Social Media Policy Overview
The policy is often thought of like the silver bullet when it comes to social media risk management. While this is a simplistic view, the policy is still a very important control that can help you manage social media risk, encourage appropriate behaviors and enable you to achieve your social media and business goals.
This has led many to ignore the policies altogether. So, you may wish to title the document ‘Social media guidelines’ or even a ‘Social media playbook’ to avoid having your employees think it’s just another one of those boring documents which they need to accept and which they don’t bother reading.
There’s nothing that requires you to name the document a policy; likewise, there aren’t any requirements that dictate what your policy should contain. For consistency, I’m going to refer to the document as policy throughout the rest of this blog.
I’m often asked if I can provide a generic, or template social media policy, which an organization can simply adopt without change. Unfortunately, it’s not quite that simple and this misses the point of the document.
The policy should be aligned to your own business goals and the goals of your social media programme, taking into account any applicable laws or regulations in force in your country or industry.
The policy should describe your own operating model and the rules and procedures that you have implemented to support your goals. Taking a generic social media policy from the internet or copying an existing one from another organization will not address the points that matter to you. It won’t encourage the right behaviors or align with your own culture and may just confuse your employees.
Having overly formal language around the rules of how employees engage in a predominantly informal platform such as social media is likely to confuse employees and encourage behaviors that don’t match your goals.
Consider which of the following two pieces of text is easiest to understand and delivers the point best:
1. Breaches, or suspected breaches, of any confidential information, as defined in information security policy section four paragraph two should be reported immediately to your line manager and failure to do so may lead to disciplinary action against you, including dismissal or, in some cases, criminal proceedings.
2. Share with care: some things need to be protected and you should never post confidential information on social media. If you are unsure if something is confidential or not, read the information security policy for more guidance [include a link so employees can easily access the policy].
It can be tempting to use overly formal language in policy documents but if you can say something in fewer words while keeping the same meaning, you should do so. Avoiding legal-sounding language and long sentences will make it far easier for your employees to understand the rules.
Remember, the existence of a long policy with intricate and precise details won’t protect your company. Instead, how your employees interpret and abide by the rules in the policy will protect your company.
You obviously want people to read and understand your social media policy, so you should try to keep it short and succinct. As soon as a user sees that a document is pages and pages long, they might just skip reading it altogether.
Keep your policy to only a few pages and instead of including detailed information within the policy itself, refer to, and include links to, other company policies.
Your social media policy should link well with other policies such as your code of conduct, IT security policies and other HR policies.
For example, in your policy, you might ask your employees to act in a professional manner when they use social media. This point might benefit from a link to your code of conduct, where the reader can find out more about what it means to act in a professional manner.
Creating an effective social media policy
Structure of the policy
Your policy should not be a long document that gives detailed guidance on every possible social media scenario which you can think of.
If you compare the social media policies from different organizations you’ll notice that the language, structure, and rules are different in each and there is no standard format accepted by all. That said, in my view the key sections to include are:
Introduction. This section should define the audience and set the scene for the content within the rest of the policy. Bear in mind that you may have people within your organization who are totally new to social media, so including definitions of key terms will help their understanding.
Include the objective of your social media programme early on so that your employees know the purpose of their engagement in social media.
Paragraphs of text, each with their own heading, which set out what you expect of the employees when they use social media, are a good way of setting out and breaking up the main content of your policy. Pictures are also a good way to bring your content to life; for example, including screenshots of ideal social media profiles or good and bad social media posts.
Do’s and don’ts. Including a list of do’s and don’ts, usually, side by side will help to emphasize any key points you feel deserve particular attention.
Frequently asked questions (FAQs). A list of frequently asked questions will allow your employees to quickly skim through the policy to find the answers to any, particularly common problems.
Top and tail of the policy
Policy documents change over time, particularly those that refer to social media. Because of this, it’s best practice to include a change history at the start of all policy documents.
The policy should be dated and include details about who is responsible for maintaining the policy as well as details of who approved it and when it came into force.
The change in history should show a table that includes high-level details and comments when changes were made when those changes were made and who approved them.
