just have a simple process that works for you and your business. If you have questions, see below for details of my Facebook community group or you can contact me via LiveChat. 🙂