If you haven’t heard of the GDPR (General Data Protection Regulation), quite frankly I envy you. Never has there been an IT security topic so heavily covered by those who wish to show they are literate and can rewrite what they have read. Astronomical fines, forbidden non-consensual communication and mighty data subjects wielding new-found rights have all been covered repeatedly and tirelessly.
But where is the practical advice? There are swathes of information about what it is, and not so much about how to do it, particularly in complex scenarios such as the use of social media. In fact, a search for the terms “GDPR” and “LinkedIn” returns only GDPR articles published on the LinkedIn platform, nothing about its application to the platform itself.
Regulating LinkedIn
LinkedIn, much to Microsoft’s glee, is undoubtedly the world’s number one business-orientated social media platform. With a reported member count just shy of 500 million, the platform has become a fundamental source of business connection, communication and information. To see this, one only has to observe the march toward extinction of the business card and CV (resume) in favour of a LinkedIn profile.
So, what will become of our beloved networking tool?
Applicability
As a service which collects personal information from data subjects located in the EU/EEA and profiles them for the purpose of targeted advertising, LinkedIn is certainly within the scope of the GDPR as defined in Articles 2 and 3. However, whether your own activities on the platform are in scope will depend on the exemptions to Article 2, namely personal use. If your use of LinkedIn is purely for personal activities and you do not offer a service or solution, irrespective of payment, your use of LinkedIn is not subject to the articles of the GDPR.
Accountability
The DPD (Data Protection Directive) of 1995 and its replacement, the GDPR of 2016, both categorise organisations using two terms: data controller and data processor. These are defined in Article 4 of the GDPR.
In the case of LinkedIn, it collects and determines which items of personal data are required to build a profile on its platform, making it a data controller. As a member of LinkedIn, your activities constitute a data processor role, with your use of the platform strictly controlled by the data controller through features and restrictions such as a restricted view of, and restricted communication with, non-contacts (we will come back to this in more detail). This is all laid out in a carefully written privacy policy which every member has to agree to before signing up to the LinkedIn service.
LinkedIn Messenger and Connection Requests
On a business social media platform built for networking, making unsolicited connection requests or using the LinkedIn messenger client to communicate with already connected members cannot be considered prohibited.
Not only is accepting a connection request a valid form of consent that allows the requester access to the features of the platform; both activities can also be considered legitimate business interests on the basis of reasonable expectation (Article 6(1)(f)). In essence, by being a member of a business networking social media platform, there is a reasonable expectation that people will wish to connect and network with you, or in other words, use the platform for its advertised purpose.
If they do not wish to receive your communication or connection, they have the ability to disconnect or deny the request.
Where this becomes a little more complex is when you can directly mail second-degree contacts or, if you are a paying member of LinkedIn, directly mail anyone. Again, it can be argued that this is covered by the reasonable expectation of legitimate business interests; however, it would be a good idea to take a look at the PECR (Privacy and Electronic Communication Regulation) or the incoming European E-Privacy Directive for further requirements outside the scope of this blog post.
Other Contact Details
Depending on profile settings, some members display external contact details, such as an email address or phone number, on their profile pages; these are only visible after a connection request has been approved. Despite what some may say about these items being fair game because they have been made public, using these contact details for unsolicited business purposes constitutes a data export and thus makes you the data controller.
Where contact information is harvested from LinkedIn, the data controller will need to show the legal basis for processing it, with reference to Article 6.
Data Subject Rights
With regard to specific data subject rights or powers, there is little for a member to be concerned with. These are handled by LinkedIn as the data controller. A data subject can retract permission for processing at any time by disconnecting from another member, and can request or carry out their own rectification should it be required. LinkedIn already has a feature for exporting profile content, enabling the right to portability, and presumably, although I have not personally witnessed it, there is an ability to be forgotten too.
Adaptation to Survive
Ultimately, the use of LinkedIn as a business enabler will neither change nor cease. The GDPR makes plenty of allowances and exceptions for businesses to continue to operate in a sensible and ethical way. For all the accusations of being bad for business or interfering with new business generation, it only seeks to reduce the abuse of personal data and hand the power back to its owner, the data subject.
As with anything in life, it’s a case of adaptation to survive.