The Countdown is on: GDPR & Employee Advocacy


Lauren Durfy

The General Data Protection Regulation (GDPR) will be enforced starting May 25, 2018, and with fines up to €20 million or 4% of total revenue, organizations are taking notice. This regulation is designed to provide more protection for EU citizens’ personal information: how it’s collected, used, and stored.

For reference, personal data refers to “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”

Non-EU companies will also be held accountable to GDPR if they currently possess or plan to collect any data from an EU resident or if their organization markets to anyone within the EU.

With continuing stories of data breaches and misuse, this regulation is a relief to many consumers who felt their privacy was being invaded. While this is great news for individuals’ privacy within the EU, it will also have a tremendous impact on marketing and sales departments throughout the globe.

What are the basics of these regulations?

  • Before using any personal data (emails, name, etc.), permission must be obtained from the individual
  • This permission must be a voluntary opt-in (i.e. no pre-selected boxes on forms)
  • Companies must inform users how long and for what reasons they are collecting data (terms of service and cookies) and whether any third parties will have access
  • User data cannot later be transferred to a third party
  • Profiling (retargeting) of collected data without opt-in consent will no longer be allowed
  • Companies must mention how consent can be withdrawn
  • These statements must be unambiguous and written in plain language (i.e. not full of legalese)
  • An organization will now have 72 hours to report any loss of data or breach

What Does that Mean for Marketers?

Most privacy policies, as well as terms of service, will need to be updated to comply with GDPR. The language will need to be simplified (removal of legal jargon) and cover what data is being collected as well as all of the intended use cases.

For example, if you will use cookies for a Facebook remarketing pixel:

  • You will need to update your privacy policy to reflect this
  • Let website visitors know immediately upon landing on your site
  • Obtain opt-in consent to use their information in this manner

Importing third-party data and exporting social media contacts to update info on another social media platform, CRM or Marketing Automation Platform will now be illegal, as will using “black magic” tools to find a contact’s email. Remarketing campaigns will also be limited so as not to interfere with the new profiling regulations.

Email and Search Engine Marketing (SEM) are no doubt taking a hit — social media will as well, but to a lesser extent. While this seems like a setback, GDPR does provide some opportunities for savvy marketers.

GDPR & Social Media

Because social media platforms require users to read and agree to their terms of service, users have opted in, meaning the data they’ve provided to that platform is data they’ve voluntarily opted in to share. The only caveat is that this data is platform-specific; marketers cannot take data from, let’s say, LinkedIn to use for Facebook retargeting.

GDPR will not affect one-to-one communication and sharing on social. If an employee wants to directly engage with another user to promote a company message, they can freely do so.

GDPR & Employee Advocacy

It is not breaking news that organic reach on social has seen a massive decline. Many marketers pivoted and began to create more ads and boosted posts in response; unfortunately, GDPR regulations might affect these strategies. Savvy marketers will once again pivot strategies and employee advocacy is one way to remain completely compliant — as mentioned above, one-to-one communication is permitted.

Employee advocacy leverages the reach and network of your employees to connect with relevant audiences on social. While GDPR removes an organization’s ability to communicate with a prospect unless they opt-in, employees connecting with their network as part of an employee advocacy program will not be held to those restrictions.

Next Steps for Marketers

The most important next step for marketers is to review and update privacy policies, terms & conditions, and opt-in forms. All of these materials need to reflect the ways in which you will be collecting and using this data. All marketing campaigns (SEM, social media, email, etc.) should be reviewed to ensure they are compliant.

Once the foundations of your marketing campaigns are GDPR compliant, it will then be time to experiment with other forms of compliant marketing like employee advocacy. Adopting an employee advocacy program provides a way for organizations to still reach and engage with target audiences. Leveraging this ability and empowering employees to be brand advocates and share company content with their social network allows brands to continue generating new leads and creating new GDPR-approved marketing touchpoints.

To learn more about Employee Advocacy & PostBeyond, request a demo today!

