With the General Data Protection Regulation (GDPR) fast approaching for all organisations I felt it was worth recapping where it has come from and the potential impact of GDPR on social media management from a business perspective.
In 1998 the current Data Protection Act (DPA) came into force. It is designed to protect an individual's “personal data” stored electronically or in an organised paper filing system, and it is enforced by the Information Commissioner's Office (ICO). It gives legal rights to individuals who have their personal data “processed”.
The EU's new General Data Protection Regulation (GDPR) rules, which are due to come into effect on May 25th 2018, are essentially an update to the Data Protection Act (DPA). They retain some of the existing elements, but importantly they introduce much stricter rules (and punishments for organisations that break the rules) on obtaining explicit consent from individuals to store and process their personal data, and on how organisations are required to respond to any individual who requests access to, or changes to, the data being stored about them. As such, the new rules will potentially have an impact on marketing, communications and other customer-facing teams who regularly capture and store data on prospects and customers.
Key GDPR Definitions
At this point it is worth explaining some of the key terminology associated with the GDPR:
“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“Processing”, in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data.
“Personal data” is any information that would identify a living individual from the information held on that individual. It includes any opinion expressed about the individual, but excludes anonymised data.
Personal data is categorised as either non-sensitive or sensitive. Sensitive data includes: racial or ethnic origin, political opinions or membership of a trade union, religious beliefs, physical or mental health condition, sexual life, and any alleged offences or legal proceedings.
The Data Protection Act sets out eight principles governing the use of personal information which all organisations must comply with, unless an exemption applies. In summary these are:
- Personal data must be processed fairly and lawfully (2 individual tests)
- It should only be collected and processed for limited purposes
- The information must be adequate, relevant and not excessive
- It must be accurate and kept up to date
- It should not be kept for longer than is necessary
- It should be processed in line with the rights of the data subject
- Personal data must be protected by “appropriate technical and organisational measures”
- It should not be transferred outside of the European Economic Area unless the country the data is being sent to has “adequate” data protection
The EU's General Data Protection Regulation (GDPR) introduces strict new guidelines which all organisations that handle the data of individuals living inside the EU must adhere to. It builds on the original Data Protection Act and has the following additions:
- Same basic principles as current Data Protection law, but strengthened
- Greater accountability for both organisations and employees
- New rights for individuals, and strengthening of existing rights
- A requirement to report any breaches
- Data Protection Officers need to be put in place and organisations need to conduct Data Protection Impact Assessments
- Higher penalties for non-compliance
- Data processors will also be liable
There is a huge amount of guidance in this area, and marketing managers should contact their own organisations for more clarity on how it applies to them. If in doubt, please visit the ICO website for guidance at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
Impact of the GDPR on organisations
The best way to prepare for GDPR is to go back to basics when it comes to the data you collect and store. The key theme coming from the EU is ‘privacy by design’. This means you have to plan and decide how an individual's personal data can pass through your organisation in a safe and secure way. This data can range from:
- Name and email address of marketing leads in your CRM database
- Home address details of paying customers
Before collecting this data, as an organisation you will have to ask individuals for permission to use their personal data, while at the same time giving them a legitimate reason as to why you need their information; transparency is key to being compliant. Once the legitimate use of the data has expired, the information will have to be erased (the retention period can vary).
Impact of the GDPR on social media & marketing
It's good news! Much like the CrowdControlHQ platform, the social media networks themselves have privacy notices already built in which ensure they are compliant. Audiences on social media already give clear and transparent consent to organisations by ‘liking’ or ‘following’ a business on social. In the eyes of GDPR these consumers have given their consent to receive marketing messages via social. However, they can withdraw this just as quickly by opting out of updates and marketing communication, by unfollowing or un-liking the social media page. As such, on social media specifically, the challenge for organisations of getting consent is virtually eliminated. Further, it allows brands to increase engagement by producing content that their audience is genuinely interested in.
To read more about GDPR and CrowdControlHQ visit https://content.crowdcontrolhq.com/gdpr
Disclaimer: The information given on this website is neither a definitive guide to EU data privacy nor legal advice for your company to use in complying with EU data privacy laws such as GDPR. Instead, it provides background information to help you better understand how CrowdControlHQ has addressed some important legal points. This legal information is not the same as legal advice, where a lawyer applies the law to your specific circumstances, so we insist that you consult a lawyer if you'd like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.