Regardless of how long you spend writing your policy, there will always be some people who have specific questions about what they can or cannot do on social media. Because of this, you should include contact details at the bottom of the policy to allow your employees to seek further guidance should they need it.
The writing style and content
Is your policy written in a way that is easy to follow and which does not include overly legal-sounding words and phrases?
References to other policies
Have you included references (and ideally links) within your social media policy to your other policies, such as your IT security policy or HR policies?
Frequently asked questions
Have you included a list of frequently asked questions?
Have you included practical examples of where social media has been used well and badly?
Have you pointed out the reasons that something is considered a good use of social media vs a bad use of social media?
Format and accessibility
Is your social media policy easy to find, and is it in a format which is easily accessible?
Change history and further queries
Have you included a change history, details about who is responsible for the policy, and whom to contact if someone needs extra guidance?
Location and format of your policies
You should consider how your employees will read or find out about your social media policy, where they will be when they are reading it and what they will be using to read it. Having a hard copy of policy somewhere in the office, pinned to a notice board is unlikely to be an effective place for it.
Consider making your social media policy as accessible as possible by making it available in a number of different formats, such as a PDF, a web page, or even a video to really bring the content to life. You could also use posters to make sure that it’s easy to engage with.
If you have an enterprise social network, I strongly advise that you ensure that your policy can be accessed easily regardless of which page a user is looking at. You could do this by including a link to it in the footer at the bottom of every page.
Most enterprise social networks can be configured to force users to read and accept your social media policy the first time they log into the network. It’s also possible to force existing users to reconfirm that they have read the policy. Therefore, if you make some significant changes to your policy, it’s worth making them reconfirm their agreement with the policy when they next log in.
However, being clear about what you are doing with users’ data will also make your organization more transparent and trustworthy.
The issue of data privacy has become a hotly debated topic. In 2013, Edward Snowden, an IT consultant, leaked classified information from the US National Security Agency (NSA).
The documents he leaked suggested that both the NSA and the UK’s General Communications Headquarters (GCHQ) had developed a global surveillance programme. This led to a great number of stories in the media and helped to further fuel the public debate about privacy.
Also, in 2013 the EU’s Court of Justice made a landmark ruling against Google Spain, which was brought by Mario Costeja González. Mr. González had demanded that Google remove links from its search results relating to his past social security debts, which had since been cleared.
The ruling has come to be commonly known as the ‘right to be forgotten’ and demonstrates how important the issue of data privacy has become. Both public and private sector organizations are going to come under more and more pressure to be transparent about the data that they are collecting and what they are doing with it.
Privacy policies are one of the things that organizations can use to explain how they use user data and in turn be more transparent about their activities.
This transparency will allow you to build trust with your user and this knowledge will give the user the choice to use your system or not. However, don’t get worried that it will deter users because a well-written policy will give confidence that you are handling their data appropriately and with their consent.
For example, it’s very common for website operators to use tools to track how a user got to their website. You might have noticed this type of thing yourself when the adverts you see on websites mysteriously show products that you have recently been researching.
Training and awareness
Many organizations require their employees to complete some form of training on an annual basis. This could be because of a requirement from a regulator for compliance purposes or because the organization has identified a particular risk area and needs to ensure their employees are trained accordingly.
Because of how quickly social media develops, I believe social media should be included in the mandatory annual training.
This is an excellent way of ensuring that your employees know about any major changes to your policies and procedures, and also gives you an opportunity to rearticulate the objectives of your social media programme.
If the annual training process is well managed, you’ll also be able to track who has, and who hasn’t received training so that you can catch any teams that might have slipped through the net.
An effective and popular way of rolling out training is through the use of eLearning. ELearn is electronic self-service courses that employees can access and complete at a time convenient to them.
Good eLearning usually incorporate text, exercises, pictures, diagrams, and videos. Some people find visual aids more engaging while others are happier reading text and answering questions.
By getting a good mix of content into the eLearn you’ll be more likely to engage all of your employees.
There are, however, two downsides to eLearn. First, it requires your employees to complete the training on a computer, something that might not necessarily be an easy task for all of your staff. Second, the cost of developing an eLearn can be quite high.
While you will need to justify the time taken to deliver training, the cost of using advocates may be significantly less than developing an eLearn.
