
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


How will GDPR affect how we use LinkedIn?

Topics: Data Loss Prevention, Regulation, GDPR, European Union, General Data Protection Regulation

Posted: 01 November 2017

LinkedIn Data Subject Rights After GDPR Implementation

If you haven’t heard of the GDPR (General Data Protection Regulation), quite frankly I am in envy of you. Never has there been an IT security topic so heavily covered by those who wish to show they are literate and can rewrite what they have read. Astronomical fines, forbidden non-consensual communication and mighty data subjects wielding newfound rights have all been covered repeatedly and tirelessly.

But where is the practical advice? There are swathes of information about what it is, and not so much about how to do it, particularly in complex scenarios such as the use of social media. In fact, a search for the terms “GDPR” and “LinkedIn” returns only GDPR articles published on the LinkedIn platform, nothing about its application.


Regulating LinkedIn

LinkedIn, much to Microsoft’s glee, is undoubtedly the world’s number one business-orientated social media platform. With a reported member count just shy of 500 million, the platform has become a fundamental source of business connection, communication and information. To support this, one just has to observe the march toward extinction of the business card and CV (resume) in favour of a LinkedIn profile.

So, what will become of our beloved networking tool?


As a service which collects personal information from data subjects located in the EU/EEA and profiles them for the purpose of targeted advertising, LinkedIn is certainly within scope of the GDPR as defined in Articles 2 and 3. However, whether your activities on the platform are in scope will depend on some exemptions to Article 2, namely personal use. If your use of LinkedIn is purely for personal activities and you do not offer a service or solution, irrespective of payment, your use of LinkedIn is not subject to the articles of the GDPR.


The DPD (Data Protection Directive) 1995 and its replacement, the GDPR 2016, both categorise organisations using two terms: data controller and data processor. These terms are defined in Article 4 of the GDPR.

In the case of LinkedIn, it collects and determines which items of personal data are required to build a profile on its platform, making it a data controller. As a member of LinkedIn, your activities constitute a data processor role, with your use of the platform strictly controlled by the data controller using features and restrictions such as a restricted view of and communication with non-contacts (we will come back to this in more detail). This is all laid out in a carefully written privacy policy which every member has to agree to, before signing up to the LinkedIn service.

LinkedIn Messenger and Connection Requests

As LinkedIn is a business social media platform for the purpose of networking, making unsolicited connection requests and using the LinkedIn messenger client to communicate with already connected members cannot be considered prohibited.

Not only is accepting a connection request a valid form of consent to allow the requestee access to the features of the platform, but both activities can be considered legitimate business interests on the basis of reasonable expectation (Article 6(1)(f)). In essence, by being a member of a business networking social media platform, there is a reasonable expectation that people will wish to connect and network with you, or in other words, use the platform for its advertised purpose.

If they do not wish to receive your communication or connection, they have the ability to disconnect or deny.

Where this becomes a little more complex is when you can directly mail second-degree contacts or, if you are a paying member of LinkedIn, directly mail anyone. Again, it can be argued that this is covered by reasonable expectation of legitimate business interests; however, it would be a good idea to take a look at the PECR (Privacy and Electronic Communication Regulation) or the incoming European E-Privacy Directive for further requirements outside of the scope of this blog post.

Other Contact Details

Depending on profile settings, some members display external contact details, such as an email address or phone number, on their profile pages, which are only visible after a connection request has been approved. Despite what some may say about these items being fair game due to them being made public, the unsolicited use of these contact details for the purpose of business constitutes a data export and thus makes you the data controller.

Where contact information is harvested from LinkedIn, a data controller will need to show the legal basis for processing, in reference to Article 6.


Data Subject Rights

With regard to specific data subject rights or powers, as a member there is little to be concerned with. These are handled by LinkedIn as the data controller. A data subject can retract permission for processing at any time by disconnecting from another member and can request or enact their own rectification should it be required. LinkedIn already has a feature for exporting profile content, enabling the right of portability, and presumably, although not personally witnessed, there exists an ability to be forgotten too.

Adaptation to Survive

Ultimately, the usage of LinkedIn as a business enabler will neither change nor cease. The GDPR makes plenty of allowances and exceptions for businesses to continue to operate in a sensible and ethical way. For all the accusations of being bad for business or interfering with new business generation activities, it only seeks to reduce the abuse of personal data and hand the power back to the owner, the data subject.

As with anything in life, it’s a case of adaptation to survive.

Posted by: Infinigate UK