Organisations’ use of social media: Data protection

Social media applications (commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity. The increase in use of social media platforms has led many organisations to create official accounts on these platforms and use them to promote their business and interact with customers and potential customers alike. Social media platforms are great for customer engagement as they offer a free line of communication with an audience. These platforms can also be used by organisations to gain insights into customer behaviours and preferences. In a way, social media platforms have become an indispensable tool for organisations as they are integral to business operations and marketing techniques. These platforms therefore present a challenge for organisations in complying with data protection and privacy laws.

In the UK, organisations must comply with the UK GDPR and the Data Protection Act 2018; otherwise, they potentially face enforcement action by the Information Commissioner’s Office (ICO). The UK GDPR contains rules on how personal data is to be managed, impacting organisations’ activities in many ways, including their activities on social media platforms.

Data protection and privacy concerns

Customers now regularly contact organisations via social media platforms, sometimes to voice their complaints, or simply to communicate with the organisation’s customer services. In doing so, individuals often provide their personal data, for example by giving their customer reference number or providing other details or information about themselves which can make them identifiable. Organisations must remember that their data protection obligations extend to social media. Any mishandling of individuals’ personal data provided through social media can therefore lead to data protection breaches, the consequences of which can be severe in terms of legal action taken by the ICO. Such breaches can also result in grave reputational damage, which can undermine people’s trust in an organisation.

Melanie Pimenta

Associate

+44 118 960 4653

Staff training

Ensuring that employees understand data protection principles and are aware of the potential risks associated with social media is crucial. Providing active training and refresher training on best practices and compliance to all employees of an organisation, including senior management and in particular those in customer-facing roles, is essential. These customer-facing roles may include managing the organisation’s social media accounts. Where personal data is disclosed via private messaging on a social media platform, organisations and those acting on their behalf should not do anything with that data which the sender did not consent to. To ensure a consistent approach is taken to the expected standards and behaviours on social media, it is best practice for organisations to have a social media policy in place.

It is unlikely that an organisation’s employees will be giving out their own personal data or that of their fellow employees on the organisation’s social media accounts, but it may still be worth training employees on the dangers of doing this, as the organisation may not have much control over this personal data being misused by others, but could still remain vicariously liable for employees’ actions.

Security measures

Organisations should consider having security measures in place to protect personal data, particularly using data encryption and adhering to the data minimisation principle. When organisations use social media platforms, data is transmitted over networks and the chances of this data being accessed by a third party are high. Encrypting this data could ensure that even if it is intercepted, it remains unreadable to unauthorised parties. Organisations may also want to consider putting in place other security measures such as multi-factor authentication, which requires users of the organisation’s social media accounts, for example, to provide multiple forms of identification before gaining access to the accounts. This provides an additional layer of protection so that only authorised employees have access to the organisation’s social media accounts.

Social media has transformed all of our lives and provided a fruitful experience for all types of users, including businesses. However, social media comes with inherent data protection and privacy risks. By understanding organisations’ obligations under the UK data protection legislation and keeping up to date with data protection principles, organisations can enjoy the benefits of social media while still complying with the UK data protection legislation and safeguarding the personal data of individuals both in and outside the organisations.

If you require any support or advice on your data protection obligations, please do not hesitate to contact a member of the data protection team.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
