The General Data Protection Regulation (GDPR) is a regulation that was adopted by the European Union in 2016 and went into effect in May 2018. The GDPR aims to give individuals more control over their personal data and impose stricter rules on organizations that collect, store, and use personal data.
As LinkedIn operates in the EU and processes personal data of EU citizens, it must comply with the requirements of the GDPR. In this article, we will look at how LinkedIn has adapted its data practices to align with the GDPR.
What is the GDPR?
The GDPR establishes requirements for organizations that process the personal data of EU citizens, regardless of where the organization itself is based. Some key principles of the GDPR include:
- Transparency – Organizations must clearly communicate with individuals how their data will be collected and used.
- Lawful processing – Personal data can only be processed under strict conditions, such as with the individual’s consent.
- Data minimization – Only data that is necessary should be collected and retained.
- Data security – Organizations must implement appropriate security measures to protect individuals’ data.
- Breach notification – Data breaches must be reported to authorities within 72 hours of discovery.
- Individual rights – Individuals have the right to access, correct, delete, and export their personal data.
Organizations that fail to comply with the GDPR can face significant fines of up to €20 million or 4% of global annual revenue, whichever is higher.
How does the GDPR impact LinkedIn?
As a professional social network with over 700 million members globally, LinkedIn processes large volumes of personal data. This includes profile information, connections, posts, messages, job applications, and more.
Here are some key ways the GDPR impacts LinkedIn’s practices:
- Obtaining valid consent – LinkedIn must obtain clear, affirmative consent from users to process their data. Pre-checked boxes or implied consent are not allowed.
- Expanded rights – LinkedIn must enable users to access, correct, delete, restrict, and export their data upon request.
- Data portability – LinkedIn must allow users to obtain their data in a structured, commonly used format to transfer to another service.
- Privacy notices – LinkedIn must provide transparent privacy notices that clearly explain its data practices.
- Data protection – LinkedIn must implement cybersecurity controls, data minimization, retention policies, and protocols for breach notification.
- Record keeping – LinkedIn must maintain detailed records of its data processing activities and compliance procedures.
These obligations require significant investment and oversight for LinkedIn to embed privacy and consent into its product design and organizational processes.
How is LinkedIn complying with the GDPR?
LinkedIn has taken several steps to comply with the GDPR requirements and align its data practices with the regulation. Some examples include:
Updated Privacy Policy and Consent Management
LinkedIn updated its privacy policy and settings to provide more transparency around data collection and use. Users must now explicitly opt-in and consent to certain types of data processing when signing up for a LinkedIn account.
Access and Data Portability
Users can now directly request access to the data LinkedIn holds on them. LinkedIn has also implemented data portability tools that allow users to download their data or transfer it to another platform.
Global Operations
LinkedIn has centralized its international operations under LinkedIn Ireland to streamline compliance with the GDPR across the EU.
Record of Processing Activities
LinkedIn maintains records of its data processing activities as required by the GDPR, detailing the types of data collected, legal basis for processing, third-party disclosures, retention schedules, security measures, etc.
Data Protection Officers
LinkedIn has designated data protection officers (DPOs) who oversee privacy strategy and GDPR compliance. The DPOs advise on risk assessments, due diligence, and remediation.
Incident Response Plans
LinkedIn has implemented incident response plans to promptly identify, report, and mitigate any potential personal data breaches as mandated by the GDPR.
Privacy by Design
LinkedIn has adopted “privacy by design” practices to minimize data collection, retention, and access to only what is necessary. Privacy reviews are built into product development cycles.
Audits
LinkedIn conducts periodic audits and testing to identify any gaps in its technical and organizational privacy measures. Third-party audits provide an independent assessment.
Lawful Basis for Processing
LinkedIn relies on consent, legitimate interests, and contractual necessity as lawful bases under the GDPR for collecting and processing personal data.
Processor Contracts
LinkedIn has processor contracts in place with vendors to ensure any data sharing complies with the GDPR.
What data does LinkedIn collect and how is it used?
LinkedIn collects various categories of personal data from its users. Here are some examples of the types of data LinkedIn may collect and how it is generally used, subject to users’ consent preferences:
| Data Category | Examples | Uses |
|---|---|---|
| Profile Information | Name, photo, contact info, experience, education, skills | Populate user profiles, enable connections |
| Connections | LinkedIn connections, imported contacts | Make suggestions, enable messaging |
| Posts & Activity | Article shares, comments, group posts | Personalize feed, surface relevant content |
| Communications | Messages, notifications, InMail | Send correspondence, service updates |
| Job Information | Position searches, job applications | Recommend jobs, support hiring |
| Analytics | Page visits, clicks, search terms | Improve site experience, recommendations |
| Advertising | Interests, demographics, page visits | Deliver relevant ads |
LinkedIn states that it does not sell personal data to third-party sites or advertisers. However, it does use data for targeted advertising and personalized content within the LinkedIn platform and services.
What are LinkedIn’s data retention policies?
According to LinkedIn’s privacy policy, it retains user data for as long as an account is active. If a user deletes their account, LinkedIn follows a multi-step process to remove their personal data from active systems within 30 days.
However, some types of data may be retained in backup storage or aggregates for longer periods if necessary for legitimate business purposes. This includes:
- Compliance with legal obligations like financial audits or court orders
- Detecting and preventing fraud, spam, or security incidents
- Enabling product functionality like contacts, messaging, and social features
- Product improvement based on aggregates like usage patterns and metrics
For job seeker accounts, LinkedIn may retain profile data for up to two years after deletion to continue powering features such as recruiter messaging and analytics. Deleted profiles are anonymized during this period.
