Are employees breaching GDPR on social media?
BeReal is an app that sees users take a picture of whatever they are doing at the time they receive the notification, but if that picture is taken during work hours, there is a high risk of personal data being released and presents a dilemma for employers.
The app was released in 2020 and is quickly growing in popularity. The idea behind it is to be more “real” compared to other social media platforms. As part of this, users receive a notification at any time of the day where they can take a picture of whatever there are doing, be that at home watching the TV, on holiday or at work.
The General Data Protection Regulation (GDPR) deals with data protection, privacy and transference of personal data outside the EU. The regulation builds upon section 55 of the Data Protection Act (1998) by adding the offence of knowingly or recklessly retaining personal data without the consent of the data controller (e.g. employer).
The problem with the BeReal notification coming through during the working day is that people are taking pictures of their screens or their workplace, meaning that all of their friends can zoom in and see that information. There are many posts online of people saying how much they enjoy looking at their friends’ emails, so it is a huge cause of concern. Simply taking a picture of your work emails places you in breach of data protection laws as it is leaking a person’s information and making them identifiable.
Not only this, but most company handbooks and policies will contain clauses surrounding social media use and confidentiality, stating that any personal data cannot be shared and could lead to disciplinaries or dismissal.
Whilst BeReal is the most recent app to raise concerns regarding GDPR, it should not be considered to be the “worst” one. Remote working, which grew in popularity during the lockdowns, saw many people take to platforms such as TikTok and Instagram to produce content surrounding working from home. Often in these posts there were screens visible that could also have revealed confidential information.
What should employers do?
Some GDPR breaches are unintentional (e.g. sending an email to the wrong address) and some are intentional (e.g. sharing data with a competitor). In the instance of social media, it does not strictly fall into either one of these categories, but it is likely to be considered as neglect. Neglect covers an employee using their own personal devices for work data and although sharing these BeReal snaps may not be an intentional breach, the employee should reasonably know the risks.
As it is not possible to monitor everything employees are posting, consistent and regular training should be provided to help limit the issue. It is important that employees understand GDPR and how what they believe to be a harmless photo shared with friends, is part of a much wider problem. Although a lot of employers may consider it obvious to not post this content, training is essential to act as a reminder. This is especially important as BeReal gives users a very short window to take the picture so users may not have the time to think about what is in it.
Furthermore, the newer generations of workers have grown up with social media being a huge part of their lives so it will be very normal for them to share a lot online and not all of it is bad. There are many professional influencers who share content surrounding their work life in a safe way and it is education that will enable other people to do the same.
It is also worth checking your social media and confidentiality clauses in your handbooks/contracts so that in the case an employee does breach this, you are protected and able to act quickly.
If you need any help with understanding GDPR or help ensuring that your policies cover social media effectively, please contact: [email protected]
Article contributor, Louise Tindall