GDPR, Business and Social Media

GDPR, Business and Social Media

In today’s digital world, social media has become an essential part of our daily lives, with millions of people using various platforms to connect with friends, family, and businesses. Social media platforms have revolutionised how people engage with each other and how businesses connect with their customers. However, concerns about data privacy have emerged with the growing use of personal data for advertising purposes. General Data Protection Regulation (GDPR) was introduced in 2018, significantly impacting how businesses use social media for marketing and advertising. This blog post discusses the impact of the regulations on business and social media.

Myths about GDPR and PECR

There are several myths that small businesses may have about social media, GDPR, and PECR. Here are five of them:

  1. People are communicating on social media so that I can contact them.
  2. GDPR and PECR only apply to large businesses, not small ones.
  3. Obtaining explicit consent for data collection is too difficult and time-consuming.
  4. Compliance with GDPR and PECR will harm my business’s marketing efforts.
  5. GDPR and PECR are just another government bureaucracy that doesn’t benefit consumers.

In reality, these myths are not accurate. People may be on social media, but businesses must know regulations like GDPR and PECR to avoid hefty fines. These regulations apply to all businesses, regardless of size. Obtaining explicit consent may require a little effort to set it up, but ensuring compliance and building trust with customers is necessary. Compliance with GDPR and PECR can improve marketing efforts by building customer trust. Finally, GDPR and PECR protect individuals’ rights and information. It is their data. Just because they may give it to you or put something on social media does not mean you can use it.


While most people have heard of GDPR and data protection, PECR is its lesser-known cousin. GDPR has been established to guarantee transparency in businesses’ use of personal data. Hence, businesses must have a legitimate reason for processing personal data, gather only essential data, and use the data fairly and transparently. Such regulations considerably impact firms that depend on social media for their marketing and advertising activities. Companies must obtain explicit consent from individuals to use their data for marketing objectives. For this, businesses must be upfront about the data they are collecting, its intended use, and with whom it will be shared. This also means you can not collect data for one purpose and automatically transfer it to another without permission.

PECR stands for the Privacy and Electronic Communications Regulations. These regulations work with GDPR to protect individuals’ privacy rights regarding electronic communications. Essentially, PECR regulates how businesses can use electronic communications to market their products or services. This means that businesses must obtain consent before sending marketing emails or text messages to individuals. Small businesses must understand PECR, as non-compliance can result in significant fines. By following PECR regulations, small businesses can build trust with their customers and ensure they operate ethically and responsibly.

The Impact on Social Media Advertising

Implementing GDPR and PECR has changed how businesses use social media advertising. Social media platforms like Facebook, Instagram, and X rely on personal data to personalise advertising to specific audiences. This means that businesses must be transparent about how they use personal data for advertising and allow individuals to consent to targeted advertising AND have the opportunity to opt out at any time. Consequently, businesses are shifting towards more generalised advertising on social media platforms as they face challenges in targeting specific audiences.

PECR and GDPR protect individuals’ privacy rights concerning electronic communications and ensure transparency in businesses’ use of personal data. By following these regulations, businesses can build trust with their customers and operate ethically and responsibly. These laws emphasise the significance of data privacy and make businesses responsible for using personal data. In the future, businesses are expected to continue using social media for marketing and advertising but must comply with GDPR and be open about handling personal data.

When implementing explicit consent for GDPR and PECR, businesses must provide individuals with a clear option to explicitly consent to targeted advertising. During data collection, this can be done through a pop-up message or a checkbox. Businesses must also ensure that their privacy policy is current and clearly explains how personal data is collected, used, and shared. By implementing explicit consent, businesses can build customer trust and ensure compliance with GDPR and PECR regulations.

The Future of Business and Social Media

The implementation of GDPR and PECR laws has emphasised the significance of data privacy and has made businesses responsible for using personal data. As a result, there has been a move towards more honest and ethical business practices. In the future, it is expected that businesses will still use social media for marketing and advertising. Still, they must follow GDPR and be open about handling personal data. This will establish trust with consumers and prevent businesses from facing substantial penalties for non-compliance.


To sum up, implementing GDPR and PECR has dramatically affected how businesses utilise social media for marketing and advertising. Businesses must adhere to GDPR and be upfront about how they handle personal data. This helps to establish trust with customers and prevents businesses from facing severe penalties for non-compliance. Businesses must prioritise data privacy and ethical practices as our society becomes more data-focused. By doing so, businesses can build a positive reputation and ensure a long-lasting relationship with their customers.

We believe in supporting businesses to understand data protection and embed it into regular practice. To learn more, check out here, or why not book a free discovery call to see how we can support you?

Five Tips for GDPR

Five Tips for GDPR

If GDPR and compliance are a concern for you or your organisation, don’t worry. Taking all the different aspects in at once can (and probably has) caused everyone to feel a little overwhelmed at some point. But it doesn’t need to. Here are the five tips to know about and why they matter.


When it comes to GDPR, transparency is a fundamental principle. The reason why that’s the case is simple. It gives individuals as much control over their data as possible and facilitates their rights.

Control and rights are both fundamental underpinning principles of GDPR.

How does a company demonstrate transparency? The content of privacy notices is a good start. Good, compliant examples include

  • the contact details of the company;
  • if required, the Data Protection Officer,
  • the purpose and lawful bases for processing the data
  • and the categories of personal data you hold to name a few.

Mapping your data

Data mapping confuses some, but its principle is relatively easy. Mapping your data means establishing what information you hold and exactly how it flows through your company. This type of audit (also known as a mapping exercise) should be performed regularly by assigned individuals.

Doing so ensures it is maintained and amended as needed by a person or persons who are aware of their responsibilities.

Reporting breaches

Breaches can unfortunately happen, and on a long enough timescale, something similar to the list below probably will.

Data breaches can take many forms, such as:

  • Device loss or theft
  • Phishing scams
  • Hacking
  • Lost or stolen external USB drives

Breaches can also result from carelessness or lack of awareness, such as unattended computers and, especially recently, working from home on unauthorised personal devices and unprotected networks.

Reporting breaches of personal data have been mandatory since before the GDPR came into force. It just became more visible,, and the assessment for reporting changed. The Information Commissioner’s Office has a dedicated section for more information about breach reporting.

Knowing your subject’s rights

Data subjects have a wide range of rights relating to the data you hold about them, making it essential to know why you are processing the information you hold about them.

Data subjects have some or all of the following rights:

The right to be informed (Including why you are processing their data, how long you intend to retain it and who you might share it with.)

A right of access (Typically referred to as a Subject Access Request or SAR which must be dealt with in a timely way.)

The right to rectification (If the subject feels their data is incomplete or inaccurate.)

A right to erasure (Also known as the right to be forgotten, sometimes for legal reasons this may not always apply)

The right to restrict processing (In certain circumstances, an individual as the right to store their data but to stop you using it.)

A right to portability (The right to obtain their data and reuse it for another purpose or service.)

Being accountable

For both controllers and processors, demonstrating compliance and putting measures in place to meet the requirements for accountability will mitigate the risk of enforcement action. Still, it will also build trust in your business and its services and raise you above the competition.

For help and advice around transparency, avoiding breaches, mapping the data you use, subject’s rights and accountability, get in touch today; I’d love to offer you help and advice in the field I specialise in.

Try our quiz