How to Ensure Compliant Social Media and E-communications During COVID

This post is for you if your organization must retain and supervise social media and e-communications, or even if you are only trying to reduce the risk of exploding internal and external social media use. I’ll start by discussing the trends leading to governance challenges during COVID, then we’ll explore the risks of the various channels, and finally I’ll present four best practices that when used together ensure that your firm will have compliant social media and e-communications during and after COVID.

Trends Leading to Social Media and E-communications Challenges

The current confusion in governance of social media and e-communications results from three trends:

  1. COVID has caused an explosion of remote and social media use across all channels, outpacing traditional methods of governance
  2. Social media options have exploded – more vendors and products have entered the market, most of which are expanding to address multiple channels
  3. Trends #1 and #2 are not slowing down

We have found that the firms who are doing the best in navigating the challenging trends above were already well on their way in executing and governing their digital transformation.

What Exactly are the Risks Posed by the Current Explosion of Social Media?

Let’s start by explaining the specifics of the nature of the risk caused by the explosion of social media use across multiple channels, applications, vendors and products. These are the risks that must be explicitly addressed in your SM policy.

The Most Popular and Riskiest Channels

The most popular social channels are Instagram, text messaging, Facebook, collaboration platforms, encrypted channels, Twitter, LinkedIn and email. Most of our clients believe that text messaging is the greatest source of risk, followed by collaboration platforms. Your policy should address whether these channels are allowed or prohibited. If allowed, the policy should establish whether the content needs to be supervised, archived, or both.

Risks of Channel Switching

One of the primary risks today is social media channel switching in business communications. An employee starts a conversation on LinkedIn, then moves to Outlook to set up a meeting in Zoom, then sends a reminder in Slack chat, and then keeps switching channels to address the meeting action items. When one or more of the channels is not addressed by your governance and retention policies, or where you are not tracking the flow of the communication through the channels, the switching presents significant compliance challenges.

Risks of C2C (Consumer-to-Consumer), Encrypted and Ephemeral Applications

iMessage, WhatsApp, and Snapchat were designed as consumer applications, not business communications, and leave firms exposed, since it’s hard to capture these communications. Some enterprises have responded by promoting similar apps that were designed for business use. These include Microsoft Teams, Slack, Facebook Workplace Chat, and Google Hangouts (which has done a pretty good job evolving from purely consumer to business use).

Risks of Collaboration and Meeting Tools

Office and Slack are the most popular collaboration tools. But they are so interactive, multi-channel, and multi-function (voice, video, apps, persistent chat, doc sharing), that they introduce types of risk far beyond email and your organization’s email and static chat policies.

For example, Microsoft O365 has a very aggressive update policy that introduces new problematic capabilities every month or so. Some firms have responded aggressively to such updates and new capabilities by turning them off. But doing so often has unintended negative consequences, by hindering other desirable, low risk capabilities. Your policy should establish an evaluation process to assess each new set of capabilities for these tools.

Meeting solutions such as Teams, Slack, Zoom, WebEx, Workplace (that now support chat, recording, file sharing, etc.) also present governance challenges. Your policy should also address these solutions and include an evaluation process.

Four Best Practices to Ensure Compliant Social Media and E-communications During and After COVID

As I alluded to in the introduction, we strongly recommend that you complete four initiatives. One of them is to align and update your social media rules into a single social media policy. The good news is that the other three are best tackled at the same time that you are defining the social media policy.

We strongly recommend that you complete the following four initiatives:

  1. Align and update the relevant social media policies and procedures.
  2. Update and align all relevant roles and responsibilities – including corporate communications, compliance, legal, information technology, records management, and the business.
  3. Define the stage-gate processes for onboarding and approving new social media channels, applications, and use cases.
  4. Consolidate and standardize the social media tools your firm must and can use.

1. Update and Align All Your Social Media Rules – and Then Put Them in a Single Social Media Policy

Your social media policy should specify rules around platform use such as which platforms can or must not be used by advisors, what is acceptable personal use versus business use, and which devices can or must not be used by advisors.

Your policy should address how social media content should be approved before it’s shared publicly, and what security measures should be taken to ensure firm social media accounts are protected from unauthorized use.

The policy should also address how it will be enforced. Include direction on which social media activities will be supervised, how they will be supervised, and what corrective actions should be taken when non-compliant content is shared publicly.

Updating and aligning your firm’s social media rules will likely necessitate including requirements from several other existing policies, procedures, and standards – typically addressing communications, information security and privacy, device usage, legal hold, and records management. These sets of rules will likely also need to be updated and aligned to meet current information governance requirements – but that’s a topic to be addressed in another article.

2. Update and Align All Relevant Roles and Responsibilities

In updating the social media policy, you’ll have to clarify the roles and responsibilities of all relevant stakeholders – typically compliance, corporate communications, legal, information security and privacy, IT, and often records management and others. You’ll have to clarify not only who reviews and approves new social media channels and applications, but also the social media policy itself.

3. Define the Stage-Gate Processes for New Social Media Channels, Applications and Use Cases

This will address not only if and where each candidate is permitted, mandated, or prohibited, but also what capabilities and governance controls are required, such as retention and supervision. While the hood is open it should also be assessed for its other information security, privacy, records management, and legal hold requirements.

4. Consolidate and Standardize the Social Media Tools Your Firm Must and Can Use

Your organization should consolidate down to a standardized digital communications toolbox, combining multiple channels into a small product set when it makes business sense and can facilitate governance. Then communicate “what to use and what to do” in clear guidelines and policy.

Your consolidated toolbox could center around one product (e.g. Office 365 and its services) but if you’re a financial services provider this is highly unlikely because financial services requires niche communication tools with capabilities that the mainstream solutions don’t provide. Do what you can. 10 products is better than 50, and five is better than 10.


With numerous interconnected compliance issues at stake during the current explosion of social media and e-communications options, getting governance right is critical – especially now that COVID has introduced new challenges. If you need to move quickly, it helps to have a subject matter expert on your team who’s done this work before. Please reach out if you’d like to start a conversation.

New call-to-action

Rich Medina
Rich Medina
I’m a Principal Consultant and co-founder of Doculabs, and the resident expert in using ECM for information lifecycle management.