EU user data specifically is retained only within the EU region. LinkedIn states that it periodically reviews and purges unnecessary data in compliance with GDPR deletion mandates.
How does LinkedIn protect user data privacy and security?
LinkedIn utilizes a range of technical and organizational controls to safeguard user privacy and data security, including:
- Encryption – Data is encrypted in transit and at rest using industry-standard mechanisms such as TLS (in transit) and AES-256 (at rest).
- Access controls – Employee data access follows the principle of least privilege. Production data is anonymized or masked for testing.
- Network security – LinkedIn systems are protected by firewalls, intrusion detection/prevention systems, and endpoint malware defense.
- Incident response – LinkedIn has an incident management process for promptly identifying and mitigating breaches.
- Audits & testing – Regular audits, risk assessments, penetration testing, and compliance reviews are conducted.
- Vendor oversight – Vendors and service providers are bound to privacy commitments contractually.
- Training – Employees and contractors undergo privacy and security training.
- Privacy reviews – Privacy impact assessments are integrated into new product design and development.
LinkedIn continuously evaluates and enhances its data protection posture to align with industry best practices, its expanding services, and evolving threats.
What options do users have to control their LinkedIn data?
LinkedIn provides users with various account controls and settings to manage their privacy preferences:
Ad personalization
Users can opt out of interest-based advertising personalization via their account settings or through LinkedIn’s ads preference manager.
Activity broadcasts
Users can limit notifications about their LinkedIn activity shown to their connections.
Profile visibility
Visibility settings allow users to select whether their profile is fully public or only visible to connections or recruiter subscribers.
Data exports
Users can download a copy of their LinkedIn data including profile info, posts, connections, messages, interests, etc.
Account deletion
Users can permanently delete their LinkedIn account, which erases their personal data from active systems.
Revoking consent
Users can manage their consent preferences from their account settings; unchecking a purpose revokes LinkedIn’s permission to process data for that purpose.
In addition, users can contact LinkedIn to access, correct, restrict, object to the processing of, or delete any specific pieces of their personal data as required under GDPR data subject rights.
What is LinkedIn’s process for data breach notification?
Under the GDPR, LinkedIn must report eligible personal data breaches to supervisory authorities within 72 hours of becoming aware of the incident. LinkedIn outlines its breach notification process as follows:
- Promptly investigate and confirm details of any suspected security incident.
- Assemble an internal response team including legal, compliance, security, and other stakeholders to assess the breach.
- Determine if the breach involves EU individual personal data that could put individuals at risk.
- Document details of the incident and affected data subjects.
- Notify the relevant EU supervisory authority within 72 hours if GDPR notification criteria are met.
- Carry out remediation steps such as notifying impacted users, mitigating risks to affected individuals, and applying lessons learned to improve security maturity.
LinkedIn’s breach notifications provide details on the nature of the breach, categories of data affected, estimated number of impacted users, likely consequences, and remedial actions taken. Users may receive separate breach notifications as appropriate.
How can users contact LinkedIn for data requests or complaints?
LinkedIn provides the following channels for users to submit GDPR data requests or lodge privacy complaints:
- LinkedIn support form – Online web form to file data requests like access, correction, deletion, etc.
- LinkedIn privacy email – [email protected], the address for contacting their privacy team.
- LinkedIn Ireland office – Submit postal requests to their EU headquarters.
- LinkedIn website contacts – Find phone and contact details for local LinkedIn offices.
- Data protection officers – Users can contact LinkedIn’s designated DPOs with privacy concerns.
LinkedIn aims to acknowledge user requests within 48 hours and provide information or comply with requests within 30 days as required under the GDPR. However, more complex requests may take up to 90 days.
What fines or enforcement action has LinkedIn faced under the GDPR?
Thus far, LinkedIn has not incurred any major fines or enforcement action under the GDPR. As a large multinational company, LinkedIn has allocated substantial resources towards compliance to proactively adhere to GDPR obligations.
Some smaller compliance incidents LinkedIn has faced include:
- Non-transparent privacy policy wording regarding third-party data sharing in 2017 – Addressed via subsequent privacy policy updates.
- Temporary glitch in May 2018 preventing some users from accessing data portability tools – Resolved within a few weeks of reporting.
- Insufficient data retention procedures noted in Ireland’s 2020 GDPR audit – LinkedIn implemented recommended improvements.
While no substantial penalties have been levied, LinkedIn remains under strict scrutiny by EU regulators to verify ongoing GDPR compliance across its handling of EU user data. Non-compliance could still result in significant fines in the future depending on any regulation breaches.
Is LinkedIn GDPR compliant – conclusion
In summary, LinkedIn has undertaken extensive efforts to comply with GDPR standards across its policies, processes, and systems for handling EU user data. Ongoing audits and reviews help ensure LinkedIn adapts to evolving regulatory guidance and user expectations around privacy.
Key indicators that LinkedIn appears committed to GDPR alignment include:
- Public commitment to GDPR compliance from its leadership.
- Renewed privacy notices, consent flows, and user account controls.
- Creation of data portability tools and access request processes.
- Institution of data protection officers and breach response protocols.
- Demonstrated security program maturity via audits and certifications.
- Centralization of EU data handling under its European HQ.
- No major compliance failures, user complaints, or regulatory penalties to date.
While there is always room for improvement, LinkedIn seems to have embraced GDPR requirements to give users more transparency and control over data use. Continued adoption of privacy-enhancing technologies, robust security, and detailed record-keeping appear to position LinkedIn well for maintaining GDPR compliance into the future.