General Data Protection Regulation (GDPR) & Social Media

Jamie Jean Schneider Domm

Digital Strategist for the North American Division. ​​​

Source: www.eugdpr.org

What is the GDPR?
The General Data Protection Regulation (GDPR) is a new data privacy regulation that aims to give individuals in the European Union (EU) protection and control over their personal data. This affects how organizations can collect and use personal data starting May 25, 2018. These regulations are applicable to all organizations who process and hold the personal data of EU residents, regardless of the organization’s location. Organizations outside of the EU must comply with these regulations when collecting data on individuals living within the EU.

What constitutes personal data?
The GDPR applies to “personal data,” meaning any information relating to a person who can be directly or indirectly identified by the data collected. This includes, but is not limited to: name, identification number, location data, or online identifier, and may expand as the technology used to collect information about people changes. 

What are the penalties for non-compliance?
Organizations breaching GDPR can be fined up to 4% of annual global turnover or €20 Million Euro, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines. For example, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors—meaning “clouds” will not be exempt from GDPR enforcement.
For more in-depth information on the GDPR, visit www.eugdpr.org.

How does the GDPR affect organic social media marketing?
Since organic social media activities such as posting content and engaging fans do not involve the collection of personal data from people, these efforts will be largely unaffected by the regulation.

How does the GDPR affect social advertising?
If you run social media ads (especially lead generating ads) and use pixels, there are several things to be mindful of when placing these types of ads. Under GDPR, if you want to use your members’ data or track their behavior for promotions, you must obtain legal consent to do so. More clearly stated, you are required to obtain explicit opt-in consent from your members. Please refer to the regulations for the requirements for obtaining consent.
​
The following social advertising features use uploaded customer data, collect personal data, or track behavior and are, therefore, affected by the GDPR. This is not an exhaustive list; please refer to the resources provided by each platform on which you place advertisements. 

• Facebook Pixel
• Facebook Custom Audiences
• Facebook Lead Ads
• LinkedIn Matched Audiences
• LinkedIn Insight Tag
• LinkedIn Sponsored InMail
• LinkedIn Lead Gen Forms
• Twitter Pixel
• Twitter Tailored Audiences
• Pinterest Tag
• Pinterest Audiences

Facebook & LinkedIn lead forms now allow you to add a custom disclaimer, optional consent checkboxes, a link to your privacy policy, and room for custom text to state how you’ll be using the collected data.

For more information on how these advertising tools are affected, please refer to the following resources provided by the platforms:

• Facebook
• LinkedIn
• Twitter
• Pinterest
• Snapchat
• Instagram

While the GDPR does not apply to individuals residing outside of the EU, many of the requirements are still considered best practices and organizations are encouraged to follow them.

Additional resources:

• General Data Protection Regulation (the official website)
• GDPR: What Growth People Need To Know (by Reforge)
• MailChimp’s GDPR Guide (by MailChimp)
• GDPR Compliance for Email Marketing. A Step-by-Step Guide. (by We Compose)