On 25th May 2018, the most important change in data protection and privacy regulation for 20 years comes into force: the GDPR. In this blog, we take a look at how the GDPR is set to affect social media marketing and the key things you should be aware of.

The new legislation could not be more relevant, with data privacy, online security and user consent making daily headlines thanks to Facebook’s huge Cambridge Analytica data breach scandal. This is legislation moving with the times of the current digital landscape, and it will future-proof businesses and consumers.

GDPR is worrying a lot of business owners, but we believe the regulation of companies using and retaining customer information can be seen as a positive. It will ensure that there is much more trust between brands and customers. No more spam emails, for example – hoorah!

We’ll explain more about why this is a positive in this blog, as well as offering a variety of great resources to discover more about GDPR.


What is GDPR?

The General Data Protection Regulation applies to companies who are based in the EU and global companies who process personal data about individuals in the EU.

Many of the principles are built on current EU data protection rules, but the GDPR has a wider scope, more prescriptive standards and substantial fines.

Key changes involve legitimate use of data, and the requirement for user consent. Businesses will need to ask user permission for gathering personal data, and will need to supply a legitimate reason for needing to use that data.

The GDPR applies to personal data, meaning any information relating to an identifiable person, who can be directly or indirectly identified, in particular by reference to an identifier. This covers a wide range of data, including name, ID number, online identifier, location data etc. It also includes data gathered by cookies, such as a Facebook Pixel.

Individuals will need to consent to giving their personal information through clear and prominent mechanisms – The Information Commissioner’s Office

You may have heard the term ‘active opt-in’, which the Information Commissioner’s Office recommends in its GDPR consent guidance.

This means individuals will need to consent to giving their personal information through clear and prominent mechanisms. You may have already seen popups or received emails detailing new privacy terms from companies, where you have been required to consent.

Individuals should also be able to withdraw consent from a business easily, giving them more power and control over their personal data.

Without this opt-in consent, you won’t be able to send an email, or drop cookies on users without making your privacy policy and your cookie policy extremely clear to your users.

You can read more about this in the ICO’s excellent GDPR guidance and checklist here.

 

How does the GDPR affect social media marketing?

Social media sites such as Facebook, Instagram, LinkedIn, WhatsApp and Twitter already have robust privacy terms which cover users’ rights and requirements for consent. This means your business will not need to gain additional consent from your communities and followers on each of the platforms.

The key areas where GDPR affects personal information are:

1. Email marketing subscriptions

Anywhere in social media where you are collecting, storing and transferring personal data falls under the GDPR. Typically, this will be places where you are collecting email addresses via sign-up forms, such as a Facebook tab within a Page dedicated to driving subscribers to an email newsletter.

The changes mean that your followers will need to give clear and unambiguous permission (opt-in). Consenting to marketing communications has to be recorded, verified and unambiguous. This will likely be a checkbox that should be ticked by the user to accept the business’ privacy policy.

Under GDPR it is a mandatory requirement to be able to prove that the recipient had given valid consent, and a double opt-in procedure is a highly recommended and well-established process of proving that. Double opt-in requires a subscriber to ‘tick a box’ to receive marketing material, and then receive an email asking them to confirm their email address. No pre-ticked boxes or opt-out boxes will be allowed.

For more information on double opt-in, which is recommended if you are based in the EU, take a look at Mailchimp’s information here. Oh, and check out their handy guide on GDPR. Mailchimp has just released brand new GDPR-friendly forms, so you can reach out to your subscribers before 25th May to check if they wish to opt in to continue to receive your emails. Look out for ours!

We would not advise ‘bribing’ or ‘incentivising’ people to opt in to your subscribers list (with a discount code, for example) as this might not be considered as a customer freely offering their information.

We’d really recommend listening to the We Are Spectacular Marketing Podcast on GDPR here

2. Social Media Competitions

If your business is running social media competitions where you require a customer’s email address in return for an entry, then again you need to ask for consent.

The alternative to this would be running a competition where you do not require and gather customer data, such as asking people to comment on an Instagram or Facebook post. As this activity is happening within the social media platforms, they are known as the ‘data controller’. This means that their own privacy policies will cover how they manage and store this information.

3. Facebook Advertising through Custom Audiences

Any advertising within social media should automatically be covered by the terms and conditions stated by the platform. However, there are some options within Facebook, Twitter and LinkedIn that allow you to upload your own bespoke customer data, and send highly targeted adverts to these customers. 

Let’s take Facebook Custom Audiences as an example. There are two ways you can use Custom Audiences: email, and website traffic through cookie data. If you have uploaded customer email addresses to Facebook, these email addresses are encrypted – but you must ensure that your customers are aware that they are going to be marketed to via adverts within these social media platforms. This means updating your privacy policy, and then ensuring that your customers have agreed to your privacy policy through an email or website popup.

 

 

With any Custom Audience, we hash your data, cross-check the data with ours and create your audience for you. The data that is hashed, is only used to match an audience and to protect the privacy of the people who use our platform, this information is not distributed – Facebook 

If you collect your web traffic data using a Facebook Pixel, and then advertise to these visitors – again you must be clear about this on your website. They must have information about how you plan to advertise to them.

4. Children under 16 

Children under the age of sixteen will need their parents’ consent before accessing social media platforms.

5. Outsourcing your social media

If you are outsourcing social media management, then you will need a data processing agreement with any suppliers. There must be a written contract when one business processes personal data on behalf of another business.

You can read more about GDPR and outsourcing your social media in this excellent blog post by our fellow accredited Facebook trainer, Luan Wise. 

It is a wise idea to ensure all company staff members have awareness of the GDPR and have an understanding of how personal data should be managed.

Although GDPR will cause you some extra work, this is a fantastic opportunity to clear up your database and ensure the customer data you gather is meaningful and valuable. The customers who offer their data are actually going to be interested in your products and services – rather than someone who will delete every email they receive, or scroll past an ad they see on Instagram from you.

The ICO will be investigating and by all accounts will be fairly enforcing this. If they can see you have broken the rules, they will begin a conversation with you – rather than fine you straight away. A lot of the principles in the GDPR are self-interpreted, so if your business has a good reason or can fairly back up why you are using certain methods, then you should be just fine.

Final tip: You need to check out Suzanne Dibble’s Facebook Group here. She is a small business legal expert, and answers key questions in videos and live chats. 

*All of the information above has been gathered from various credible sources online; we do not claim to be legally qualified and the above should not be taken as the final law.

**We will be updating this blog as and when we receive more information.