How will GDPR effect my brand in Social?

07 November 2017 / Sally Rushton

At the recent DMA UK Legal Update in Manchester, Jaywing’s Head of Digital Engagement and DMA Social Council member, Sally Rushton, joined a panel of industry experts discussing the opportunities and challenges that GDPR presents for brands. Here, Sally discusses how GDPR will effect brands in Social Media, and how brands can review their social media strategy in light of the new legislation.

Much is being written about the impact of GDPR for brands and businesses as we fast approach May 2018. The new regulation will empower individuals over the data held by businesses and the rights they allow. Understandably, legislative changes of the scale of GDPR have raised concerns amongst those managing social media activity for brands as they try and make sense of how this will impact them.

Existing regulation (the Data Protection Act) has been deemed largely out of date, thanks in part to the large volume of personal data generated online. The implications of GDPR will neccesitate clearer consent in order to reach out to any potential consumer, across all channels. Brands cannot assume opt in, cannot pre-opt people positively, and can only keep data for a “fair use” amount of time before needing a re-subscribe. They must also offer individuals the right to remove all of their data easily, including backups and cookie data.

A key objective of GDPR is around creating more balanced, mutually beneficial relationships between consumers and brands. This reflects a position that has always been understood in social media – that fans are in control and can unfollow or unlike with a single click. Because consent is present in nearly all social media communications already, GDPR is likely to have less direct effect on social media marketing. That said, brands should nonetheless review and fully understand the new requirements, review existing data processes and assign someone with responsibility for maintaining compliant data records.

Transparency is key

In response to the forthcoming legislation, Facebook has embraced a transparent approach to privacy that empowers consumers to control how much personal information they share and with whom, and providing a clearer understanding of how their data is used on the social network. They released a public statement after the initial GDPR announcements, welcoming the news and aligning the plans more broadly with the company’s ongoing commitment to ‘giving users the tools to control their personal data’. The social media giant also took the opportunity to reaffirm their own terms and conditions, emphasising that “Facebook users have the ability to add, share or remove data however they choose, including to delete their entire accounts. Facebook users also have the choice to download their data, pictures, comments and full profile from the service.”

As far as consent and data use is concerned (two of the new rights under GDPR), these will effectively be covered by the terms and conditions and privacy notices of each of the social media software tools; updates to terms and conditions will inform users of what they are agreeing to by liking pages. However, for brands active on social platforms, there are some specific watch-outs:

While social media users will need to be presented with a clear privacy notice or similar, which is available for their consideration before they decide to sign up and start participating, that does not exempt brands from exercising proper care with use of personal data from social media followers. For example, it will not be acceptable to take a customer’s email address and then look to use that in any undeclared marketing or data processing activities.

If a social media handle is attached to a CRM account, then that would need to be provided voluntarily and not added independently. There is a growing number of examples of organisations who have ‘enhanced’ personal data beyond that provided. It is vital that brands don’t just assume that the person is happy to have their personal data held on an electronic system, especially if there is an intention of passing or selling that data on to a third party that the data subject has no existing connection to.

Given that the nature of a social media relationship is usually informal, a brand’s best approach could be to specifically ask whether people agree to having their details held on a CRM system. You might disclose this within a privacy notice, but regardless of your method, users do have a right to know and subsequent rights to validate their data, and even request that you permanently remove it.


GDPR is an opportunity for brands to review their social media strategy. It’s time to understand your online audience and what they need, want and expect of your brand. Remember:

  • Responsible data management is the responsibility of the entire business

    GDPR may sit within a designated team as an immediate task but ultimately it is the responsibility of everyone in the business. How you collect, manage and use customer data as a business is just good, ethical marketing.

  • Consider your value proposition

    Increased competition for consumer engagement will put further emphasis on the need for compelling content, a killer brand story and value proposition. Trust is taking on a new meaning and occupies a place of greater importance for social media marketers. Look to embody authenticity in the content you create in order to win and maintain the trust of your customer.

    Work with the brand experts in your team or agency to interrogate your brand and proposition. Be clear about what you have to offer in social media and how you can best represent the views of your customer to ensure everything you offer has value.

  • Define your role

    Competitions and promotions have their place, but attracting real fans and fostering long term relationships will arguably become much more challenging. Define your role – make it meaningful for your business and your audience.

  • A brand and business response

    Any conversations about the implications of GDPR on social media should be part of a wider brand and business response. An open dialogue and listening organisation has always been an integral ingredient to successful brands in social media. It is likely that many consumers will turn directly to brands in the coming months, asking questions about GDPR and data. Brands need to ready themselves to answer these questions, learn from wider online listening about the questions their customers have regarding data collection, management and use.

Permission is

Why listen to us?

If you had to create a consultancy specifically for GDPR, it would look a lot like Jaywing. We’re a data science-led creative marketing agency working with leading brands across many sectors, managing their data, risk and marketing.

Maria Vardy

Managing Director

Gavin Shore

Creative Director

John McDermott

Consultant

Inderjit Mund

Data Practice Director

Philip Slade

Director of Strategy


Work with us on your GDPR strategy.

Email hello@jaywing.com or call us on 0114 281 1200.