Organisations’ use of social media: Data protection

Social media applications (commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity. The increase in use of social media platforms has led many organisations to create official accounts on these platforms and use them to promote their business and interact with customers and potential customers alike. Social media platforms are great for customer engagement as they offer a free line of communication with an audience. These platforms can also be used by organisations to gain insights into customer behaviours and preferences. In a way, social media platforms have become an indispensable tool for organisations as they are integral to business operations and marketing techniques. These platforms therefore present organisations with the challenge of complying with data protection and privacy laws.

In the UK, organisations must comply with the UK GDPR and the Data Protection Act 2018; otherwise, they potentially face enforcement action by the Information Commissioner’s Office (ICO). The UK GDPR contains rules on how personal data is to be managed, impacting organisations’ activities in many ways, including their activities on social media platforms.

Data protection and privacy concerns

Customers now regularly contact organisations via social media platforms, sometimes to voice their complaints, or simply to communicate with the organisation’s customer services. In doing so, individuals often provide their personal data, for example by giving their customer reference number or providing other details or information about themselves which can make them identifiable. Organisations must remember that their data protection obligations extend to social media. Any mishandling of individuals’ personal data provided through social media can therefore lead to data protection breaches, the consequences of which can be severe in terms of the legal action taken by the ICO. Such breaches can also result in grave reputational harm, which can damage people’s trust in an organisation.

Melanie Pimenta

Associate

+44 118 960 4653

Staff training

Ensuring that employees understand data protection principles and are aware of the potential risks associated with social media is crucial. Providing active training and refresher training on best practices and compliance to all employees of an organisation, including senior management and in particular those in customer-facing roles, is essential. These customer-facing roles may include managing the organisation’s social media accounts. Organisations and those acting on their behalf should not do anything with personal data disclosed via private messaging on a social media platform that the sender of that data did not consent to. To ensure a consistent approach is taken to the expected standards and behaviours on social media, it is best practice for organisations to have a social media policy in place.

It is unlikely that an organisation’s employees will be giving out their own personal data or that of their fellow employees on the organisation’s social media accounts, but it may still be worth training employees on the dangers of doing this. The organisation may not have much control over this personal data being misused by others, but could still remain vicariously liable for employees’ actions.

Security measures

Organisations should consider having security measures in place to protect personal data, particularly data encryption and adherence to the data minimisation principle. When organisations use social media platforms, data is transmitted over networks and the chances of this data being accessed by a third party are high. Encrypting this data could ensure that even if it is intercepted, it remains unreadable to unauthorised parties. Organisations may also want to consider other security measures such as multi-factor authentication, which requires users of the organisation’s social media accounts, for example, to provide multiple forms of identification before gaining access to those accounts. This provides an additional layer of protection so that only authorised employees have access to the organisation’s social media accounts.

Social media has transformed all of our lives and provided a fruitful experience for all types of users, including businesses. However, social media comes with inherent data protection and privacy risks. By understanding organisations’ obligations under the UK data protection legislation and keeping up to date with data protection principles, organisations can enjoy the benefits of social media while still complying with the UK data protection legislation and safeguarding the personal data of individuals both in and outside the organisations.

If you require any support or advice on your data protection obligations, please do not hesitate to contact a member of the data protection team.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
