Influencer Marketing, Social Media And GDPR: How to Navigate the New Rules of Engagement
You may have heard the buzzing around the web about the May 25th implementation of Regulation (EU) 2016/689, most commonly known as the General Data Protection Regulation (GDPR). The regulation, which governs how brands, service providers, organizations, and marketers use the data they collect from EU residents, will be the most drastic change to affect data privacy in more than twenty years.
And it’s a big deal.
With 173 Recitals (business requirements) and 99 Articles (rules), the General Data Protection Regulation affects just about every business - including freelancers, influencers, and sole service providers - that engages in social media marketing, influencer marketing, or any form of list building.
The penalty for failing to comply can literally put you out of business. So, let’s spend the next few minutes unpacking everything you need to know about the GDPR, and how it will affect your influencer marketing strategies.
What Is GDPR?
The General Data Protection Regulation is an EU law that governs how an individual’s personal data is to be collected, used, processed, and stored. It is a unifying law for all 28 members of the European Union to ensure that all across the continent of Europe, data privacy and protection laws are the same.
Now, this doesn’t technically include post-Brexit UK, but you can expect the UK to adopt a comparable set of regulations, according to the UK’s Information Commissioner’s Office (ICO). The ICO is an independent authority that upholds information rights. The ICO will oversee the implementation of GDPR.
I’m going to do you a solid and tell you the two big, fat takeaways right now:
Privacy (use and collection)- GDPR makes it the responsibility of the marketer, organization, brand, FB group owner, etc. to prove that any EU citizen (data subject) on their list willfully chose to share their data. And as a marketer, you have to be able to prove it. The data subject retains control over the myriad ways in which you are allowed to use their personal information, how much of it you can use, and the length of time you are allowed to use it.
Protection (logistics)- After you get explicit, documented permission to use his or her personal information, you’d better make sure that information is protected, whether you process the data in-house or by using a third-party processor. The data collector is 100 percent responsible for what happens to a data subject’s personal information.
GDPR applies to you regardless of where you live or do business. If your target audience includes anyone living in one of the 28 member countries, GDPR governs how you gather and use that person’s information.
This is particularly important for social media influencers. Unlike traditional paid advertising that forces you to pinpoint specific cities, states, countries, and regions to target with your ads, influencers find their tribes on platforms like Twitter, Instagram, and Snapchat by using global hashtags that are not location specific.
So, a quick analysis of your target audience may reveal a significant percentage of your followers are in EU member states, which means you need to know these regulations well, at least well enough to protect yourself and your followers.
Before we get into the hows and wherefores, let’s look at why.
Why Do We Need GDPR?
First of all, it’s time. GDPR is an update to, and extension of, the Data Protection Directive (Directive 9546/EC), an earlier generation of data privacy regulations that predates both social media and the seemingly all-knowing Google search engine by about ten years. Yes. It’s from the 1990s. So, these new regulations are long overdue.
Who here hasn’t browsed through their Facebook groups only to find they’d been added to multiple groups without their knowledge or permission? Or desire? Can’t forget desire. GDPR is designed to give EU citizens control of their personal data. And the timing of this implementation couldn’t be better.
Facebook and the data privacy scandal
At the beginning of this month, Facebook CEO Mark Zuckerberg answered a barrage of questions from seemingly tech-unsavvy lawmakers on Capitol Hill during the Senate Hearing on Facebook data privacy. In the wake of the alleged Russian interference during the 2016 presidential campaigns, and the revelation that an estimated 87 million Facebook users had their data unknowingly shared by Facebook with Cambridge Analytica, people are more interested than ever in data privacy and protection.
Installation of ad blockers is up 30% since last year
There were 615 million devices using ad block software in 2016, and the primary reason for downloading, surprisingly had nothing to do with removing annoying ads to save time and make life more convenient. It was security.
Data breaches abound
2017 was a vicious year for data privacy and security. Let’s see if I can highlight the most chilling instances:
We found out just last year that 3 billion Yahoo! accounts were hacked way back in 2013. That’s every single Yahoo! account that existed at the time.
We learned in 2017 that a year before, an Uber breach had compromised the information of 57 million of its users around the world. At least 600,000 driver license numbers were stolen, information on 7 million Uber drivers, and 50 million Uber riders. Uber actually paid the hackers to keep it quiet so the public wouldn’t find out.
The Equifax breach exposed sensitive personal information about 143 million Americans.