Of course, this will depend on the size of your organization and the resource that you have at your disposal. Your advocate group should be trained up so that they can deliver your social media training updates and push the key messages out among their peers and teams.
Your social media training should familiarize your employees with your social media policy and provide practical examples of how they can use social media while remaining compliant with your policy.
You should highlight examples of good and bad practice, preferably from your industry sector. Quizzes and discussions are also effective; for example, you might include some examples of tweets and ask them to debate which tweet will have the best effect.
US Airways tweets pornographic image to the customer
In April 2014, US Airways made quite a spectacular mistake on Twitter. In response to a tweet from a passenger who was complaining about a delayed flight, US Airways tweeted back ‘We welcome feedback, Elle. If your travel is complete, you can detail it here for review and follow-up…’
They then included a link which was supposed to go to a form where the user could submit a complaint. Fairly harmless, you would think. However, the link that they included was actually an explicit photo of a naked woman with a toy plane somewhere… that you probably wouldn’t expect it…
It shouldn’t come as a surprise that the tweet was retweeted many times before it was deleted about an hour later and was reported in media channels across the world. US Airways then tweeted an apology for the inappropriate image and said that they were investigating.
The image had apparently been tweeted to the US Airways Twitter account earlier and the person responsible for the account had accidentally included it in the tweet. US Airways said that they would not fire the person who sent the tweet as it was an honest mistake; however, it was reviewing its processes to stop this sort of thing happening again.
When commencing a social media programme, an important part of the project is an awareness campaign. The purpose of the campaign is to tell your employees about your social media programme, to raise awareness about what you expect of them and to familiarize them with the policy.
I recommend that you include some of the following ideas in your campaign in order to drive awareness:
Posters. Put them everywhere you can! Eye-catching, colorful posters with bold headings can be a great way of getting your employees’ attention. Include key messages and perhaps even a question for them to consider.
A drop-in session is an opportunity for people to ‘drop in’ to get one-to-one help on any particular social media issue they might have. They’re like training sessions, but are usually less formal and might take place over lunch.
I’ve personally found that offering free doughnuts at these sessions is a very effective way of enticing people to attend! The sessions could easily be run by your advocates, which would be a good way for them to raise their profiles and won’t require much time from your core team.
Internal communications. Most organizations have company-wide internal communications which include key information or news. Write a selection of texts, each with catchy titles, about the launch of your social media programme or your updated policy and feed these into the company-wide internal communications each week.
Be on the look-out for real success stories from around your organization which you can showcase.
Webcasts are becoming commonplace. A webcast is a presentation that takes place virtually and means that people from across your organization, regardless of where they are physically situated, can join the webcast and participate in the presentation.
Advocates. Contact your advocate community and make sure that they are all aware of the changes to your policy. Reinvigorate them and encourage them to push out the key messages to their own teams.
The awareness campaign is important because, without it, you run the risk of your social media policy being just another one of those documents people cast their eyes over once or twice as part of their annual training.
The ideas above can have a big impact, but I recommend you and your team explore other creative ways to push out your key messages in the most effective way for your organization.
Finally, we looked at techniques for driving awareness about your policies throughout your organization, such as communications campaigns and training.
Strategy, we also looked at how advocates can encourage positive behaviors. This is something that is particularly relevant when thinking about how to push out the key messages from your social media policy.
Unfortunately, no matter how much work goes into managing the risks of social media, at some point in time an incident is likely to occur.
In this blog section, we’re going to look at how regulation impacts social media. Regulation differs around the world, and the laws and regulations that are applicable to your organization will depend on the country, or countries, in which you operate, as well as your industry.
As such, rather than include a long list of regulations that impact social media worldwide I’m going to highlight the key themes that these laws and regulations aim to control.
In doing so, you’ll get a broader view of what to look out for in the countries in which you operate and understand what practical steps you can take to manage social media risk and achieve compliance with these laws and regulations.
Ultimately, you will be responsible for researching, understanding and applying any particular regulations that might impact your social media programme. However, this blog will equip you with the knowledge of the types of regulation that might impact your programme and provide ideas as to how you might fulfill any regulatory obligations.
