Ishbel Macleod

Is your social media GDPR compliant?

GDPR. It led to sleepless nights for lawyers, business owners and – of course – marketers, when it came into play in May 2018. But while the goal was to make data regulation clear and easy, news stories and reports such as The Social Dilemma show that this isn’t always the case.

To make sure your social media is compliant, we’ve created this guide to help you. We aren’t lawyers – however, this is our understanding of the GDPR and what it means for your social media output.

GDPR at a glance

GDPR – full name General Data Protection Regulation – is a European law which came into effect on 25 May 2018 and applies to anyone processing personal data within the EU.

The text of the GDPR is over 45,000 words long but can be summed up as: it is the consumers, not companies, who have control over their personal data. Consumers have the power to decide who they want to receive marketing from, and have more powers to stop contact if they don’t want it.

Please note: technically the EU GDPR is an EU regulation and therefore doesn't apply in the UK anymore. However, GDPR has been incorporated into the Data Protection Act 2018 as the UK GDPR, and there are very few changes from the core principles and obligations. If you offer goods or services to people in the European Economic Area, the EU GDPR will still be applicable to your business.

What counts as ‘data’ under GDPR?

Pretty much anything that can identify you counts as data under GDPR, including: your name, date of birth, address (including IP address), phone number, ID numbers (e.g. National Insurance or passport number) and photos.

There is also a secondary level of data, known as ‘special category’, which has much higher protection: this includes information such as race and ethnicity, biometric data (e.g. fingerprints), sexual orientation and health data. This information should only be processed if absolutely necessary.

If you are collecting any of the above data, you will need to carefully store it (and only for as long as necessary) if you don’t want to fall foul of GDPR. It’s worth noting however that there is no issue with fully anonymised data: so just tracking things like follower numbers or engagement rate is fine.

Why is GDPR relevant for me, in social media or marketing?

You may think that GDPR only affects those handling personal data every day, or for email marketing, but it can play a role in social media marketing. This is because GDPR is all about personal data…and by the very nature of ‘social’ media, we deal with people.

It affects you if you:

- Handle community management and have ever had to pass on a customer’s phone number, email address or customer number to customer support

- Run competitions that require customer data

- Upload custom audiences to Facebook or any other channel

- Run lead generation ads on any channel

- Take photos of people for social

- Share user generated content (UGC) with people’s faces in it on social

What’s the difference between a data controller and a data processor?

You may think that GDPR compliance isn’t your responsibility – that it lies with the company you work for or, if you work at an agency, with the client. However, responsibility lies on both sides.

There are two ‘levels’ of accountability when it comes to GDPR to make sure that everyone that plays a role is held responsible.

It’s important to know which of these you are, as both have different responsibilities.

Data controller

The data controller has the most responsibility of the two levels: essentially, they control the purpose of the data, and decide how and why it is being used.

Data controllers tend to have autonomy over how the data is processed, make the decisions on the data gathered and – in most cases – have a commercial gain from the processing.

Controllers also hold a level of responsibility for the compliance of the data processors.

Data processor

The data processor – as the name suggests – processes the data given to them by the controller. In most cases, the processor is a third-party company chosen by the controller to process the data – potentially an agency or a channel such as Facebook.

A data processor may use tools to gather personal data, as well as process it, for the controllers, or be responsible for storing the data gathered.

You can read more about the two roles and what they mean in this Information Commissioner’s Office (ICO) guidance – Data controllers and data processors: what the difference is and what the governance implications are.

What are the lawful bases for using data under the GDPR?

There are 6 lawful bases for using data:

- Consent

- Contract

- Legal obligation

- Vital interest

- Public task

- Legitimate interest

The two main legal bases for using data in the social media marketing sphere are consent and legitimate interest. Let’s discuss these in a little bit more detail.

Consent
Consent can be used as a legal basis if you receive clear permission from a consumer for the processing of their personal data – for example, they fill in a lead generation form and tick a box to say that they are happy to receive newsletters and other marketing.

For social media, this will mostly be used for custom audiences and for retargeting – but only if customers agree that their data can be used for marketing. If a customer consented to receive newsletters, but no other marketing was mentioned, consent cannot be the basis for adding them to a custom list on social: the data can only be used for the purpose for which it was agreed.

Consent must be freely given, informed and unambiguous – a person must know exactly what they are agreeing to. They can’t be ‘forced’ into it. You also need to keep documented evidence of the consent: such as a signed form or proof of a ticked box.

This takes us to another part of consent: it is opt-in and cannot be assumed. People need to tick a button, sign a form, click a link or in some other way manually accept this. Facebook and LinkedIn have changed their lead generation forms to give such a button and offer a general or personalised disclaimer and privacy policy. It’s also worth noting that consent checkboxes can’t be prefilled: they must be empty, with the user having to tick them to accept.

As consent is opt-in, people are also allowed to change their mind. There must be some way for the consumer to get in touch with you to do this: whether it is filling in a form or through an email address.

Legitimate Interests

Legitimate interests is a little less clear cut, and while it is very useful for marketers, some businesses take it very lightly: this may be the basis given by callers asking about a ‘recent accident’ or why you still receive emails from a hotel you haven’t been to in 10 years.

Correctly used, however, legitimate interests can help consumers.

For social media, it is mainly used when you have a previous relationship with a consumer – for example, people who direct message your page asking for help, or who have bought from you in the past. Essentially, people who you believe are your target audience and who will have a reasonable expectation that you would use their data in this way.

To be able to use this as your legal basis, you need to: identify a legitimate interest (this could be that it is essential for your business, or even based on their individual interests), show that processing is necessary to achieve it, and balance it against the individual’s interests and rights.

You can find out more about the test for legitimate interests on the ICO website.

Unlike consent, legitimate interest is opt-out, not opt-in. You don’t need to ask permission, but there needs to be a way people can opt out again: for emails, this could be a tick box to say ‘don’t contact me’ or a line in the privacy policy saying ‘email xxx@xxx to opt out’.

Keeping compliant under GDPR

Even if you have a legal basis for processing data, there are still further steps to make sure you are compliant.

If you hold raw data (e.g. a spreadsheet of names and email addresses), it must be password protected – and email accounts and computers should also be password protected, and locked when not in use. Where possible, data should be anonymised. Data should also only be kept as long as it is needed: this timescale should be agreed, and any data not needed deleted after this date.
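The sections on consent and on keeping compliant describe a handful of rules that are easy to state and easy to get wrong in practice: consent is only valid for the purpose it was given for, it must be backed by documented evidence, people can withdraw it, and records should be deleted once the agreed retention period has passed. The following is an added example (hypothetical code, not from the original article) of a small consent ledger that enforces those rules before a marketing team builds a custom audience export; the names, retention period and sample records are all constructed for illustration.

```python
"""Added example: a consent ledger that enforces purpose limitation,
withdrawal and retention before any marketing export is produced.
Hypothetical code written for this guide, not the article's own tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class ConsentRecord:
    email: str
    purposes: Set[str]            # e.g. {"newsletter"} or {"newsletter", "custom_audience"}
    evidence: str                 # where the ticked box / signed form is recorded
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Holds consent records and answers "may I use this person's data for X?"."""

    def __init__(self, retention_days: int) -> None:
        # Agreed retention timescale; assumed here, would be set by policy.
        self.retention = timedelta(days=retention_days)
        self._records: Dict[str, ConsentRecord] = {}

    def record_consent(self, email: str, purposes: Set[str], evidence: str, when: datetime) -> None:
        # Consent must name the purposes agreed and have documented evidence;
        # an empty purpose set or missing evidence is a prefilled/assumed consent
        # and is rejected rather than stored.
        if not purposes:
            raise ValueError("consent must name at least one purpose")
        if not evidence:
            raise ValueError("consent must be backed by documented evidence")
        self._records[email.lower()] = ConsentRecord(email.lower(), set(purposes), evidence, when)

    def withdraw(self, email: str, when: datetime) -> None:
        # People may change their mind; the record is kept but blocked from use.
        rec = self._records.get(email.lower())
        if rec is not None:
            rec.withdrawn_at = when

    def may_use(self, email: str, purpose: str, now: datetime) -> bool:
        rec = self._records.get(email.lower())
        if rec is None or rec.withdrawn_at is not None:
            return False
        if now - rec.granted_at > self.retention:
            return False                          # past the agreed retention period
        return purpose in rec.purposes            # purpose limitation

    def export_for(self, purpose: str, now: datetime) -> List[str]:
        """The only way to build a marketing list: every address is checked."""
        return sorted(e for e in self._records if self.may_use(e, purpose, now))

    def purge_expired(self, now: datetime) -> int:
        """Delete records whose retention period has passed; returns how many."""
        expired = [e for e, r in self._records.items() if now - r.granted_at > self.retention]
        for e in expired:
            del self._records[e]
        return len(expired)

    def summary(self, now: datetime) -> Dict[str, int]:
        """Aggregate counts only: safe to put in a report, no personal data."""
        active = sum(1 for r in self._records.values()
                     if r.withdrawn_at is None and now - r.granted_at <= self.retention)
        withdrawn = sum(1 for r in self._records.values() if r.withdrawn_at is not None)
        return {"total": len(self._records), "active": active, "withdrawn": withdrawn}


def demo() -> dict:
    """Constructed sample data showing each rule being applied."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger(retention_days=365)
    ledger.record_consent("Ann@example.com", {"newsletter"}, "lead form LF-1, newsletter box ticked", t0)
    ledger.record_consent("bob@example.com", {"newsletter", "custom_audience"}, "lead form LF-2, both boxes ticked", t0)
    ledger.record_consent("cat@example.com", {"custom_audience"}, "lead form LF-3, box ticked", t0 - timedelta(days=400))
    ledger.record_consent("dan@example.com", {"custom_audience"}, "lead form LF-4, box ticked", t0)
    ledger.withdraw("bob@example.com", t0 + timedelta(days=10))   # Bob opts out
    now = t0 + timedelta(days=30)
    return {
        "audience": ledger.export_for("custom_audience", now),   # Ann: wrong purpose; Bob: withdrawn; Cat: expired
        "newsletter": ledger.export_for("newsletter", now),
        "purged": ledger.purge_expired(now),                     # Cat's record is deleted
        "summary": ledger.summary(now),
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing every list through `export_for` is that the purpose check cannot be skipped by accident: a newsletter opt-in never leaks into a custom-audience upload, a withdrawn record stays on file as a suppression entry but is never exported, and `purge_expired` is the scheduled job that honours the agreed deletion date.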

GDPR is a complicated area, and the above is our understanding of it. If you are in doubt about anything related to GDPR, we recommend that you read the full ICO guidance and contact a lawyer for advice.
