Consent Preferences

Social media

Social media within an organization is imperative to both its growth, community focus and survival. Social media can be very advantageous to any organization to grow its reach and membership and it is a free modem for them to advertise their activities, the ethos of their organization, and the benefits of joining the organization.

Given the amount of information that can be shared across social media, some of which we have already covered in previous modules, it is imperative that social media and the posts and platforms that are being used on behalf of the organization are being monitored and operated by a dedicated member of the organization. It should be somebody’s specific role to be in charge of all of the social media accounts that are tied to an organization and all logins and passwords should be held securely within that organization.


As previously discussed, when somebody leaves an organization all access and passwords that they obtain must be rescinded and handed back to an organization. If that person has been in charge of social media, then it is imperative that all access and administration responsibilities are passed to the new person who’s role it is to maintain the social media and if needed passwords should be changed on a regular basis.


It is worth considering what categories of posts you will be publicizing through your social media and what kind of personal or sensitive data you may share. It is very rare for an organization to have a closed platform on social media because this goes against the opportunity to advertise their platform to new members. If you are operating a closed platform for members only, then it is important that the membership of this group is actively maintained and when somebody leaves an organization then they are taken out of any closed membership groups. This should be dealt differently than an open social media platform for example if you have an Instagram or a Facebook page that is open to the public and you have hundreds or thousands of followers it should be the responsibility of either one person or a group of people to be in charge of all areas of social media.

Data Sharing

Underneath GDPR social media is a platform where personal and sensitive data can be shared in the direct message platform function. Any direct messages that are sent to any social media platforms should be responded to and if they contain any personal data, for example phone numbers or e-mail addresses then once they have been actioned upon these messages should then be deleted. This should be the responsibility of one or a group of people to manage depending on the size of the group. You should be reviewing all platforms where your organization has a presence every couple of weeks to make sure that you are not storing data unnecessarily and also that you are replying back to any direct messages promptly and efficiently.

You should also be aware of the data that you are sharing within your social media platforms. As previously covered in other modules you should be mindful of what images you are sharing on social media. If you are sharing images of children do you have the full consent of their parents for their images to be shared and if you are tagging anybody, do you have consents to do this as well or are they covered under the Household exemption (see module 6)? If you are unsure about any element of consent, then you consider blurring the images of any children or be prepared to take down an image of another parent asks you to.

The Importance of being Transparent

Also when you are either opening or taking over control of any social media platform it is worth putting in rules and guidelines at the beginning so that everybody who is on that platform are aware of the standard procedures in relation to information and content of posts that they may be either involved in or participating in.

You should also make it common knowledge how somebody can withdraw consent for their images to be shared across social media and how they go about contacting the relevant person to delete any images that may be contained. It should also be standard practice that within any closed membership platforms all social media images should not be shared in an open platform without consent. Also, the organisation should clearly forbid any images to be saved or shared from any posts without consent unless they fall under the Household exclusion clause of ‘personal and household activity”.

The important bits

Social media is an open platform where data can then be shared worldwide and that means then that you do not have control over the images or the content that is being shared. If you are working underneath an umbrella of an organization for example a network organization or a sports body, then you must adhere by their social media practices. Once somebody leaves the role of social media officer within an organization their logins should be rescinded, and they should delete access to any accounts that they have administration access to, and this information should be passed to the new person who will be dealing with that social media account. Any information that has been gained through their role as social media officer must be deleted or passed on to the new person who is in charge of that position and should not be retained, stored, downloaded or shared without consent of all involved.

How you operate your social media accounts can have a very real bearing as to how you operate your organization. If you are seen to be acting compliantly on your social media platforms then this would be a positive indication that you understand the importance of data that is being shared with your organisation. Make sure that everybody involved in all areas of social media management is aware of the policies and procedures that exist within your organization in relation to posting and sharing content amongst the platform. If there is ever a data breach or a question over data being shared without consent it is not a defence to say that you have not been trained in your role. You will be held responsible for any content that is shared incorrectly regardless of your level of knowledge or expertise in that area, so if you are unsure of any elements of the role that you are playing you must let the chairperson or president in charge of that organization know your concerns.

As they rule of thumb under GDPR I would recommend only storing the minimum amount of information that you are required to store in order to perform the agreement that the person has committed to join that organization. Once that person has left that organization then you should delete all information that is related to them unless there are grounds for any legal issues or if there are any accounting reasons for you to keep their information.

If in doubt about any information you are storing in relation to any of the members always raise this as an issue with the chairperson or the person in charge of that organization. I would suggest put it in writing via e-mail to make sure that you are covering yourself in case there are any issues that may come in in relation to data being shared stored or retained unlawfully.

Consent is always King and Queen in relation to storing of data- always remember if it was your data and you have decided to leave an organization would you want them still to be processing and storing and commenting about your information when you are no longer part of an organization?