If you work for a global company, chances are that Privacy Shield is on your radar - and if it's not, it should be.
Privacy Shield is a set of frameworks put in place by the U.S. Department of Commerce, European Commission and Swiss Administration to help companies securely transfer personal data between the U.S. and the EU. Participating companies must take "reasonable and appropriate measures" to protect personal data from "loss, misuse and unauthorized access, disclosure, alteration and destruction".
For social media managers, now is a good time to review your processes and procedures for preventing unauthorized access to data, disclosing when you're storing data, and handling and destroying that data once it's no longer needed.
Unauthorized Access
First things first, if you're not using a third-party tool to manage your social media account access, change that immediately. No one should use their personal social media account to conduct company business; if they ever get hacked, your company accounts are at risk, too.
Make sure that you regularly review what user permissions each employee has within your management tool. If an employee is only conducting social listening, limit their permissions so that they can see only the social listening dashboards and cannot publish content. It's also a good idea to keep written documentation of each user's role and responsibilities within the tool. This helps prevent unauthorized access to data and also lowers your chance of having inappropriate content (accidental or otherwise) published to your accounts.
If your tool doesn't automatically prompt users to change their passwords, reach out to them every 90 days and ask them to do so. This is a good opportunity to confirm that each user still needs access (and to remove those who may not).
Disclosure
Disclosure is also a chief concern - and not just the disclosure language or privacy policy on your website or landing page that lets visitors know how and when you collect and store their personal data (which you should absolutely have, by the way).
If you have an employee advocacy program, educate your employees that they need to disclose their employment relationship with you when posting on social media about the company. The FTC recently fined celebrities and bloggers for not doing this, and your employees fall into the same category. This is especially important if your employees are posting links to gated assets that require providing (and storing) personal information in exchange for a free download.
Transfer and Destruction
If you're using social media to resolve customer support issues, and personal data is exchanged so that the conversation can continue offline, make sure that you're securely transferring that data to the party that needs to follow up.
Ideally, your customer support contact has a login to your social relationship management tool so that these situations can all be resolved and archived in one main location. If not, make sure you're using a secure transfer method, such as e-mail encryption or a password-protected file.
Additionally, only store that customer data until the issue is resolved. Once you no longer have a need to contact that individual, you should delete their contact information from your social media tools and accounts to prevent accidental exposure or misuse.
Even if your company doesn't conduct business in the European Union, it's still a good idea to have guidelines in place for the proper handling of sensitive customer data via social media. Better to be safe than sorry, right?