Social media tools, particularly Twitter and blogs, present a fantastic opportunity for organisations to promote their services. Before diving into the social media pool, organisations should be aware of the risks associated with social media and address them.
Informational risk associated with social media depends on whether the social media tool an organisation employs is an open or closed system. With an open system, all of an organisation’s employees can, for example, post blog entries or tweet and visitors to the blog can post comments on the blog, without moderation. All postings on a closed system are moderated before posting.
Open systems present greater informational risks. The first is the possibility for disclosure of trade secrets or client or supplier confidential information. Agreements with suppliers and clients will often contain non-disclosure provisions, which may not allow for disclosure of information belonging to the client or supplier’s business, or the organisation’s association or involvement with the said client or supplier.
Linked to this is data security. The Data Protection Act 1998 (“DPA”) requires an organisation to take certain data security measures to protect personal data against specified risks, such as unauthorised disclosure of personal data. Including trade secrets or client or supplier confidential information (to the extent that they constitute personal data) in a blog post or tweet without the requisite authority or consent would breach this DPA requirement.
Third parties may also interact with an organisation’s blog through registering to receive updates or making comments on blog posts.
With regard to registering, an organisation operating a blog would need to comply with the fair processing notice obligations contained within the DPA, which include providing registering visitors with certain information as to how their personal data was collected during the registration process and how it will be used by the organisation.
Allowing visitors to make comments on blog posts without having moderation procedures in place is also problematic, both when the comments made are negative and positive in relation to the organisation. Negative comments made by a visitor will have a significant impact upon the organisation’s image and public perception. Positive comments pose a particular risk where they constitute an endorsement of the organisation by individuals or another organisation with whom the organisation operating the blog would prefer not to be associated.
A final informational risk is data accuracy. It is important that blog posts represent the organisation’s current thinking, policy and branding. If older blog posts are available online, they may give rise to confusion, which may not be favourably perceived by visitors. A regular audit should be carried out to ensure there is consistency throughout the blog.
The decision on whether to use an open or closed social media system should be an easy one to make, provided the risks are managed appropriately. The first risk management step to take is to implement a social media policy. The policy should educate employees on the sensitivities and risks associated with disclosure of trade secrets and client / supplier-related information in blog posts and tweets. It should also contain the general rules of online etiquette in relation to the image that posts or tweets should portray. The policy may also extend to how employees engage with their personal social media, such as Facebook and YouTube, outside their working lives, particularly when making comments about their employer.
On the visitors’ side, the fair processing notice, discussed above, must be incorporated into the blog registration process. The terms and conditions regulating the use of an organisation’s website should be updated to include appropriate provisions around the content of, and the form which, comments posted must take.
For further information please contact Daradjeet Jagpal.