Is GDPR (General Data Protection Regulations) an opportunity to boost CX (Customer Experience) or a threat that could put you out of business? It’s both. A great opportunity, if you work with it. A threat, if you dare to ignore it. You’ve only got until 25th May 2018 before it is fully applicable in the EU and elsewhere. We’ll use the SOSTAC® Planning framework to help you plan for your own GDPR adoption.
PR Smith’s SOSTAC® planning framework is used around the world by both blue chips and start-ups to write business plans, marketing plans, digital marketing plans, campaign plans, project plans, health & Safety plans, digital transformation plans, and now, GDPR transformation plans. Voted in the Top 3 Business Models around the world by the Chartered Institute of Marketing’s Centenary Poll, SOSTAC® has recently by adopted by Linkedin and KPMG Digital HQ and an array of other organisations as their preferred planning framework. It’s popular because of its simplicity and solid logic.
Situation Analysis means where are we now?’
Objectives – where do we want to go?
Strategy – how do we get there?
Tactics – the details of strategy
Action – how to ensure excellent execution (internal marketing)
Control – how do we know we are getting there.
+ the 3Ms: the 3 key Resources Men (men and women – the human resource), Money (budgets) & Minutes (timescales)
Here’s PR Smith’s 4 minute SOSTAC®summary on video. Let’s have a look at how SOSTAC® help you to prepare for GDPR.
Data is the Lifeblood of Any Business
Data can give you competitive advantage. Data (or lack of) can destroy a business. How long could you continue without access to your data? So data is the life blood of any organisation.
Do We Really Need General Data Protection Regulations?
The answer is ‘yes’ and here’s 6 big reasons why.
1. Falling Customer Trust (with their personal data)
Yet only one in four adults trust businesses with their information. UK adults fear sharing their information for marketing as much as sharing with criminals (Garreth Cameron, ICO 2017)
2. Data Criminals Are Growing
Con-men, criminals, and even hackers see opportunities online. Many of the opportunities are in the form of data. Irresponsible organisations, sloppy organisations and unethical organisations all help potential criminals to exploit your data, your identity and possibly your money.
There is a global increase in cyber attacks. Hackers are everywhere, preying, probing, testing, pushing, waiting for a brief drop in security. And now that IoT is here (the Internet Of Things), it just takes one weak link in a chain of connected devices to give hackers access – watch your kettle in the kitchen!
The world’s largest reported hack was yahoo (2013). Yahoo lost $1 billion share value because of poor security (Jonathan Armstrong, 2017).
40,000 TESCO bank accounts were hacked with money disappearing from 20,000 of them (Ardi Kolah, 2017).
Mobile operators now report 210,000 accounts were hacked (not 133,827 as reported to CIO Nov 2016 (Ardi Kolah 2017).
3. GDPR Breach (Poor Data Security) Incurs Big Fines
€20 million or 4% of global turnover for primary infringement (if it impacts a data subject/individual) or €10 million or 2% set for secondary infringement (a breach of the regulations e.g. not carrying out technical and organisational measures as required) – whichever is the greater. We can also be compensated for stress, for data loss, for identity theft, from funds being stolen and or a class action suit. There are exemptions for companies with less than 250 staff. Subject to the nature of the personal data breach /infringement of the GDPR, the Data Controller, Joint Data Controller or Data Processor could be subject to a financial penalty of up to 4% of global turnover of the preceding year or €20m (whichever is the greater).
The sanctions and fines can apply to both the Data Controller, Joint Data Controller and the Data Processor. “Remember there’s now under the GDPR, joint and several liability” (Ardi Kolah 2017). Note: Media Tactics (UK) were fined £270,000 and more recently, Keurboom Communications (UK), £400,000 fine (May 2017) for breach of privacy with nuisance telephone calls.
4. GDPR Breach Can Close Your Business
i.e. you can be forced to stop processing personal data i.e. it can stop your business. ‘ICO has the power to order temporary or permanent ban on personal data processing.’ In the UK, the ICO has the power to order temporary or permanent ban on personal data processing. Very detailed contractual arrangements are now required between DC (Data Controller) and DP (Data Processor). In fact, all contractual arrangements extending past 25 May 2018 need to be GDPR compliant.
