The recent Court of Justice of the European Union ruling that the administrator of a fan page (aka a Facebook company page) on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page has caused a bit of a stir amongst marketers and data protection specialists.

Marketers are worried about Data Protection Officers (DPOs) restricting their activity on social media. DPOs are concerned about what this means in terms of GDPR and PECR compliance and, given recent events, they might be a little twitchy about sharing responsibility with Facebook for anything to do with personal data privacy.

However, by focusing on regulation compliance, organisations are missing the massive security hole that some companies expose themselves and their customers to by their use of social media in general and Facebook company pages in particular.

How Companies use Facebook

There is no doubt that Facebook is a phenomenon of our time. Just look at the numbers.

Facebook’s Q1 2018 results show 2.2 billion monthly active users and 1.45 billion daily active users.

Facebook is big in Europe – 377 million monthly active users and 282 million daily active users.

Chances are you have a Facebook account and your company probably does, too.

Some companies simply create a Facebook page with some basic company information, links to their main website and leave it sitting there.

However, many companies see their Facebook company page as a key channel for marketing to and interacting with their customers and prospects.

By building Facebook followers (or ‘fans’), organisations can build brand awareness and communicate with a target audience that is more likely to purchase their products and services.

Beyond this, many companies use their Facebook page as a recruiting tool – showing how fantastic their company is to work for and featuring their staff and company events like charity fundraisers, award ceremonies, etc.

An increasingly popular use for Facebook company pages is to provide a customer service and support function.

This often happens by accident – a disgruntled customer, perhaps unable to contact the company through the normal channels, takes to Facebook (or Twitter) to express their dissatisfaction with the service they have received.

Companies soon realised that as well as being a way to connect with their ‘fans’, Facebook was a pretty good way for customers to voice their complaints (marketers call this ‘engagement’ and ‘interaction’).

Some companies embraced this customer service role through Facebook and more than a few even use it as their primary channel for customer support.

Whatever way a company decides to use its Facebook presence, you can guarantee there will be lots of personal data involved.

Even to create a company page, you have to be a Facebook user. Want more than one person to work on the company page? They have to have a Facebook account as well.

Asking people to follow your page, ‘like’ or share your posts and articles? You are then exposing their personal data on your public Facebook company page – and who knows what’s happening with that data at Facebook behind the scenes?

Posting staff pictures and/or video from the latest company event – perhaps a charity cycle ride, run or dragon boat race?

Whatever the event, it will inevitably involve publishing personal data of employees – who are also data subjects and have rights under GDPR.

Using a Facebook Page for Customer Service and Support

Using a Facebook company page for customer support might seem like a good idea and it does give organisations with better than average customer service departments an opportunity to show how much better they might be than their competitors.

However, from a data protection point of view (and often from a purely commercial perspective), using social media for customer support can be the proverbial can of worms.

Take a look at the recent trials and tribulations of TSB. An IT migration that didn’t go as smoothly as planned resulted in customers having problems accessing accounts and conducting their normal banking business online, over the telephone and in branches.

With the TSB telephone support system overwhelmed with callers, many customers took to social media with their questions, complaints and on occasion downright abuse.

A quick browse through the comments on TSB’s Facebook page will give you an idea of the number of posts, likes and shares over TSB’s problems in the aftermath of their data migration issues.

Whenever there is a problem – especially with a financial institution – the fraudsters are on alert. Remember that social media is a key channel for criminals, too.

Everyone who posts, likes and shares on a bank’s Facebook page is likely going into the sales funnel of criminals – and they will be targeted in various ways to try to extort some money by one technique or another.

Of course, users bear some responsibility as well. If you post your problems logging on to your bank account in a public forum, don’t be surprised if you get a phone call or an email from the bank’s ‘fraud department’ asking you some security questions and confirming your account details!

Criminals have access to the same tools and techniques as recruiters, debt collectors and top sales people – all experts at finding contact details from your online footprint or with a couple of phone calls.

Criminals also have the unfair advantage of not having to bother with GDPR, DPA, PECR or any other data privacy legislation which is supposed to protect you.

A Facebook company page with an active ‘community’ is a great way to get a list of customers – both satisfied and dissatisfied. With large organisations – especially when there has been a well-publicised problem – there could be many thousands of ‘leads’ available for fraudsters (and competitors).

Should you even have a Company Facebook Page?

For many businesses – especially small local businesses – Facebook company pages (and Facebook ad campaigns) can be a great tool for getting your name out there and finding new customers.

If you are a brand like Coca-Cola, Starbucks or Oreos, Facebook can be a great platform for brand awareness, product launches, competitions and promotions that might engage ‘fans’ of your brand.

All pretty harmless – and by revealing you are a consumer of a particular brand of beverage or biscuit, you aren’t giving away information that might be used by scammers.

However, banks and other financial organisations whose customers are likely to be the target of fraudsters might want to think long and hard about how they use their company pages – or whether they have one at all.

Some businesses seem to forget that social media is a public forum.

You wouldn’t get far if you phoned up one of the big banks and asked for a list of customers, but they all seem to be happy to present them to you on their social media pages and their Facebook company page in particular.

However, knowing that criminals use social media to target their victims might put DPOs in an interesting position when it comes to compliance with the General Data Protection Regulation and other privacy laws.

If you allow or even encourage customers to post on your Facebook company page, you are exposing personal data that is held on your customers’ Facebook account through your company page. If the company is jointly responsible, you won’t be able to rely on Facebook’s privacy policy or terms and conditions if things go wrong.

We doubt there is a bank that doesn’t include some statement in their privacy policy about data privacy and security being a primary concern, and we all know that they have lots of people working in fraud prevention and detection.

So what kind of a risk assessment results in a bank deciding to use a Facebook company page as a customer support channel? Or even having a Facebook page that allows posts from users?

Interesting times for consumers, Facebook and Data Protection Officers!

Need help or advice on security, data privacy and GDPR compliance? Use the form on the right to arrange a no-obligation call to see if we can help.
