In this article, we tackle some of the most pressing GDPR questions regarding social media and Employee Advocacy.25th of May 2018 is the date when your company, at latest, needs to be compliant to the European General Data Protection Regulation, aka GDPR, and now is the time to make sure you are ready and informed regarding the changes it will bring about. We all know GDPR will have a profound effect on the way we do digital marketing. The regulation was not put in place to hinder the performance of digital marketers, but to protect the privacy rights of individuals. Marketing and social selling, when done right, is all about finding the right people and serving them when and how they want. Therefore being GDPR compliant is inherently logical, as it sets the framework to function within the rights of private individuals, in the realm of mutual respect and active consent towards what is being marketed to you.
We at Smarp welcome the GDPR with open arms and continue to take heavy measures to ensure the privacy of our customers, partners and users. We believe in sharing knowledge and content, but only when it is done while complying with the highest standards of personal data privacy. Smarp, both our company and our platform, has workforce in place to ensure constant data privacy and security. Issues of data management, handling and storing, of course, go beyond the measures of GDPR compliance and deal with general IT security matters as well. Smarp was built, first and foremost, to be secure, and in 2016, Smarp became the first Employee Advocacy provider in the market to earn the ISO 27001 security certificate.
We want to help companies ease into GDPR compliance, so we here at Smarp found out some of the most pressing questions people had around the subject of GDPR, social media and Employee Advocacy, and decided to tackle the questions head-on. While we cannot offer legal advice, we are here to share our best practices and knowledge in regards to the regulation. Here we go!
GDPR, Social Media and Employee Advocacy FAQ
1. Can employees use contact information found from social media?
Social media platforms such as Facebook and LinkedIn already only have opt-in users: all users have to agree they have read the Terms and Conditions in order to continue. So as far as people's data and profiles existing in social media platforms go, this information is "data-opted-in", but for this specific platform only. This means no one is allowed to “hijack” one opt-in to another network, platform or software.
Companies are not allowed to export contacts from LinkedIn or Facebook to the company CRM database without an approval. Companies will need explicit approval to carry a specific contact, including an email, to a CRM database.
Employees should not mass-generate company emails from LinkedIn profiles, but they are able to go to someone’s LinkedIn profile, find their email address and tailor a marketing or sales message to them. However, the contact can request not to be contacted anymore and in this case, the request has to be respected.
2. Can employees add social media users to internal company email lists?
Employees will need explicit approval for each individual user to be added to a specific email list. This also means that contact information in one company email list may not be carried to another company email list without the individual’s approval. The permission to be added to an email-list needs to be informed and freely given. Looking at the macro-level, this means, for example, that going forward companies may no longer add “subscribe to email list” as the default option on a form and instead, it needs to be ticked by the user. Companies need to be able to prove the consent as well and they must be able to give the details of who consented, when and how, and to what exactly. Thus, keep your consent clause as specific and easily understandable as possible and make sure it stays on record.
This is obviously good news for marketers and customers alike. Users will no longer be receiving irrelevant marketing materials, and marketers aren’t spending their resources in concentrating on people who do not have an interest in the brand or the product at that stage.
3. Can employees approach people on social media directly?
Employees are humans and they are allowed to directly engage with individuals in social media within that same platform. Everyone existing in social media as a natural person, commenting in a public or private conversation, may be contacted by a natural person. But of course, the contact has the right to request not to be contacted again, and their wishes need to be respected.
Everyone in social media has opted-in to that social media platform, and if their contact information is visible, they may be contacted in that specific social media. Note that this does not apply to children.
4. Can employees share the contact information of colleagues to a prospect or a customer in social media?
An employee could, for example, be having a discussion online with a customer or a prospect, and start to feel like someone else could take over. Are they allowed to give the contact information of their colleague to this person, to make introductions?
If this colleague is on the same social media platform, they can be for example tagged into a discussion. But as for giving their email (especially if it is an open group or discussion), ask for permission first. Employees are also private individuals with the right to privacy and data protection, and this applies to work email and work numbers as well. Remember that names are personal data too!
5. Is an employee's right to data privacy (in relation to their manager or colleague) similar to the right of an individual?
When using consent as a legal ground for possessing and handling employee data, employers should be cautious of complying with the principle of freely given consent. One of the possible breaches for this is the imbalance of power, which may occur between an employer and an employee. Consent is also considered not freely given if not complying would cause significant hinderance or if a service is dependent on the consent, in a context where the consent isn’t necessary for the performance. (For example, telling your accounting team they have to take selfies and post them on your company Instagram or they get fired is a no-no, but it wasn’t a good idea before GDPR either).
6. Is it OK to attach social media usernames to CRMs?
Relationships on social media tend to be more personal and less formal than other types of communication. However, companies cannot assume individuals want to be added to an electronic system, so employees must ask social media users for their permission to add their details to a CRM system. Companies cannot store more data than they ask permission for.
7. If someone sends a link to a landing page in social media, do they have to announce they are working in that company?
Employees should act as per company social media policy and with adherence to their industry rules and country-specific regulations. Some companies and countries have it in their regulations that whenever a landing page asking for personal information is shared, the social media message should include a notice that the person who has shared the message, in fact, works for the company. However, as long as the landing page itself adheres to the GDPR, this seems to remain instructed, not regulated.
8. What is the difference between personal and professional data processing?
The regulation doesn’t apply to processing personal data by a natural person when there is no connection to a professional or commercial activity, i.e, on “the course of a purely personal or household activity”. The context of personal or a household activity includes, for example, social networking and online activities. Note that the regulation does apply to controllers and processors providing the means to process the personal data, even when the activity is personal. While some line can be drawn due to the application of controllers and processors, the “context or personal activity” does leave room for interpretation. When it comes to personal or professional branding, for example, the line between personal and professional activity becomes blurred.
People working as entrepreneurs, consultants or specialists often do not even separate between personal and professional and don’t necessarily distinguish working time and free time from each other. With the rise of digital workplaces and the scattering of working hours, working locations and work devices make it more and more difficult to separate professional and personal time. For this reason, it is wise for all companies to set rules and regulations to be followed in general online when it comes to anything work or even industry related that may deal with personal information.
9. Do I have to worry about anything regarding using Smarp in relation to my Employee Advocacy or other campaigns?
Smarp is ISO 27001 certified, which already confirms our good practices and procedures considering information security. In our company, we have a GDPR task force working to make Smarp fully GDPR compliant, and we regularly consult lawyers and information security specialists to ensure everything is done to the highest standards.
10. What personal data does Smarp collect and where is it hosted?
Smarp collects a limited amount of non-sensitive personal data:
- Employees’ first name and last name
- Company email address
- IP Address
- Cookie ID
- Connected social media network profile picture URL
Smarp data is hosted exclusively in Europe (Amazon Web Services Ireland and Google Cloud Platform Belgium).
Bonus Question: What do I do now?
Look, GDPR can be complex, but this one is easy: continue to create and share content people want to opt-in to, and encourage your employees to create and share good content in their social media channels as well.
Consumers will have to be offered an easy way to opt out of data collection. After this what naturally follows is offering consumers ways to opt back in, preferably along several steps of the way. So make your content good, make your product good, listen and engage. Do as you would normally do, and as long as you bring value, your customers, users, and prospects will opt-in to your content and digital services.