Is prospecting through LinkedIn a breach of GDPR?

Cyber Resilience 13th August 2020

Navigating data privacy in professional networking

LinkedIn has become an indispensable tool for businesses, facilitating networking, lead generation, and brand awareness. However, the use of LinkedIn for prospecting raises important questions about compliance with data privacy regulations. Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, businesses have had to adapt their processes to ensure they respect individual privacy rights.

The UK’s independent authority for upholding information rights, the Information Commissioner’s Office (ICO), has demonstrated its commitment to enforcement by issuing substantial fines to organisations that fail to comply. This makes it more important than ever to carry out your activities in a compliant way. This article will help you understand how to navigate GDPR in relation to LinkedIn prospecting.

What is GDPR?

The General Data Protection Regulation (GDPR) is the legal framework that governs the collection and processing of personal data relating to individuals (known as data subjects) in the EU. Since the UK left the EU, the same rules apply in the UK as the UK GDPR, which sits alongside the Data Protection Act 2018. Its primary purpose is to give individuals control over their personal data. For UK businesses, compliance is not just a legal obligation; it is also about building trust and demonstrating respect for individuals’ privacy. It applies to any organisation that processes the personal data of people in the UK, regardless of where the organisation is based, where that organisation offers them goods or services or monitors their behaviour.

PECR, the Privacy and Electronic Communications (EC Directive) Regulations 2003, sits alongside the GDPR and specifically governs electronic marketing, such as unsolicited marketing by email, text message and telephone. The ICO enforces both, so a LinkedIn prospecting campaign has to satisfy both the GDPR rules on processing personal data and the PECR rules on sending marketing messages.

One area in which the ICO regularly takes enforcement action is direct marketing, and with more and more organisations using LinkedIn for marketing and awareness campaigns, it is imperative to be aware of these regulations and to conduct your business activities in a compliant way.

Is prospecting through LinkedIn in breach of GDPR?

This is a question many professionals grapple with as they navigate the complexities of digital networking. The short answer is that prospecting on LinkedIn is not unlawful in itself; whether it breaches the GDPR depends on how you obtain contacts’ personal data, what you do with it and whether you can show a lawful basis for doing so. To provide clarity, here are some key points to consider:

  • Business-to-business marketing is NOT exempt from the GDPR; it is a myth that it only applies to B2C (business-to-consumer). A named individual at a company is still a data subject, so whether you trade with businesses or consumers you must comply. PECR does distinguish between corporate subscribers and individual subscribers (which include sole traders and many partnerships): its consent requirement for marketing emails and texts protects individual subscribers, but the GDPR applies to the personal data of business contacts either way.
  • A business contact’s name, work email address and mobile phone number are all personal data under the GDPR, even though they relate to the person’s job. Any use of your LinkedIn contacts’ data must therefore comply with it.
  • The legislation comes into play as soon as you add a business card’s details to files, computer systems or databases. This includes exporting your connections from LinkedIn, or copying their details by hand into a spreadsheet or CRM. Your organisation’s policies and procedures should cover this so that individual users’ exports do not undermine the organisation’s overall compliance. All personal data, including B2B contact details, must be adequately protected against loss and unauthorised access.

You must have a lawful basis for processing personal data; the GDPR (Article 6) provides six:

1. Consent

The individual has given clear permission for you to process their personal data for a specific purpose.

2. Legitimate interest

Processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

3. Contract

Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

4. Legal obligation

Processing is necessary for you to comply with the law (not including contractual obligations).

5. Vital interest

Processing is necessary to protect someone’s life.

6. Public task

Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

  • The bases that most commonly apply to marketing are consent and legitimate interests. Whichever you rely on, individuals have an absolute right to object to direct marketing, so you must offer a clear and easy opt-out at all times and honour it promptly.
  • Processing covers everything the organisation does with the data, including receipt, collection, storage, amendment, disclosure and destruction.
  • You can rely on legitimate interests for marketing activities if you can show that your use of people’s data is proportionate, has a minimal privacy impact, and that people would not be surprised by, or likely to object to, what you are doing.
  • Legitimate interests must be documented in a Legitimate Interest Assessment (LIA). The ICO describes this as a three-part test: identify the purpose, show that the processing is necessary to achieve it, and balance it against the individual’s interests, rights and freedoms.

LinkedIn and GDPR: What you CAN do

Messaging existing contacts

You can send messages to your existing LinkedIn connections to discuss potential business opportunities.

However, it’s crucial to:

  • Ensure the message is genuinely relevant and personalised to the recipient’s interests and professional role.
  • Document any Legitimate Interest Assessments (LIAs) if relying on that legal basis for processing the data.
  • Provide a clear and easy opt-out mechanism within the message.
  • Be mindful that even with existing contacts, aggressive or overly frequent messaging can be perceived as spam and damage your professional reputation, and that continuing to message someone after they have objected is a breach of the GDPR.

Sending connection requests

You can send connection requests to individuals you don’t already know, expressing a genuine interest in connecting for professional reasons.

However, you should:

  • Accompany the request with a personalised message explaining the reason for connecting.
  • Avoid sending generic, mass connection requests.
  • Refrain from using connection requests as a pretext for immediate, unsolicited marketing. The emphasis should be on building a genuine professional relationship.

LinkedIn and GDPR: What you CANNOT do

Data scraping for marketing purposes

You cannot use LinkedIn’s search functions, browser extensions or other tools to extract the email addresses, phone numbers or other contact details of individuals you do not know and use that information for unsolicited marketing campaigns. LinkedIn’s own User Agreement also prohibits scraping and the use of automated tools to collect data from the platform.

Scraping contact details and using them for unsolicited marketing is a clear violation of both the GDPR and PECR: there is no lawful basis for the processing, the individuals have not been given the privacy information the GDPR requires when their data is collected from a third party, and the messages themselves are unsolicited electronic marketing.

The ICO is increasingly taking action against these practices, and the penalties can be severe.

The cost of non-compliance

Ignoring GDPR and PECR can have serious consequences. The ICO has demonstrated a willingness to issue substantial fines for violations, particularly concerning illegal direct marketing.

In 2023, the ICO issued £1.62 million in penalties specifically for illegal direct marketing under PECR. This continued in 2024, with reports indicating more than £2.59 million in fines against companies responsible for nuisance calls, texts and emails during part of the year.

Last year, the fines issued under PECR for marketing breaches exceeded the total fines for UK GDPR breaches, which suggests a growing emphasis on regulating electronic marketing communications.

For example, in January 2024 the ICO fined HelloFresh £140,000 for sending 79 million spam emails and 1 million spam texts. Its opt-in wording was misleading, was bundled with an age confirmation and did not disclose that customers’ data would be used for marketing for up to 24 months after they cancelled. The case highlights the importance of clarity in all marketing and online networking communications.

With this in mind, LinkedIn can be a powerful tool for professional networking and business development, but it’s essential to use it responsibly and in a GDPR and PECR-compliant manner. By understanding the current regulations and adhering to best practices, you can leverage LinkedIn effectively while respecting individual privacy rights, building trust, and avoiding costly penalties.
