LinkedIn and GDPR – a ‘hot topic’ for all Business Development and Marketing Teams
The specialist Governance, Risk Management and Compliance Team (GRC) at Net Defence has been very busy with GDPR Gap Analysis work since the legislation came into force. Findings report LinkedIn is a real ‘Hot Topic’ when it comes to the use of it for prospecting.
Is using LinkedIn for prospecting or selling in breach of GDPR?
The GRC Team at Net Defence has put us right – here are some key points to help keep you and your team compliant with GDPR when it comes to the use of LinkedIn:
- Business to Business marketing is NOT exempt from GDPR – it’s a myth that it only applies to B2C (Business to consumer). If you trade with or engage with either, you must comply with GDPR.
- A business contacts name, email address and mobile phone number are all considered personal data under GDPR. Therefore using your LinkedIn contacts data must be done so in accordance with GDPR.
- The legislation comes in to play if you add a business card and its details to files, computer systems or databases. This will include downloading a copy of your personal contacts from LinkedIn.
It is important that your organisations’ policies include this to ensure that individuals do not increase your organisations’ risk of breach by not understanding that downloaded copies of LinkedIn contacts to an organisations’ computer automatically instigates a requirement to comply with GDPR.
- You must have a lawful basis for processing personal data, there are 6 available;
- Legitimate Interest
- Legal Obligation
- Vital Interest
- Public Task
- The most common reason that applies to marketing is ‘consent’ or ‘legitimate interest’. You need to assess each part of the three-part test, and document the outcome so that you can demonstrate that legitimate interests applies. We refer to this as a ‘legitimate interests assessment’ or LIA.
- You must have an opt out process at all times.
- Processing will include everything that the entity does with the data including receipt, collection, storing, amending, disclosure and destruction.
- You can rely on legitimate interests for marketing activities if you can show the way in which you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object to what you are doing.
Therefore when it comes to LinkedIn and compliance with GDPR you;
COULD – send an existing contact a message to seek agreement to email, call or meet about a topic including potential of their interest in goods or services for them or their organisation.
COULD – send a request to connect to someone you do not know expressing interest that you would welcome the opportunity to connect with them to explore potential interest in your goods or services.
COULD NOT – Use search finds of unknown contacts from LinkedIn to extract their email address or telephone number to issue company marketing.
‘Consent ‘and ‘legitimate interest’ are the 2 most common for B2B marketing activities.
In excess of £1.7 million fines in 2018 between May –and July were made by the ICO related to marketing activities.
Stay compliant and ensure that your processes and staff training are robust to reduce the risk of your organisation falling foul of GDPR. You can request a GDPR Gap Analysis if you are unsure.
DIRECTORS – Recent developments regarding Directors responsibilities for their organisations breaches also continue as reported here https://www.whitecase.com/publications/alert/uk-ico-recommends-personal-liability-directors-breaches-data-protection-law
For those curious about recent fine here are some more examples:
- Nuisance calls fines – https://ico.org.uk/action-weve-taken/nuisance-calls-and-messages/
- Lead generation firm responsible for over 46 million automated nuisance calls, has been fined £350,000 by the ICO – https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/02/record-fine-for-company-behind-staggering-46-million-nuisance-calls