Search

How can we help?

Icon

Organisations’ use of social media: Data protection

Social media applications (or commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity. The increase in use of social media platforms has led many organisations to create official accounts on these platforms and use them to promote their business and interact with customers and potential customers alike. Social media platforms are great for customer engagement as they offer a free line of communication with an audience. These platforms can also be used by organisations to gain insights into customer behaviours and preferences. In a way, social media platforms have become an indispensable tool for organisations as they are integral to business operations and marketing techniques. These platforms therefore represent a challenge for organisations to comply with data protection and privacy laws.

In the UK, organisations must comply with the UK GDPR and Data Protection Act 2018 otherwise they potentially face enforcement action by the Information Commissioner’s Office (ICO). The UK GDPR contains rules on how personal data is to be managed, impacting organisations’ activities in many ways, including their activities on social media platforms.

Data protection and privacy concerns

Customers now regularly contact organisations via social media platforms, sometimes to voice their complaints, or to simply communicate with the organisation’s customer services. In doing so, individuals often provide their personal data, for example by giving their customer reference number or providing other details or information about themselves which can make them identifiable. Organisations must remember that their data protection obligations extend to social media. Any mishandling of individuals’ personal data provided through social media can therefore lead to data protection breaches, the consequences of which can be severe in terms of legal ramifications taken by the ICO. Such breaches can also result in grave reputational damage which can damage people’s trust in an organisation.

Melanie Pimenta

Senior Solicitor

View profile

+44 118 960 4653

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

When organisations use social media platforms, data is transmitted over networks and the chances of this data being accessed by a third party are high.

Staff training

Ensuring that employees understand data protection principles and are aware of the potential risks associated with social media is crucial. Providing active training and refresher training on best practices and compliance to all employees of an organisation, including senior management and in particular those in customer-facing roles, is essential. These customer-facing roles may include managing the organisation’s social media accounts. Organisations and those acting on their behalf should not do anything with personal data disclosed via private messaging on a social media platform, which the sender of that data did not consent to. To ensure a consistent approach is taken to the expected standards and behaviours on social media, it is best practice for organisations to have a social media policy in place.

It is unlikely that an organisation’s employees will be giving out their own personal data or that of their fellow employees on the organisation’s social media accounts, but it may still be worth training employees on the dangers of doing this, as the organisation may not have much control over this personal data being misused by others, but could still remain vicariously liable for employees’ actions.

Security measures

Organisations should consider having security measures in place to protect personal data, particularly using data encryption and adhering to the data minimisation principle. When organisations use social media platforms, data is transmitted over networks and the chances of this data being accessed by a third party are high. Encrypting this data could ensure that even if it is intercepted, it remains unreadable to unauthorised parties. Organisations may also want to consider placing other security measures such as multi-factor authentication, which, for users of the organisation’s social media accounts for example, is a way to make users provide multiple forms of identification before gaining access to the accounts. This provides an additional protection so that only authorised employees have access to the organisation’s social media accounts.

Social media has transformed all of our lives and provided a fruitful experience for all types of users, including businesses. However, social media comes with inherent data protection and privacy risks. By understanding organisations’ obligations under the UK data protection legislation and keeping up to date with data protection principles, organisations can enjoy the benefits of social media while still complying with the UK data protection legislation and safeguarding the personal data of individuals both in and outside the organisations.

If you require any support with advising on your data protection obligations, please do not hesitate to contact a member of the data protection team.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Melanie Pimenta

Senior Solicitor

View profile

+44 118 960 4653

Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

About this article

Read, listen and watch our latest insights

Pub
  • 22 August 2023
  • Privacy and Data Protection

Overview of Data Subject Access Requests

In recent months, we have witnessed a series of high-profile data breaches that have brought data protection issues to the forefront of the public’s mind and with this comes an increase in Data Subject Access Requests (DSARs).

art
  • 16 August 2023
  • Privacy and Data Protection

PSNI and Electoral Commission Data Breach

Both the UK Electoral Commission and the PSNI, announced serious data breaches. This article looks at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.

art
  • 09 August 2023
  • Privacy and Data Protection

Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

art
  • 27 July 2023
  • Privacy and Data Protection

Nigel Farage v NatWest: When you can’t bank on data protection?

If you have seen the headlines recently, you will have read that NatWest CEO Dame Alison Rose has resigned from her position following the row over Nigel Farage’s bank account and the disclosure of his banking data.

art
  • 21 July 2023
  • Privacy and Data Protection

What will happen if the Metaverse comes to life?

Metaverse talk has seemingly died down when just a few months ago it was a popular topic on the internet. This is no surprise since Mark Zuckerberg – the CEO of Meta Platforms, formerly ‘Facebook’ – has stopped discussing the Metaverse after a period of actively promoting it.

Pub
  • 04 July 2023
  • Privacy and Data Protection

New ICO guidance on DSARs

In this podcast Lucy Densham Brown and Rebecca Dowle members of the Data Protection team at Clarkslegal, summarise some of the key takeaways from the ICO’s new guidance on how employers should respond to data subject access requests (DSARs) from employees.