Heck, a few weeks ago, my own city was paralyzed when a ransomware attack disabled the City of Atlanta’s online services, Fulton County Courts, bill pay, direct deposits, Wi-Fi, and compromised the banking and personal data of city workers.
The thick and the thin of this whole thing is we all want to feel our personal data is secure, and that our private information will remain our private information. The EU is doing something about it.
Does GDPR Affect You?
I’m going to go out on a limb and say if you’re reading this article about influencer marketing, then yes, GDPR affects you. Not to worry. You can find out for sure because GDPR comes with two applicability tests.
If you collect and/or process digital data for the purpose of monitoring the online behaviors of people who happen to be within the EU, profile their past behaviors, identify their personal preferences, or analyze and predict their future behaviors online or offline, GDPR affects you.
This includes things like using cookies on your blog, installing Facebook pixels to retarget users with smart ads later, and even includes being able to identify device IDs to prevent one user account from receiving multiple logins from different devices. That sort of thing may be important if you’re selling a course and you want to ensure the person who paid for the course is the one person actually taking the course.
The Inner Workings of GDPR
So, let’s start with the basics. There are two parts to data protection and privacy, and with GDPR, both parts are crucial.
Are you a Data Controller or a Data Processor?
There are two types of data handlers specifically addressed in the regulations, a data controller and a data processor.
A data controller is the agency, influencer, or brand that controls the data being received. So, if you add a link to your Instagram bio that goes to a landing page where people can opt into your list in order to download your awesome new makeup tutorial, you would be considered the data controller. You are the person who is collecting personal data and determining how you will use it.
A data processor takes directions from the data controller on what to actually do with the data. So, if you’re a one-person-army, you may be processing your own data using an Excel spreadsheet.
Or you may have connected your opt-in form to a simple auto-responder tool like Mailchimp. In that case, Mailchimp is the data processor. Whoever hangs on to the data after you get it is the data processor.
Most marketing agencies will be data controllers. If they aren’t collecting names and emails themselves to grow their leads, they are certainly requesting personal information of their employees, contractors, and their clients. This is the sort of information that may live in the HR database, the AR database, and other administrative departments.
As a data processor, a marketing agency may be using the data they collect from their clients’ target audience to build marketing campaigns. In this case, the agency is acting as a third-party data processor for their client while still being a data controller for their own organization.
The definition of data (it includes more than you probably think)
GDPR is essentially a way for the EU to make sure influencers, brands, and marketers are engaging in ethical practices as it relates collecting the personal data of anyone in their target audience over the age of 13 (16 in some member countries) who might also be an EU citizen. Personal data includes things like:
Contact info: Name, email, address, phone
Sensitive info: Date of birth, driver license number, social security number / national insurance number
Sensitive identifiers: Religion, sexual orientation, biometrics, health, financial information, information about a user’s children and family members
Online identifiers: Cookies, tags, pixels, device ID, IP address, GPS location
Five Ways GDPR Protects a User’s Data Rights
The highlights of the General Data Protection Regulation includes a catalog of data privacy and protection rules and requirements. Well, this is where we’re going to talk about them, starting with your follower’s data rights.
#1 EU Subscribers and Followers Have the Right to be Forgotten by You
Data subjects have the right to be forgotten, meaning they can unsubscribe from your list and leave your group. They also have the right to request you remove any public or private indication they were every affiliated with your organization, including web pages, images, logos, and testimonials. You must do so without delay.
Users have the right to know what data you have on them, where it exists (both in your data management systems and on the web), and they can request that you delete their data from your systems and online properties altogether.
At the beginning of April while Mark Zuckerberg was being grilled by Senate, Google was losing a landmark “right to be forgotten” case in the UK, brought by a businessman who wanted Google to remove search results about his previous conviction.
The businessman remains unnamed (for obvious reasons), but the finer points of the case are that a decade ago, he served six months after being convicted of conspiring to intercept communications. His argument was that the conviction was no longer relevant to the public. And the courts agreed. Google had to remove any and all search engine results that had to do with his crime or conviction.
Now, don’t get excited. The right to be forgotten isn’t a reputation management tool. In fact, another businessman came with a similar claim and lost his case because the courts said he had committed a more serious crime for which he had not shown remorse, leading those who interpret the laws to believe he may still be a threat to the public.
According to NPR.org, since 2014 when the Court of Justice of the European Union first ordered Google and other search engines to allow individuals to request search engines delist questionable pages, Google has processed 650,000 “right to be forgotten” requests out of about 2.4 million of them. And some US lawmakers are pushing to have comparable rights available to Americans.
