Follow me not
Social media is a wonderful thing. By searching social media, like Twitter and Facebook, companies have been able to identify their customers and follow them. They collect and analyse the data from Facebook posts, likes, tweets and Instagram pictures to gain an in-depth understanding of their customers and build a closer relationship with them.
Indeed, many technology companies have developed software assets to gather this social media data and present the analysis to clients. Tools like SAP Hybris Social Engagement Cloud allow you to monitor sentiment and trends, and respond to tweets and Facebook posts in real time.
Packages like Hybris also plug into a company's CRM system and combine the customer's social media data with their CRM data. They capture the complete history of social interactions, the customers' public profiles and the influence the customers' messages carry.
It is these more, shall we say, Orwellian functions that will become difficult to justify and utilise under the new General Data Protection Regulation (GDPR).
Under the new GDPR, processing has to be lawful. That is to say, one of the six lawful reasons for processing must be applicable, otherwise processing may not take place. Review Article Six of the GDPR and you’ll see that really there are only two possible reasons which a company might use to process social media data: a) the data subject has given their informed consent, or f) processing is necessary for the purpose of a legitimate interest pursued by the controller (the company).
In addition to the processing being lawful, the data subject must be informed, whether at the time of collection (Article Thirteen) or prior to processing (Article Fourteen), what their data will be used for. And that data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article Five).
Under the current Data Protection Regulations, companies have adopted the stance that because the data is ‘public’ (it's on Facebook, Twitter, etc.), it's fair game and they can collect and analyse it.
Under the GDPR that changes.
Just because the data is on Facebook or Twitter does not mean that you can collect and analyse it. You need a reason to process that data (Article Five), and your reason needs to satisfy the obligation of Article Six of the GDPR: that your processing is lawful and covered by one of the six lawful reasons.
Take those two most probable reasons, consent and legitimate interest. The informed consent of the data subject will be damn near impossible to obtain. Imagine the response of a customer (data subject) when asked by a company if they can collect their social media data, Facebook profile, posts, social network graph, tweets and Instagram pictures for the purposes of sentiment analysis, marketing and customer research.
Legitimate interest will also be very difficult to use to justify collection of social media data. The GDPR includes the caveat, “[…] except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data […].” Harvesting and analysing social media is invasive. Now many people may say that because the data has been published, it's fair game: in publishing the item on social media, the data subject has relinquished their right to privacy. And this is where the caveat applies: except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Data protection law has its origins in Article 8 of the European Convention on Human Rights, the right to a private and family life. Any company that thinks that its legitimate interests outweigh its customers' right to a private and family life is fooling itself.
Any company that thinks that it can justify the enrichment of its CRM database on the basis of legitimate interest is fooling itself. Just because it's been posted to a social media platform does not mean that you have an automatic right to use it.
The GDPR presents a number of challenges for companies, and the majority of professionals are aware of them. However, the GDPR also presents challenges for software companies, who need to re-engineer assets so that they function in a manner consistent with the requirements of the GDPR. This is no easy task, but it is one that customers are looking to them to undertake. Indeed, faced with the prospect of being unable to utilise functionality which has been purchased at high cost, the pressure is on to quickly re-engineer functionality and sustain insight and value in a compliant manner.
Cross-posted to my LinkedIn blog.