Social Media in the Workplace, a GDPR Headache?
Social media has grown exponentially in the last few years from Facebook, LinkedIn and Twitter to platforms such as Instagram, TikTok and BeReal. We are using social media and in reflection, organisations are adapting their business strategies to mirror these trends. However, it is important to recognise where there are increasingly clear risks involved when using social media, both in terms of for work related purposes as well as personal use of social media in the workplace.
An example of an overlooked risk is when the UK Parliament started using TikTok. TikTok is a platform with 1 billion monthly active users and therefore, a huge platform. However, TikTok is owned by Bytedance, a Chinese company. As a result of UK Parliament using TikTok, they were essentially giving the Chinese company and by extension the Chinese government access to information associated with the day to day activity in UK Parliament. Consequently, the account was quickly deactivated and the content deleted.
The lesson to learn here is that when organisations are using social media platforms, they need to be aware of who they are potentially sharing information with, as well as the type of information being shared. Considering this in more detail, highly regulated sectors such as law, accounting, pharmaceuticals, banking and financial services all deal with vast amounts of personal data, some of which is very sensitive personal data. Therefore, if you are a professional in one of these sectors or a similarly highly regulated field and are posting regularly on social media platforms, be aware of who may be viewing the information shared.
This principle is reflected in ‘newer’ platform BeReal. BeReal essentially works by sending out a notification to all users at the same time, encouraging them to take a picture of what they are doing at that moment exact moment, pressuring a user to respond in the 2 minute time frame. Seems harmless enough, right? … The reality is, that if you are taking a picture at work, you may well be midway through sending an email to a client. Which may include personal information such as the client’s email address, phone number and any other additional personal information.
Applying the principle of sharing photos from a different perspective, Digital Law recently had our office photos updated. Consequently, this meant staging our office accordingly, so that no client data such as names or documents were on display. This is because these pictures would be on the website which can be accessed by anyone. The same principle here applies in that when you are posting on social media, you should consider what is visible in the pictures and any information being shared. Can any confidential, personal or business critical information be seen in the background? Could the spine of a file, address on a letter or contents of a document be seen? Bear in mind that the high resolution on smartphone cameras often means that details become visible should a user zoom in on an image.
These examples highlight why an organisation should have a strong social media policy to ensure all employees are clear on how they should be using social media in the workplace, both for the company as well as for personal use. This is because GDPR can inadvertently be breached and therefore, employees should be clear on the dos and don’ts within your workplace. Similarly, any such policies should be followed up with additional training as well as an assessment, in order to check employee knowledge.
Should you want any advice in relation to creating an adequate social media policy please contact us at firstname.lastname@example.org.