Organisations’ use of social media: Data protection

Social media applications (commonly known as ‘apps’) are being developed all the time, and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity. The increase in the use of social media platforms has led many organisations to create official accounts on these platforms and use them to promote their business and interact with customers and potential customers alike. Social media platforms are great for customer engagement as they offer a free line of communication with an audience. These platforms can also be used by organisations to gain insights into customer behaviours and preferences. In a way, social media platforms have become an indispensable tool for organisations as they are integral to business operations and marketing techniques. These platforms therefore represent a challenge for organisations in complying with data protection and privacy laws.

In the UK, organisations must comply with the UK GDPR and the Data Protection Act 2018; otherwise, they potentially face enforcement action by the Information Commissioner’s Office (ICO). The UK GDPR contains rules on how personal data is to be managed, impacting organisations’ activities in many ways, including their activities on social media platforms.

Data protection and privacy concerns

Customers now regularly contact organisations via social media platforms, sometimes to voice their complaints, or simply to communicate with the organisation’s customer services. In doing so, individuals often provide their personal data, for example by giving their customer reference number or providing other details or information about themselves which can make them identifiable. Organisations must remember that their data protection obligations extend to social media. Any mishandling of individuals’ personal data provided through social media can therefore lead to data protection breaches, the consequences of which can be severe in terms of legal action taken by the ICO. Such breaches can also result in grave reputational damage, which can undermine people’s trust in an organisation.

Melanie Pimenta

Senior Solicitor

+44 118 960 4653

Sana Nahas

Trainee Solicitor

+44 118 960 4611

Staff training

Ensuring that employees understand data protection principles and are aware of the potential risks associated with social media is crucial. Providing active training and refresher training on best practices and compliance to all employees of an organisation, including senior management and in particular those in customer-facing roles, is essential. These customer-facing roles may include managing the organisation’s social media accounts. Organisations and those acting on their behalf should not do anything with personal data disclosed via private messaging on a social media platform to which the sender of that data did not consent. To ensure a consistent approach is taken to the expected standards and behaviours on social media, it is best practice for organisations to have a social media policy in place.

It is unlikely that an organisation’s employees will be giving out their own personal data or that of their fellow employees on the organisation’s social media accounts, but it may still be worth training employees on the dangers of doing this. The organisation may not have much control over this personal data being misused by others, but could still remain vicariously liable for employees’ actions.

Security measures

Organisations should consider having security measures in place to protect personal data, particularly using data encryption and adhering to the data minimisation principle. When organisations use social media platforms, data is transmitted over networks and the chances of this data being accessed by a third party are high. Encrypting this data could ensure that even if it is intercepted, it remains unreadable to unauthorised parties. Organisations may also want to consider putting other security measures in place, such as multi-factor authentication, which requires users of the organisation’s social media accounts, for example, to provide multiple forms of identification before gaining access to the accounts. This provides additional protection so that only authorised employees have access to the organisation’s social media accounts.

Social media has transformed all of our lives and provided a fruitful experience for all types of users, including businesses. However, social media comes with inherent data protection and privacy risks. By understanding organisations’ obligations under the UK data protection legislation and keeping up to date with data protection principles, organisations can enjoy the benefits of social media while still complying with the UK data protection legislation and safeguarding the personal data of individuals both in and outside the organisations.

If you require any support with advising on your data protection obligations, please do not hesitate to contact a member of the data protection team.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
