Topic image

ICUC and the GDPR

The European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.  These laws have been designed to improve the protection of EU citizens’ personal data. The laws applies to all EU based businesses, and also to non-EU businesses that collect and process data of EU citizens.

What is “Personal Data”?

“Personal data” is defined within the GDPR as any information relating to an person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

This can include IP address, cookies along with obvious things like names and email addresses that will now be regarded as personal data if they are capable of being linked back to the individual.

There is no distinction between personal data about individuals in their private, public or work roles – the person is the person.

Data is considered “personal” if the data owners are re-identifiable no matter what the data are about. Re-identifiability depends on who can access the data and what they may know about the data owners from any external source (e.g. social media). People share a lot of personal data about themselves willingly or unwillingly which makes linking their real identity to their “pseudonymous” data easy. In addition, AI technologies are increasingly able to find relationships between seemingly unrelated pieces of data like facial photos and sexual orientation. Some data which may appear to be non-personal and/or insensitive today may turn out to be personal and or/sensitive tomorrow.

What does ICUC do with that data?

At ICUC, our entire organization is hard at work ensuring that our own practices are GDPR-compliant. We would also like to help you, our partners and customers, understand what the GDPR means for the social media data ICUC gathers on your behalf.

ICUC’s SocialPatrol platform gathers posts from multiple social media sites including Facebook, Twitter, Instagram, Pinterest and others. Those posts contain a user name (real or otherwise) as well as the post itself and any other information provided voluntarily in the post. SocialPatrol will see geotags when users voluntarily tag their posts. (less than 3% on Twitter) SocialPatrol does not access IP addresses, email addresses or other user profile data.

User data is stored based on the ICUC client location. For example, if the client is US based, data is stored in the US. If the client is EU based, data is stored in the EU.

ICUC may analyze that information and send it back to our client if the form of raw data reports or with analysis. In addition, the data can be used in an anonymized fashion, that is, stripped of all personal identification for such things as sentiment analysis or general locations. Selling lists for mailing or promotional purposes is not allowed under the GDPR. Your organization should determine what you can do with this data under the GDPR.

ICUC’s SocialPatrol platform retains downloaded data no longer than 6 months from the date of download, or 12 months from the date of publication. Raw data associated with a deactivated stream/account is purged 3 months after deactivation.

All the data that ICUC gathers for our clients belongs to the client. What you do with it is your decision. Please ensure that your organization is following the GDPR and other data protection policies.