From Data Protection to GDPR and the impact on social media

With the General Data Protection Regulation (GDPR) fast approaching for all organisations, it is important to understand where it has come from and the potential impact of GDPR on social media management from a business perspective.

In 1998 the current Data Protection Act (DPA) came into force, designed to protect an individual’s ‘Personal data’ stored electronically or in an organised paper filing system, and is enforced by the Information Commissioner’s Office (ICO). It gives legal rights to individuals who have their personal data ‘processed’.

The EU’s new General Data Protection Regulation (GDPR) rules, which are due to come into effect on May 25th 2018, are essentially an update to the Data Protection Act (DPA). Some of the existing elements are retained, but importantly it introduces much stricter rules (and punishments for organisations breaking the rules) related to getting explicit consent from individuals to store and process their personal data, and how organisations are required to respond to any changes to the stored data. As such, the new rules will potentially have an impact on marketing, communications and other customer-facing teams who regularly capture and store data of prospects and customers.

Find out what SoCrowd is doing to prepare for GDPR by visiting our GDPR Compliance page here >>

Key GDPR definitions

At this point it is worth explaining some of the key terminology associated with the GDPR:

Data controller

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data processor

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.


Processing

Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.

Personal data

Personal data is any information that would identify a living individual from the information that is held on the individual and includes any opinion expressed about the individual, but excludes anonymised data.

Personal data is categorised as either non-sensitive or sensitive. Sensitive data includes things such as racial or ethnic origin, political opinions/membership of a trade union, religious beliefs, physical or mental health condition, sexual life and any alleged offences/legal proceedings.

The Data Protection Act sets out eight principles governing the use of personal information which all organisations must comply with, unless an exemption applies. In summary these are:

  1. Personal data must be processed fairly and lawfully (2 individual tests)
  2. It should only be collected and processed for limited purposes
  3. The information must be adequate, relevant and not excessive
  4. It must be accurate and kept up to date
  5. It should not be kept for longer than is necessary
  6. It should be processed in line with the rights of the data subject
  7. Personal data must be protected by ‘appropriate technical and organisational measures’
  8. It should not be transferred outside of the European Economic Area unless the country the data is being sent to has ‘adequate’ data protection

GDPR regulations

The EU’s General Data Protection Regulation (GDPR) introduces strict new guidelines which all organisations that handle the data of individuals who live inside the EU must adhere to. It builds on the original Data Protection Act and has the following additions:

  • Same basic principles as current Data Protection law, but strengthened
  • Greater accountability for both organisations and employees
  • New rights for individuals, and strengthening of existing rights
  • A requirement to report any breaches
  • Data Protection Officers need to be put in place and organisations need to conduct Data Protection Impact Assessments
  • Higher penalties for non-compliance
  • Data processors will also be liable

There is a huge amount of guidance in this area, and marketing managers must contact their organisations for more clarity. If in doubt, please visit the ICO website.

Impact of the GDPR on organisations

The best way to combat GDPR is to go back to basics when it comes to the data you collect and store. The key theme coming from the EU is ‘privacy by design’. This means you have to plan and decide how an individual’s personal data can pass through your organisation in a safe and secure way. This data can vary from:

  • Name and email address of marketing leads in your CRM database
  • Home address details of paying customers

Prior to obtaining this data, as an organisation you will have to ask individuals for permission to use their personal data, whilst simultaneously supplying them with a legitimate reason as to why you need their information. Transparency is key to being compliant. Once it is decided that legitimate use of the data has expired, the information will have to be erased (this can vary in time).

Impact of the GDPR on social media & marketing

It’s good news! Much like the SoCrowd platform, the social media networks themselves have privacy notices already built-in which ensure they are compliant. Audiences on social media already give clear and transparent consent to organisations in the way of ‘liking’ or ‘following’ a business on social.

In the eyes of GDPR these consumers have given their consent to receive marketing messages via social. However, they can stop this just as quickly by opting out from receiving updates and marketing communication, by unfollowing or un-liking the social media page. As such, the challenge for organisations of getting consent is virtually eliminated specifically on social media. Further, it allows brands to increase engagement by producing content that your audience are genuinely interested in.

To read more about GDPR and SoCrowd visit

Disclaimer: The information given on this website is neither a definitive guide to EU data privacy nor legal advice for your company to use in complying with EU data privacy laws such as GDPR. Instead, it provides background information to help you better understand how SoCrowd has addressed some important legal points. This legal information is not the same as legal advice, where a lawyer applies the law to your specific circumstances, so we insist that you consult a lawyer if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.