The social media regulatory mix
Regulations that impact social media are more developed in some countries than others. In the majority of cases, however, laws and regulations have not had a chance to catch up with social media.
This makes it difficult to understand how a particular regulation might apply in social media or how you might remain compliant with regulation through your use of social media.
Most regulators have chosen not to change their rules, but to publish guidance about how social media can be used within the existing constraints of the rules.
I often hear regulation cited as a reason why an organization is not fully embracing social media, however, I believe that it’s possible to use social media and experience its benefits while remaining compliant.
Regulations that impact social media can be split into three main categories. These categories overlap with each other because of the way that social media has grown organically and because it impacts so many people.
Communication and advertising
Organizations need to comply with laws and regulations when communicating with their customers. The key points covered in this section are:
financial promotions; and
Many countries have laws that govern how a company can advertise its products and services. The purpose of these laws is to protect the buyer by ensuring that companies don’t mislead consumers by making false claims about their products.
Clearly, social media is a great place to advertise products and services; however, there are new constraints and challenges that organizations face.
A simplistic example is that a company can post an advertisement on a bus stop, which complies with advertising, standards, and hope that passers-by notice it.
However, on social media, a company can do more because it can interact with its customers directly and can encourage other social media users to make recommendations about its products. For example, a company might give a celebrity-free product in return for a positive social media post.
This sort of behavior gets a bit
murky and is where some companies have got into trouble. The celebrity’s followers might see their tweet and think that they genuinely do like the product they are recommending, when in fact they are recommending it only because they have been paid to do so.
This can mislead the customer and is why regulations exist to help make consumers aware of this activity and not be unfairly influenced into buying a product or service.
The same is true for other types of endorsements, such as retweets. In response to this, it is becoming common practice to include the hashtag #ad or #spon (sponsored) within advertising endorsements to highlight to social media users that the post is sponsored.
Financial products are contracts that stipulate the movement of money between two parties. Banks, credit card companies and insurers all offer financial products, such as bank accounts, mortgages, loans or insurance.
There are strict rules around how financial products can be advertised and these rules apply to both online and offline advertising.
However, space constraints make it more difficult for companies to include any necessary disclaimers that they would include as a matter of course in offline or print advertising.
The most important point is that financial promotions should be fair and not misleading. Financial promotions should be balanced so that consumers have an appreciation not only of the potential benefits but also of any relevant risks.
The reason that regulations that cover financial promotions are stricter than standard promotions is that of the impact that a bad investment decision can have on someone’s livelihood.
In some cases, a bad investment can make unlimited losses. Banks and financial institutions are not known for their innovative use of social media, mainly due to their caution when it comes to social media regulation.
Financial regulation is complex and governs how financial institutions operate. Promoting financial products through social media has been seen widely as difficult or risky.
For example, financial institutions are often required to include terms and conditions in any financial promotions, something that can be difficult in the space-constrained world of social media.
In March 2015 the UK’s financial regulator, the Financial Conduct Authority (FCA), published guidance on how to use social media for financial promotions.
The rules themselves weren’t a change to existing regulation but instead provided guidance to financial institutions on ways that they could use social media to promote their products and services while remaining compliant with existing regulation.
Financial regulators understand the benefits of social media and want to encourage companies to use it, provided it’s used fairly and rules are not broken.
Publicly listed companies, whose shares trade on the stock market, have extra levels of regulation that they need to abide by. One such example is related to the disclosure of investor information. Information about a company’s performance will be of particular interest to investors because it might have an impact on the company’s share price.
Because of this, regulation exists to ensure that the disclosure of such information is done fairly. Social media is a communications medium and it’s not surprising that companies want to use it to engage with their customers, the public and their investor community.
If they’ve performed well during a particular quarter, they will want to share the story through social media, as well as through their traditional channels, such as press releases.
However, most regulators are still catching up with social media; therefore, if they believe that information has been inappropriately released on social media before investors or shareholders had been informed, they might take action against the company.
Regulators are, however, catching up and the US Securities and Exchange Commission (SEC) now allows companies to disclose information through social media, provided the company’s investors have been notified to expect to see such information there.
