If you work in the marketing industry, you’ll no doubt know and have preparations well underway for the General Data Protection Regulation (GDPR) which is coming into play on 25th May. If you don’t, now is the time to start investigating – and fast – because you could get fined up to €20m if you’re found in breach.
I expect you all know what GDPR is, but as a brief reminder: it is being brought in across Europe and will supersede the UK Data Protection Act 1998, with the aim to give people more control of their data and how it is used.
The recent Cambridge Analytica scandal shows exactly why this is an important move: and how careful you need to be with social media data.
For social media marketers, we see there being two main areas that GDPR will affect: social media targeting, and lead generation campaigns. This blog takes a look at both of these in more detail, and how you can make sure your company is compliant.
Using email data for social media
At the moment, you may look to target customers or potential customers on social media using email addresses which have been provided to you.
If anyone has created their social media account using the email address given to you (e.g. during a sign-up procedure), you can target them and they will then receive the social advertising – for example, customers who gave their email address to test drive a car may then be targeted by ads when there is a sale at that car showroom.
Under GDPR, you will only be able to use this data if there is a right for it to be processed. As you may or may not know, there are six ‘grounds’ for processing data under GDPR: contract, consent, legal obligation, vital interests, public interests, and legitimate interests. The two which are most relevant for social media are consent and legitimate interest.
For consent to be used, it is important to note that there must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
GDPR has a strong stance on consent, and it must only be used when a genuine choice is offered. For example, if you said that someone could only take a car for a test drive if they allowed their data to be used, that is not considered true consent.
The second ground is legitimate interests, where you use someone’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for using it.
Facebook has already said that it plans to launch a safeguard for email data, and that marketers will be asked to confirm that they permission to use the email addresses.
Lead generation for social media
Particularly in the case of B2B companies, you may be using social media as a way to generate business, and this will also require some changes under GDPR.
On LinkedIn, social media marketers will automatically see a required opt-in box added to their lead generation forms when they are being created. Users must click this box before they can submit information – which acts as consent under GDPR. Advertisers will also be required to include custom privacy policy text in their ads.
According to LinkedIn, users will also see a new consent tracking and revoke screen in their privacy settings, which will allow them to revoke their consent on a per-lead basis, until 90 days after submission. Lead data will be deleted from LinkedIn's servers automatically after 90 days, so advertisers must download or pass their leads from LinkedIn to their own third-party tool by then.
Facebook has said it is currently reviewing its disclosures when it comes to lead generation, so it is worth keeping an eye on their GDPR page for any updates: I predict that all eyes will be on them on the back of Cambridge Analytica and they will be keen to show compliance.
If you’re concerned about how your company uses social media data ahead of the introduction of GDPR, get in touch and we can discuss the process.