For each request, Google has this to say:
"Determining whether content is in the public interest is complex and may mean considering many diverse factors, including—but not limited to—whether the content relates to the requester's professional life, a past crime, political office, position in public life, or whether the content is self-authored content, consists of government documents, or is journalistic in nature."
Right to be forgotten requests are the data controller’s responsibility. So, you can’t really turn around and say, “Talk to Constant Contact about it.” For influencers, e-comm sites, brands and marketers, the onus falls on you to make sure delete requests are handled quickly and thoroughly. That means, you need a policy in place for how you will facilitate right-to-be-forgotten requests.
There may be times when you get a delete request that you cannot complete, either for tax reasons or legal reasons, or some other valid reason. Generally, employers are allowed to hang on to the personal information of a former employee, but there may be information you will need to purge from your system and other information you can keep. We’ll get to that later.
#2 Subscribers Have the Right to Move Their Data from Your Database to Another Database
Data portability is the right and ability of a subscriber or follower to see and move their digital data from your database. You may already be familiar with Facebook’s download function, which enables you to download information from more than 50 different data categories. Below is a screenshot of the initial download page from my personal Facebook account followed by a separate screenshot of the first dozen or so data categories that I would receive information on upon downloading.
GDPR provides that data controllers have a place where users can go to see all the information being stored about them. Facebook does this with the Activity Log. The downloadable file you get with Facebook is a zip file containing multiple media formats. So, the videos I uploaded to Facebook since creating my account are included in the zip folder as mp4s.
I will admit I initially thought my Facebook download would look like a tax transcript - just letters and numbers organized into columns. But that’s not the case. And for influencers and agencies, it really can’t be the case, as GDPR requires data controllers to make data both portable and easily reusable by data subjects.
Ease of use is why I am able to download, as mp4s, every random video format I’ve uploaded to Facebook from my desktop, laptop, tablet, or phone since 2008.
As you can see, GDPR compliance isn’t really something any of us can wing. This time the “let’s just wait and see” approach won’t work. Having the technical processes in place to facilitate these kinds of requests quickly requires planning.
#3 Subscribers and Followers Have the Right to Know of a Data Breach
Few things shake your faith in a company like finding out it knew millions of its loyal customers were compromised by a data breach, and failed to report it.
GDPR requires data controllers to report data breaches to the local authorities in each EU member country that has citizens affected by the breach within 72 hours of becoming aware of the breach (Article 33).
You must have a fail-proof process in place to detect breaches immediately
If you use a separate data processor, the company must be trusted, reliable, and secure enough to be able to prevent data breaches altogether, and in the rare instance one happens, be able to detect it as soon as it happens
Your data processor has to be able to detect the breach and inform you of the breach quickly. The wording used in Article 33 is “without undue delay.”
You need to have written Incident Response Plan in place for how your team (and your processor’s teams) will handle data breaches
You need to go back through your data processor service agreements to make sure they are GDPR compliant
You may need to get updated service agreements
Under GDPR, influencers, brands, marketers, agencies, and ecomm sites can no longer defer to the data processor to handle all data processing problems. In fact, even if the data breach is with your processor, you are still on the hook for that breach if it affects your EU-based subscribers. That means you are 100 percent responsible for what happens to the data you collect from your audience, followers and subscribers.
It’s best to have a contingency plan in place that clearly outlines how your team will handle a data breach so you can spend your 72 hours repairing the breach and reaching the appropriate authorities rather than trying to figure out what you need to do.
#4 You Need to Create Transparency and Uphold Integrity - It’s the Law
The old school definition of integrity is to do what you say you will do whether or not anyone else is around to hold you accountable for getting it done. GDPR now makes that a law.
GDPR makes sure data controllers do what they say they will do with the personal information of your subscribers, followers, and other data subjects, and the first step is to say what you are going to do with their data in a concise, customized Privacy Notice.
#5 Subscribers and Followers Have the Right to Have Their Data Protected
Whereas privacy is making sure no one sees their data, protection has to do with making sure no one grabs their data.
So, the obvious things go into making sure data is properly protected. You and your processor need to use top-of-the line security features to protect your database. It means making sure your SSL certificate is installed on your site, especially if you have contact forms, surveys, opt-ins, or a payment gateway. The industry standard right now is an SSL certificate with bank-level encryption, which is 128-bit or 256-bit encryption.
