Understanding the compliance requirements of using social media for business in the UK
With the proliferation of social media, today’s businesses realize that social media is a crucial sales and marketing tool that, when used correctly, will contribute to their bottom line. The business benefits of social media are many: social networks, including LinkedIn, Facebook, and Twitter, allow businesses to raise brand awareness, cultivate client relationships, generate leads and referrals, bolster sales results, recruit top talent, and enable employees to establish themselves as trusted experts in their field.
To reap the full benefits of social media, however, companies must plan and account for a slew of legal matters, including advertising and marketing rules, employment matters, protection of proprietary and confidential information, and privacy and branding issues that could plague a company if left unchecked. Additionally, financial services organizations in the UK must ensure that all of their social media activities comply with the rules on communications and financial promotions set out by the Financial Conduct Authority.
This article will only explore the privacy matters that businesses in the UK need to be cognizant of when using social media.
The UK Information Commissioner’s Office (“ICO”), the UK privacy regulator, recently published new guidance on the use of social networking and online forums for business. The guidance reiterates that businesses using social media must do so in compliance with the UK Data Protection Act 1998 (“DPA”). Accordingly, businesses that use social media should review their DPA obligations to ensure that they are in compliance when posting personal data, and even when third parties can add personal data to their social media accounts. In addition, the guidance recommends that, where users use social media for both purely domestic and non-domestic (e.g. work) purposes, they create separate accounts. It is best that businesses require in their social media policy, to the extent possible, that their employees keep their business and personal social media accounts separate.
If a business has a social media presence in the UK, the first step is to determine if it will be considered a data controller under the DPA. Under the DPA, a “data controller” is “the person (who either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”
The ICO confirms that the operator of a social network will be a data controller in relation to any contact information or other personal data that the site operator processes about the users of such network, and will need to comply with the DPA. In addition, the ICO has confirmed that businesses using social networks for their own business purposes (for example, a business promoting its products using an official Facebook page or Twitter account) may fall under UK data protection legislation too. As such, if a business owns at least one social media page or account, it may be deemed the data controller of that page or account.
Data controllers must take reasonable steps to ensure the accuracy of personal data. If an organization is deemed to be a data controller of its social media site, then it should designate administrators who will be responsible for taking reasonable steps to ensure that any personal data posted on its site (including by consumers or other third parties) are accurate and, where necessary, kept up to date in order to be compliant with the DPA.
The ICO suggests the following reasonable steps:
- A clear and prominent policy for users about acceptable and non-acceptable posts;
- A clear and easy-to-find procedure for data subjects to dispute the accuracy of posts or to request their removal; and
- Quick responses to disputes about accuracy, and the ability to quickly remove or suspend disputed content.
The ICO has the authority to investigate, fine, and take other actions against businesses which it finds are not complying with their DPA obligations. More generally, the ICO and other regulators are increasingly interested in businesses’ social media presence and in ensuring that individuals’ rights are protected.
Protecting the personal information of individuals should always be at the forefront of any business risk mitigation. Social media is just another forum that businesses should consider for such risk mitigation.
It is clear that a significant amount of the information derived by or from social media sites constitutes personal data and that such information is therefore subject to the EU data privacy regime. A software solution like the Hearsay Social platform can assist with mitigating such risks by providing organizations with notifications when inappropriate keywords are used and enabling real-time remediation of problematic posts and tweets. With Hearsay Social, businesses can specifically monitor for and filter out any personally identifiable information such as phone numbers or national insurance numbers.
Hearsay Social’s enterprise technology enables top financial services firms and their advisors and sales representatives to more efficiently and successfully leverage social media to prospect, retain clients, and expand business, all while minimizing reputational and regulatory risk. Beyond the monitoring and filtering described above, the Hearsay Social Compliance Solution helps legal and compliance teams meet social media regulatory requirements covering policy, training, content, supervision, and record keeping. With customizable workflows and notifications, the solution radically streamlines the supervision and review process, while the Content Library enables marketing professionals to distribute pre-approved brand content to financial representatives in the field.
Disclaimer: The material available in this article is for informational purposes only and not for the purpose of providing legal advice. We make no guarantees on the accuracy of the information provided herein.