Netflix SEC disclosure
Netflix is a subscription service for watching TV programmes and movies. In July 2012, Netflix CEO and co-founder Reed Hastings posted on his personal Facebook account that for the first time in his company’s history viewers had consumed over 1 billion hours in one month.
The US Securities and Exchange Commission (SEC) issued what is known as a Wells Notice to both Reed Hastings and Netflix, which meant that they intended to pursue enforcement action over the inappropriate disclosure of investor information.
However, in April 2013 the SEC announced that it would not be bringing an enforcement action against Netflix or Reed Hastings and issued a report which said that companies were free to use social media networks to announce key information, provided that investors had been told where to expect this information to be published.
This example shows the difficulty that many organizations face when engaging in social media but it also shows that regulators are changing the way that they view social media.
The issues that arise from the use of social media for recruitment are mainly in relation to discrimination. Many countries have strict laws to combat discrimination. It’s now common for employers to look at a candidate’s social media footprint as part of the recruitment process. There are valid reasons to do this.
A person’s social media account can give insight into a job candidate’s experience and character. In LinkedIn, recommendations from previous employers or connections are listed on the user’s profile as well as a list of skills endorsed by colleagues and associates. I’ve heard many recruiters talk about how a person’s LinkedIn profile is often a more accurate representation of a candidate than a CV.
Job candidates tweak their CV for the job that they are applying for, but it’s harder to tweak a LinkedIn profile for specific jobs because the recommendations and endorsements are provided by other users.
But, reviewing a candidate’s social media profiles without their knowledge is an area for concern. This concern is heightened when a company uses deceptive techniques to gain access to a candidate’s social media profile, for example by sending connection requests to candidates from a fake account.
Companies face a risk when reviewing candidates’ profiles due to the potentially large amount of sensitive personal information that might be available in the candidate’s profile, such as their gender, age, religion, sexual orientation, political views etc.
Organizations need to ensure that they do not discriminate against candidates as a result of information gleaned from social media because an unsuccessful candidate could claim they have been discriminated against due to the personal information in their social media profile.
If you intend to review a candidate’s social media footprint as part of the recruitment process, the best course of action is to inform candidates that you will be conducting a review. This is fair as it gives the candidate a chance to review their profile and remove anything they might want to keep private.
You should also give the candidate an opportunity to defend any findings from your review as this will remove the risk of making assumptions or decisions based on inaccurate information.
An example of this is the appointment of 17-year-old Paris Brown as Britain’s first youth police officer and crime commissioner. After her appointment, she was found to have posted offensive and potentially racist messages on Twitter.
As a result, she resigned and Kent Police and Crime Commissioner faced criticism in the media for not having conducted appropriate background checks.
Employment and HR
Organizations need to comply with an array of laws and regulations relating to employment. In social media, the key issues that arise are:
ownership of social media accounts;
acceptable behavior and conduct;
bullying and harassment; and
Discrimination, whether active or passive, will cause problems for companies. Because of a large amount of personal information in social networks, it’s possible that employers might discriminate against recruitment candidates or their own employees based on their personal characteristics.
Laws around the world prohibit discrimination and companies must ensure that they don’t discriminate when engaging in social media. Companies need to provide equal opportunities for their employees, regardless of race, religion, gender, age etc.
Ownership of social media accounts
It can be difficult to determine the ownership of social media accounts. While corporate social media accounts are fairly easy to distinguish, uncertainty arises when an employee uses their personal account as part of their work.
If that person has a prominent position in the company or if they have gained a large number of followers or connections, the company that they work for may feel that they can claim ownership of the person’s account and that they should either have access to the account or that the account should be handed over if the person leaves the company. Regulations exist to make the rules around this sort of thing clear.
It’s unlikely that an organization will be able to legally state a claim over an employee’s social media account. If an organization requests access to an employee’s social media account they are likely breaking both the law and the terms and conditions of the social network in question.
Most social networks state in their terms and conditions that accounts cannot be transferred and that passwords should never be disclosed to anyone.
If you are concerned that an employee might leave your company and take with them a long list of contacts, the best way to combat this is by encouraging your employees to log new relationships on the company’s customer relationship management (CRM) system.
