Can you just DM us your shoe size and BMI for #dataprotection

By Daragh O Brien
June 17, 2015
19 min read

Last time I wrote here about the data protection compliance issues arising from the use of Twitter DMs as a direct marketing channel and why that is simply a very bad idea unless you have a strategy to obtain prior consent. In this post I will look at another bugbear of mine from a Data Protection compliance point of view:

The use of Twitter DMs as an inbound customer service channel where customers are asked to provide personal data for customer service queries.

I’ve seen this from both sides of the fence, as a customer and in the course of audits we have performed on clients and DPC audits we have assisted clients with. Bluntly, it is a disaster waiting to happen, as it is more often than not incompletely thought through, with only the “are we engaging with the customer” needs considered in the design of processes and governance. And that’s in large companies with budget to spend on expensive consultants (more expensive than the team at Castlebridge Associates).

This raises a number of key data protection compliance issues around:

  • Retention of Data
  • Risk of unauthorised access to data
  • Risk of cross border data transfer through the use of outsource support agencies or tools in 3rd countries

Other issues arise in terms of compliance with other Regulatory obligations. For example, Irish telecommunications operators are required to retain records of communications relating to customer service issues for at least 12 months from the date of communication and be able to readily retrieve them. The use of DMs for inbound customer service creates challenges to this.

Retention of Data

How long do you hold DMs for? Why? Do you have a process for deleting them? Do you have a process for preserving them if you need to (for legal discovery, in anticipation of litigation etc.)? How do you filter the DMs that relate to customer service issues from general DMs?

A clear Data Retention policy is required for DMs, particularly those that contain personal data. Failure to have one could constitute an offence under the Data Protection Acts. Of course, you could adopt the position of deleting all DMs once the issue is resolved with the customer. But that may give rise to breaches of other Regulatory provisions, particularly if you are required to keep a record of certain types of customer communication.

As part of your Data Retention strategy for DMs you might want to consider how and where you would archive them. Tools like SocialSafe may present one option for archiving data from Twitter or other social media sites, but again, you still need to be clear why you are retaining any personal data in your archives…

Risk of Unauthorised Access/Disclosure

Twitter accounts get hacked or compromised every day. If you are asking customers for personal data in a DM channel, congratulations… your Twitter account hack constitutes a breach of personal and potentially sensitive personal data about your customers. Do you know how many are affected? (Probably not, the bad guys have locked you out.) Can you contact them to let them know? (Probably not, the bad guys have locked you out.) Do you know what kinds of data have been provided? (In general yes, but it’s free text…)

And, for the period of time a hacker has control of your Twitter account, the very tools you use to do backups and archiving of your tweets and DMs are available to them to do a dump of your tweets for off-line browsing later. So, does your Data Security Breach action plan include treating a Twitter account breach as something more than a cosmetic brand-image-impacting event? Given that a compromised account will expose ALL the personal data that has been shared with you via DMs (names, addresses, account numbers, phone numbers, dates of birth, “data protection validation questions”, answers to “secret code word” questions etc.), does it feel smart now?

And that is just the spectacular external threat. The use of shared social media accounts which can see the same Twitter stream and DM stream creates the possibility that internal actors could mine for data. It is a constant and pernicious threat in call centre environments. Do your internal controls and protocols for social media engagement address this risk?

And let’s not forget how easy it is for messages intended to be DMs to be broadcast to the masses. Even Twitter’s CFO has fallen foul of that…

Cross-border data transfer

Many strategies for social media engagement that are in use, particularly in larger businesses, make use of 3rd party agencies to provide the platform and provide outsourced human resources to manage and respond to comments in real-time. The use of tools that are not based in the EU/EEA and the use of outsourced partners brings with it the inevitable risk of cross border data transfer in the course of running your social media processes. While Twitter might now be trying to be more Irish than the Irish themselves, many of the tools, services, and service providers in the wider social media engagement ecosystem are not (SocialSafe mentioned above is based in the UK). When using Twitter DMs to obtain personal data from customers in a customer service context, it is important that you have appropriate systems and controls in place to ensure that that data is being processed in compliance with the Data Protection Acts throughout its life cycle. Organisations need to consider:

  • Contractual clauses with Data Processors
  • Implications of Safe Harbor or no Safe Harbor in the supplier agreement
  • Potential customer feedback if they learned data was being transferred overseas.

Alternative Approaches

One approach to mitigating and managing these risks is to have a process whereby the customer interaction is taken out of DMs as quickly as possible, ideally before any detailed personal data is shared. By segregating the data in this way you improve security… a hack of your Twitter account won’t reveal your customer’s shoe size and first childhood pet. You can also move the conversation into an appropriate forum and a more appropriate toolset (e.g. a proper helpdesk tool or an outbound customer service call). You can also ensure that the record of the customer service interaction is recorded in the correct way to meet other Regulatory obligations and to conform with your data retention policies. Streamlining the flow into a single channel can also reduce the number of “cloud” locations where critical personal data about customers is being held, simplifying your Information Asset Register for ISO27001 compliance and other regulatory standards.
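As an added example (not from the original post), a small Python triage of an exported DM archive that puts the retention questions and the escalation approach above into practice: name which categories of personal data are present in the free text, decide per message whether to delete it, retain it as a customer-service record or preserve it under a legal hold, and mark live cases that should move off the DM channel. The patterns, keywords, handles and the 365-day period are illustrative assumptions, not anything from the post.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative patterns for the personal-data categories the post lists, and
# hypothetical keywords that mark a DM as a customer-service contact.
PII_PATTERNS = {
    "phone": re.compile(r"\b0\d{2}[ -]\d{3}[ -]\d{4}\b"),
    "date_of_birth": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "account_number": re.compile(r"\baccount\D{0,10}\d{6,}\b", re.I),
    "security_answer": re.compile(r"\b(?:first pet|maiden name|code ?word)\b", re.I),
}
SERVICE_KEYWORDS = ("bill", "refund", "complaint", "outage", "account")

@dataclass
class DM:
    sender: str
    sent: date
    text: str

def pii_categories(text):
    """Sorted names of the personal-data categories found, without the values."""
    return sorted(k for k, p in PII_PATTERNS.items() if p.search(text))

def triage(archive, today, retention_days=365, legal_hold=()):
    """Per DM: preserve under legal hold, retain as a service record, or delete."""
    rows = []
    for dm in archive:
        service = any(w in dm.text.lower() for w in SERVICE_KEYWORDS)
        expired = dm.sent + timedelta(days=retention_days) <= today
        if dm.sender in legal_hold:
            action = "preserve"   # discovery / litigation overrides the clock
        elif service and not expired:
            action = "retain"     # service record still inside the retention period
        else:
            action = "delete"     # period has run out, or never a service record
        pii = pii_categories(dm.text)
        rows.append({"sender": dm.sender, "action": action, "pii": pii,
                     "escalate": action == "retain" and bool(pii)})  # live case with PII: move off-channel
    return rows

SAMPLE = [  # constructed sample archive; handles and values are made up
    DM("@unhappypunter365", date(2015, 5, 2), "My bill is wrong, account 00123456, ring me on 087 123 4567"),
    DM("@oldcase", date(2014, 1, 10), "Refund still not received, DOB 12/03/1980"),
    DM("@fanclub", date(2015, 6, 1), "Love the new ad!"),
    DM("@litigant", date(2013, 9, 9), "Formal complaint, my first pet was Rex"),
]

def demo(today=date(2015, 6, 17)):
    return triage(SAMPLE, today, legal_hold={"@litigant"})
```

Running `demo()` flags the live billing case for escalation, schedules the expired refund query for deletion, drops the fan mail, and holds the complaint regardless of age.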

Think through the life cycle of information and how it can and will be used. How will your call centre know that the customer has been DMing frantically about the issue? How will your marketing teams know to exclude @unhappypunter365 from the next email marketing blast because they have a serious billing issue that is being dealt with?

But asking me for my phone number and shoe size in a DM… that’s a little too personal.