Here’s where things get a little more interesting: With GDPR, minimizing exposure to threats also means collecting less of their information, sharing less of their information, and purging unnecessary information from your database more frequently.
In theory, this means you must be able to justify needing someone’s last name if you’re having people opt in to get access to a free 5-day mini course. GDPR forces an answer to the perpetual question, “Why?”
Why would you need the last name of a person who has only agreed to watch a free, pre-recorded webinar on your site, and read a few 300-word emails?
Why would you need a phone number from your subscriber if you’re not conducting a strategy call, or something that would require you to be able to access the person by phone?
GDPR aims to trim back the fat in data collection and data hoarding, if you will. It outlines the six legal reasons you can collect someone’s personal information. For most influencers, marketers, and brands, data collection will fall under the “legitimate interest” basis, which is a rabbit hole in and of itself.
We’ll talk about that more in the next post.
The big takeaway here is protecting data is a significant part of GDPR, and sometimes the best way to protect someone’s personal information is not to have it in the first place.
For agencies with remote employees and contractors who are EU citizens, it is true that you will need to keep information related to someone’s work history, salary, job duties, and performance reviews on file for a while, but GDPR says there really would be no justifiable reason for an immediate supervisor to hang on to the early dismissal schedule from the elementary school attended by the son of a former employee, even though having that schedule on-hand was essential to planning during the person’s employ.
The Sky-High Penalties of Being Found Non-Compliant
The penalties for non-compliance are astronomical fines. There are two tiers of regulatory fines, and both are hefty. The first type of fine can be levied for a number of faults, and it can go as high as $12 million or 2% of your company’s annual gross revenue. The second tier of fines is double the first - $24 million in fines or 4% of your annual gross revenue.
Nothing pretty about that. It’s already being estimated that UK-based companies will shell out more than $5 billion in GDPR fines in the first three years of the law’s enactment. I pulled this paragraph from the RSA’s publication, “A Practical Guide to GDPR Compliance.” The link to this guide is at the bottom of this post. With regard to GDPR fines:
“There are major penalties for non-compliance with GDPR, and these are set in two tiers (Article 83). Administrative fines of up to €10 million or two percent of the total worldwide annual turnover (that's revenue, not profit) for the organization can be levied for various infringements, such as not enacting data protection by design and by default (Article 25), failing to keep adequate records of processing activities (Article 30), and not ensuring appropriate security of processing (Article 32), among many others. The failure of an audit of GDPR compliance, which will be a more common event than a violation of the GDPR itself, can also result in penalties. The higher tier of fines – which are up to €20 million or four percent of total worldwide annual turnover – is for more serious wrongdoing, such as not following the basic principles of collecting and processing data (Article 6), failing to acquire adequate consent from a data subject (Article 7), and not providing data subjects with their rights (Articles 12 to 22).”
Unsettlingly high fines aside, GDPR is a good thing. GDPR offers an unprecedented amount of protection to EU citizens that will make you work smarter as a marketer. Think of it as a trip back to pre-cookie marketing. It’s mad men and David Ogilvy sitting in smoke-filled offices coming up with iconic campaigns. It’s Sandi Krakowski and Gary Vaynerchuk trying to master a thing called CPC ads and email marketing back in the 1990s, back when you could buy the broadest of keywords for a nickel a click. It’s figuring out how to do more effective marketing with less information and get better results.
In the next post, we’re going to talk more about how to get those results, and stay within the framework of GDPR.
* * * *
Super-helpful resources to help you dissect this massive regulation:
GDRP Main Page - https://ec.europa.eu/info/law/law-topic/data-protection_en
A Practical Guide for GDPR Compliance (download) - https://www.rsa.com/content/dam/pdfs/7-2017/A-Practical-Guide-for-GDPR-Compliance-Osterman-Research.pdf
BetterCloud presentation on GDPR Compliance: Explain Like I’m Five with Data Privacy, presented by Jodi Daniels https://www.youtube.com/watch?v=nG9RJLhDTXc
ICO’s Guide to the General Data Protection Regulation https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Wait! We have a disclaimer!
On behalf of the fine folks here at TheShelf.com, it must be said that we are not lawyers. Please do not consider this post legal advice. If you are dealing with GDPR issues, or joining the rest of the digital world in the mad scramble to become GDPR compliant, you should seek appropriate legal counsel to assist you. Also, while GDPR has far-reaching impacts the world over, this particular post is geared toward our North American readers.
Get Started Today!
Or give us a quick call : (212) 655-9879