Many organizations require all work relationships to be logged and tracked through their CRM system, which means that even if the employee leaves, the company will retain details about the relationship including contact details.
This may seem like quite an onerous task; however, you could incentivize your people to update the system by reporting on how many new connections, opportunities or sales each person or team made to encourage competition between teams.
Acceptable behaviors and conduct
Many employers have regulatory responsibilities to ensure that their employees maintain certain levels of professionalism. Most organizations already have codes of conduct in place that set out what behaviors they expect from their employees. These behaviors should also be reflected in the company’s social media policy.
Bullying and harassment
Unfortunately, bullying and harassment exist in both society and business. Because of the perceived anonymous nature of social media, there have been many cases of abuse online, such as cyberbullying. Some people think that normal rules of politeness and human interaction don’t apply in social media.
The court heard that one tweet started with an expletive and continued ‘Die you worthless piece of crap’. Caroline was also told to ‘go kill yourself’. Many countries have laws to stop this type of behavior and organizations need to be aware of these laws and ensure that abuse does not take place within their organizations, either offline or online.
In some countries, there are restrictions on how social media can be used as a tool for assessing employee performance. Germany is one country where such activities can be meet with opposition from works councils. A works council is an organization that represents workers and that complements national labor laws.
Organizations that operate in Germany, or other countries that have the concept of works councils, should involve works councils in discussions from beginning to end to agree on how employees will use an enterprise social network or another social system.
The works councils are entitled, by law, to be involved in any discussions around the use of security cameras or IT tools that are able to monitor and assess employee performance.
Dealing with character limitations
One of the main challenges to regulatory compliance on social media is that many social networks impose character limits on posts.
For example, Twitter posts can include a maximum of 140 characters, videos on Vine are six-second loops, adverts on Facebook allow 25 characters for the title and 90 characters in the body.
This makes it challenging to include both your key messages and any relevant terms and conditions or additional information within a single social media post.
There are a couple of things that you can do to overcome these limitations. Firstly, you can split your content across two or more posts.
Splitting content across two or more tweets is a common way of including more content than the 140 character limit allows on Twitter; however, to be effective the tweets must come in quick succession. Otherwise, a user might see the first tweet, but miss the second tweet, or vice-versa.
Another way to include extra content is by embedding an image within a tweet. So, you could include the headline in the text of the tweet and include a picture that includes more details as well as any necessary disclaimers, terms or conditions.
However, it’s possible for users to turn off images so it’s important not to use an image for the disclaimers only; instead, the whole advert should be included within the image itself and the text should remain compliant on its own.
Finally, don’t try to hide any disclaimers by making the font size so small that it’s difficult to read. If you do this, a regulator will probably rule that the advert is neither fair nor clear.
Future of regulation
Regulators are catching up with social media, which is why we’re already seeing them issuing guidance to companies about how they should use social media and manage risk.
Social media and digital technology continue to evolve, with new social media networks gaining popularity and existing social networks adding new functionality.
In January 2015 Facebook announced that it had begun testing a service, called ‘Place Tips’, which will deliver information about nearby shops and landmarks to Facebook users.
If successful, this new functionality could offer businesses new advertising and marketing opportunities. Even if it fails, I have no doubt that other new developments and functionality will come along and change the dynamics of business–customer interaction.
Changes in the social media and the digital landscape will continue to make regulators reassess the rules and guidance that they set out for businesses. Regulators don’t like to make knee-jerk reactions to incidents and prefer instead to observe how companies and the public react.
Because of this, regulators will remain behind the curve when it comes to regulations that impact social media and digital technologies.
That said, organizations will need to keep a watchful eye on any upcoming rules or regulations to ensure that they maintain compliance and safeguard the future of their business.
In this blog, I introduced the social media regulation mix, which is a useful way of categorizing the types of regulation that impact social media. The laws and regulations related to social media around the world differ and the specific regulatory requirements in the countries where you operate will differ from other companies.
You are now aware of what to watch out for and you should seek advice from your risk, compliance and legal colleagues for specific details about how to ensure that your social media programme remains compliant.
There are practical steps you can take to help you deal with character limitations on social media, and elsewhere in this blog, I have highlighted other strategies to help you manage risk and maintain regulatory compliance.