These last few weeks, we at Social Bods have been getting ourselves ready for the new GDPR regulations. It’s been a distraction that we could have done without as a small business, to be honest, but we’re on our way to showing that we are, as we pretty much always have been, compliant with at least the spirit of the regulations.

What is GDPR?

GDPR – The General Data Protection Regulation – is an EU regulation on how companies collect, store, and use data on EU residents. It aims to give more control to individuals over the what, whens, and wheres of their data, and put more onus on companies and organisations to use personal data more responsibly and ethically. Overall, it’s a good thing for us as EU individuals, even though it is making more work for companies of all sizes in the meantime.

Do we need to worry about our social media marketing under GDPR?

Yes and no.

It’s quite good news actually. The major social media networks – Facebook (who also own Instagram and WhatsApp), Twitter (who also own Periscope), and LinkedIn have been working hard towards GDPR compliance for a long time now. This isn’t unfamiliar territory to these organisations who have had the US version – The Privacy Shield – for a couple of years.


For all intents and purposes, social media networks are both data controllers and data processors – for a full breakdown of what this means, see 

When someone signs up to a social network, such as Twitter, Twitter tells them what information they collect on them, and for what purpose. Twitter becomes the data controller – they decide what information to collect, why, and how they use it. For us as users, we don’t need to worry about getting ‘consent’ to market to our audience through Twitter as Twitter have already done that for us. It’s the same for LinkedIn, and for Facebook.

If someone wants to follow us, or one of our clients, on a social network, then they have consented to seeing our/their content in their newsfeeds from time-to-time. If they don’t like what they see, then it’s easy for them to unfollow again. No user is forced to follow a brand page or account, and no personal data that they haven’t volunteered already passes to the brand who is being followed. It’s quite an ethical way of doing marketing if you think about it, and GDPR will make it even more secure.

Social media is fully consensual, as long as you keep activity within the scope of the platform. As Twitter themselves say…

“Twitter is primarily designed to help you share information with the world. Most of the information you provide us through Twitter is information you are asking us to make public.”

If someone doesn’t want to be marketed to on social media networks, they can choose not to follow brands, choose to maximise their privacy settings or choose not to be on social media at all. If they want to access your company’s products and services, then there are plenty of other ways to do this without being present on social media sites.

To see Twitter’s privacy policy, see 

What about private messages?

Private messages within a social network could potentially be classed as marketing messages under GDPR. If you send one without permission, then this is likely to be classed as an unsolicited marketing message. However, this should all be covered in the social network’s own privacy policy. If the network allows direct messages, then this should be fine. The individual can easily withdraw consent for receiving further messages from you by taking easy, reasonable actions. For example, on Twitter, this can be unfollowing you so that you can’t send them a direct message. That said, sending too many of these is never a good idea, whether from a GDPR or a PR perspective.

LinkedIn has confirmed that InMail (a service provided to paid members) is perfectly acceptable under GDPR. LinkedIn seeks that consent from within their privacy policy, so you don’t have to.

HOWEVER, you must still be careful. If you as a business abuse this facility to an individual (though it could be argued that all users on LinkedIn are individuals, even if they are acting on behalf of their company) then you may fall foul of GDPR, as well as making yourself look like a stalker. Don’t forget that the deadline for GDPR compliance has not passed yet and there is yet to be any precedent for who gets prosecuted and fined – don’t become a test case!

What’s the big problem?

The problem with marketing on social media is when data is taken from the platform and used for other purposes. When someone joins a social network and then follows your brand page, they are consenting to being on social media, sharing certain amounts of personal data (depending on their privacy settings), and seeing your social media updates.

They are NOT consenting to you using their email address or other details to send them emails, cold call them, or send marketing materials through the post. GDPR says you must get explicit, granular consent for the data you collect for marketing purposes.

For example, a client once asked us how they could download a list of their contacts on LinkedIn complete with email addresses so they could add them to a mailing list. You can. It’s an option in there and it’s very easy to do. The issue would arise if, using this list of emails, you then went on to contact individuals in a way that they haven’t consented to. In downloading the emails from LinkedIn, you would cross the line from data processor into data controller, and you would then need to take appropriate and reasonable measures to ensure the accuracy and security of that data, specifically that which relates to individuals rather than businesses.

In this instance, you would almost certainly want to separate out company email addresses (info@ for example) from individual email addresses (johnsmith@ for example) to ensure full compliance with GDPR.

You could argue that data you’ve taken from your LinkedIn connections is ‘legitimate interest’ rather than falling under consent, but I know that I would be cross if I’d chosen to connect with someone on LinkedIn only, and then found myself being spammed on email instead. You have to consider the needs and rights of the individual and balance that with your own legitimate interest.

I can’t think of any other instances in social media marketing where we’ve been asked to take data off-platform and use it elsewhere. On a day-to-day basis, GDPR will not affect how we carry out social media marketing activity for our clients. The compliance bit comes in how we process data which comes to us through social media, such as when people send in CVs or disclose their date of birth or other data to us thinking that they’re talking to someone who works directly for the brand. That’s the tricky part of social media: how you can grant access to the accounts to people such as your staff or a contractor and still maintain data security and integrity. In a lot of cases you can’t, but you can train your staff about the significance of GDPR and write policies which explain how such data should be processed. If you are an agency, or any business, which employs staff who process data, then you certainly should be providing GDPR training.

Facebook and targeted advertising

In the case of Facebook advertising, Facebook has confirmed that when you pay for an advert on their site, they use their users’ data to decide who gets shown that advert based on the parameters you set when paying to boost a post or set up an advert. You don’t need to see the data of individuals – Facebook does all that. You are a paying customer who is neither a data controller nor a data processor. Facebook is the data processor.

When you upload a list of your current customers’ email addresses to create a custom audience, then you are the data controller, and Facebook becomes the data processor – you have the responsibility to ensure the integrity of the data you are supplying to Facebook. There are rumours that Facebook is dropping the ‘custom audience’ feature, but I’ve also spotted this recently which suggests that Facebook is keeping the custom audiences feature but putting the onus back on the brand to make sure the data is OK to use and that consent has been obtained.

Either way, if Facebook does continue with the custom audiences feature, then you have to make sure that you have received consent to upload your customers’ data to Facebook with the purpose of ‘re-marketing’. We’re not sure whether this is realistic, but it’s a good compromise which clears Facebook entirely of misusing your customers’ data.

GDPR is not a major problem if you use the social media networks ethically and are always bearing in mind the issue of ‘consent’. Under normal day-to-day use, GDPR has minimal impact on the use of social media for brands and businesses.

Need to know more about how GDPR affects your business? I have found Suzanne Dibble’s GDPR module of her Small Business Legal Academy to be invaluable – there are document templates which could cost you hundreds of pounds, and a fantastic Facebook group which is a supportive community of other business people facing the same questions and issues in order to get GDPR compliant for the 25th May. Watch the 2-hour seminar now to see what action you may need to take to show your own compliance.

If you need help with GDPR, and quickly, then come and join her community at  *affiliate link 

In the meantime, please be assured that we at Social Bods are doing everything necessary to show our compliance with GDPR. We already do things properly, but GDPR is helping us to do things properly-er!
