24th November 2017
Charities and social media: How to remain compliant with the General Data Protection Regulation (GDPR)
For many charities, maintaining a presence on social media is a key tool in building a profile and is increasingly vital for marketing purposes; it can provide an easy way both to keep in touch with supporters and to share news with an audience well beyond a traditional mailing list. But trustees need to ensure that they follow best practice in order to protect their assets and avoid the pitfalls which can lead to significant enforcement penalties (enforced by the Information Commissioner’s Office) and damage to reputation. Penalties may hit a charity hard, but it can take even longer to recover from a loss of public trust.
Like the Data Protection Act, the GDPR, which comes into force on 25 May 2018, will apply to the use of social media in a business (or non-domestic) context. The GDPR is intended to bring our data protection laws up to date, so that we are better able to deal with the advances in technology and the novel ways in which personal data can now be shared and used. The preferred approach under the GDPR is for an organisation to obtain specific and informed consent from individuals, before processing their personal data. It’s important that charities remember that this applies equally to social media as it does to more traditional marketing methods.
With any luck, a charity’s social media page will attract a number of followers. In following or supporting that page, the individual is likely to disclose their name and, potentially, a way of contacting them directly. Handling this data will engage the rules of the GDPR, for example, if the charity creates and maintains a list of followers. Before using that personal data or contacting any of those individuals directly, best practice requires the organisation to obtain their consent to do so unless such use can be justified for ‘legitimate interests’ (although it should be noted that in the case of any doubt on this the legitimate interests of the individual will prevail over those put forward by the charity). The charity should consider carefully whether the ‘legitimate interest’ justification may properly be used before doing so.
Any direct communication will also engage the Privacy and Electronic Communications Regulations 2003 (PECR), which apply to marketing by electronic means. Again, the organisation should obtain consent before sending any marketing material direct to an individual.
Maintaining an active online presence often involves uploading posts to social media. These posts themselves, whether uploaded for specific groups or for all the world to see, generally will not constitute direct marketing and so will not engage PECR. However, from a GDPR perspective, charities will need to consider the use of any personal data in the post itself. For example, has an employee specifically consented to the use of their name in that way? Similarly, has consent been obtained to use any photographs which identify supporters, or members of the public?
Whilst navigating the requirements of the GDPR may feel like a minefield, compliance is achievable and should be considered at the soonest opportunity and certainly before the new law comes into force next May. For further advice on how to comply and guidance on your responsibilities, please contact a member of our Charities team.
For more specific information on data protection compliance and the GDPR, please contact Hannah Thorogood or Val Lambert via the following email addresses: firstname.lastname@example.org or email@example.com