Apr 23, 2018

What does GDPR Mean for Social Media Strategies?

by Digital Marketing Institute

At the end of May 2018, new legislation will come into place that’s focused on ensuring strong data protection for customers in the EU.

The General Data Protection Regulation (GDPR) has already been in effect in an unofficial way for the past couple of years, but will officially be in place this year. It’s a trending topic in the tech space today, and especially in the realm of digital marketing, because with the extra focus on privacy, it may mean that marketers have less access to the type of data that they need to build successful digital campaigns.

But how much cause is there to worry? What does this mean for tech and big data? And how will the GDPR affect digital marketers who are actively engaged in social media?

What is GDPR?

Though this policy is primarily aimed at EU citizens, it also covers those who are in possession of EU-based personal data. Its focus is to ensure that consumers have rights such as:

  • The right to erasure
  • The right to restriction
  • The right to object
  • Information notices

With this new legislation, firms will have to be explicit about the ways in which they collect personal data for marketing purposes, asking specific permission as they collect as well as offering consumers a specific reason for having the information.

One purpose is to prevent businesses from holding onto data for long periods of time without using it -- essentially, the policy puts an expiry date on data usage.

As companies acquire a conscience, they are getting into the habit of offering complete transparency when it comes to data acquisition and usage.

The point of the policy is to offer EU citizens optimal protection, so that their data is protected from misuse and remains fully under their control. One part of the policy that ensures this is that it offers consumers the capacity to withdraw consent.

Those who fail to comply with GDPR may be punished by fines equivalent to up to 4% of their annual turnover or €20 million.

What Constitutes Personal Data?

The GDPR classifies personal data as anything that can be used as part of identification. Beyond the obvious name, phone number, and addresses, this also includes:

  • Bank information
  • Photos
  • Any numbers pertaining to financial accounts
  • Medical information
  • Information (such as names) associated with social media posts

Some of these are more direct than others and to that extent, whether or not there is a “breach” could be more difficult to figure out.

For instance, there are new technologies which allow marketers to more easily track shoppers in real time based on their MAC address, which is similar to an IP address. Retailers will be able to track buyer behaviour, which in itself isn’t a breach; however, it would be considered a breach based on clauses that focus on monitoring behaviour -- essentially, anything that equates to spying, profiling or analyzing without permission is punishable.

To this end, it’s important that businesses understand that personal data also includes digital identifiers like IP and MAC addresses and cookies used for analytics, advertising and chat tools.

How Social Media Strategists can Prepare for GDPR

Businesses across many sectors, but particularly those that focus heavily on the digital sphere, such as digital agencies and tech companies, are concerned that this set of rules, designed to ensure consumers feel protected, will be burdensome when it comes to enforcement.

Active Opt-Ins will be Key for Social Media Managers

Digital marketing professionals who aren’t directly in charge of storing and analyzing large amounts of data but who will be on the front lines of collecting significant amounts of personal data for marketing activities need to be aware of specific steps that they should be taking in order to be GDPR-compliant.

One key step in this regard is ensuring that they offer active opt-ins as people are newly engaging with content and social streams. Mobile opt-ins will be more connected to social media and typically take the form of a popup that asks for your authorization from the social app.

Though they are already regularly in use, the GDPR rules mean that the forms will be more detailed about what types of information are being collected and why they are being shared -- in other words, the privacy and compliance notices will typically consist of more than one “checkbox” in order to be explicit about the various types of data that they are collecting.

More Explicit Privacy Notices Connected with Social Usage

Social media professionals would be wise to have clearer privacy notices associated with all of their marketing activities in order to ensure that participants are clear about the way they’re using data. This is especially important for consumer confidence in light of recent data breach issues via Facebook.

Establish a Clear Social Media Policy

Social leaders will also want to establish a clear policy within the structure of a given company that pertains to the GDPR specifically. This should be a detailed and formal document intended to educate and inform anyone involved in social media management about the correct rules surrounding the GDPR. It can also outline the types of policies that are already in place on various networks, and discuss how to correct errors.

Major Social Sites are in Compliance

Facebook recently announced that they now have global privacy settings that are GDPR compliant. This means that transparency is built into the social platform, making consumers more confident about the way they’re sharing data on the platform. LinkedIn, WhatsApp and other platforms will similarly have more detailed privacy notices automatically built in, which means that social managers don’t have to worry about any data that they collect via the sites constituting a breach of contract.

Still, it’s a good idea for marketers to ensure complete privacy and transparency, especially if they are agencies or otherwise not completely clear on the extent to which their clients have used data in the past. They can do this by helping to establish clear and easy-to-understand privacy notices when dealing with UK-based clients and partners.

Preparing for the GDPR

GDPR terms are focussed on EU consumers but businesses from the US and other countries still need to be aware of these rules and remain compliant if they have clients and customers in the EU. US sectors that are most likely to be affected by the policy include any bigger company that routinely collects cross-border data, including SaaS, hospitality, travel, and retail.

The policy applies to consumers who are in the EU at the time that the data is collected.

Any activity that is part of collecting data doesn’t have to involve any financial basis, which is why digital media managers across all spectrums including social media need to be wary of the policy.

The Information Commissioner’s Office has designed a guide for organizations and professionals to review as they prepare to become GDPR compliant.

Here are some key points covered:

  • Understand how to clearly assess the data that you have and that is shared with other parties. You need to have a clear idea of what is in your hands now so that there is no accidental breach.
  • Review the ways in which you’re currently approaching consent and document how you are handling all of your data and records, and understand what will happen should an individual request access.
  • Know how you are going to manage information in reference to children and obtain proper consent from guardians.
  • Understand what will happen in the case of a privacy breach and know how to report it.
  • Designate or hire a qualified data protection officer to manage all areas of data collection and privacy.


The EU has put this policy into place because they are committed to ensuring privacy in the face of technology, big data and globalization policies that increasingly use personal data for marketing and other activities. The purpose is to facilitate trust and transparency and ensure that companies are managing data in line with a certain set of ethical standards.

All companies need to remain aware that the collection of data does certainly cross over into many digital marketing activities. So if you are a digital marketing firm that’s US-based but that’s working with EU-based firms, you need to have a conversation with them about what they’ve put into place.

To this end, digital marketers must be aware of the ethics behind personal data use, even if they’re not directly involved in the storage and handling of mass data like major tech and social media companies typically are. They must also be aware of what types of digital trends are associated with GDPR activities.

An explicit acknowledgement of such policies shows consumers that you care about their privacy and can go a long way towards facilitating trust and customer loyalty in the long term.