5. GDPR Breach Can Send You To Prison
for both a breach (of security) and also for non-compliance with GDPR i.e. even if you don’t suffer a breach, if you are inspected and found not to be GDPR compliant, they can go after you. ‘Under the GDPR, Member States have powers to bring in criminal sanctions for failure to comply with the GDPR. This will apply where there are serious infringements and where the accountable individual at Board level is responsible as Data Controller’ (Ardi Kolah 2017).
6. GDPR Protects Individuals & Your Customers
This should really be the number 1 reason. Genuinely customer centric businesses will list this as the number one reason.The General Data Protection Regulations protects individuals and their private data. It came into force 24th May 2016 (ie it was adopted by the European commission) and after a two year transition period, it becomes fully applicable 25th May 2018 across all 28 EU member states. Are you ready?
Everyone Has Rights Under GDPR.
Personal Data includes: genetic data, bio data, voice data, finger prints and recognition data, CCTV, photos, recorded calls, CRM and after sales, search strings, web reports systems log IP addresses, accounts and finance, financial records, HR records, communications tools such as emails messenger messages, social networks and marketing databases and profiles*
Consent means that the customer freely gives his/her information and is informed of why it is being collected. This should be documented and verifiable. Data should be easy to find and easy to withdraw (if an individual, or ‘subject’ requests this). Legitimate collecting & using data. NB using data for marketing may not be legitimate (unless you explicitly explain how it will be used e.g. to send you weekly emails).
Rights to information: transparency; concise policies in plain language; accountability; individual rights; subject access request (SAR) is free of charge must be completed within one month.
- Right to rectification: if data is inaccurate or incomplete.
- Right to object to the Marketing Profiling and automated decision-making.
- Right to data portability. Can get a copy that other companies can use in the required format. Provide all data in a format which third-party companies can easily process.
- Right to erasure (the ‘right to be forgotten’) Customer Rights: Nigel Miller, Fox Williams, Individuals Rights
GDPR requires ethical capture and ethical use of all customers’ personal data.
GDPR Applies to Every Organisation
GDPR applies to both B2C and B2B businesses and organisations established in the EU either as a Data Controller (DC) or Data Processor (DP). It also applies to ‘non EU DCs & DPs that offer goods or services or monitor the behaviour of individuals who are in the EU.’ Ardi Kolah, Henley Business School GDPR even applies to robots – well if you consider Artificial Intelligence. Accountability goes all the way up to the CEO.
GDPR Opportunity or Threat
Some companies will go bust because of it. Some companies will see it as an opportunity to create/strengthen competitive advantage by improving the CX (Customer Experience) & adopt world class marketing standards in data collection & protection, that reassure and satisfy customers.
Now It Is Easy To Report A Nuisance Call or Message
It is getting easier for customers to complain about how they are being harassed by =nuisance phonecalls and spam emails. Here’s how easy it is in the UK to complain via the Information Commissioners Office (ICO).
So there’s the Situation Analysis – customers, courts and regulatory bodies are tired of personal-data mis-use, or even sloppy personal-data management. So manage your data very very carefully as neither customers nor courts will forgive you for any breaches of GDPR. Part 2 addresses setting your Objectives (where do you want to go with GDPR) and Strategies (how you are going to get there) i.e. to help you to plan to embrace GDPR in your business. Part 3 will look at the Tactics (the details of strategy), Actions (required to ensure excellent execution of GDPR) and finally, Control (how do you know you are always fully compliant with GDPR).
Armstrong, Jonathan (2017) Cordery: ‘All you need to know about GDPR but were too afraid to ask’, GDPR Conference Europe, 27 Apr
Cameron, Gareth (2017) ICO: ‘The pathway to implementation’, GDPR Conference Europe, 27 Apr
Kolah, Ardi (2017) Henley Business School: Sizing the risk – carrying out a data protection impact assessment Lite
Miller, Nigel (2017) Fox Williams: Individuals’ Rights Under The GDPR, GDPR Conference Europe, 27 Apr
Smith, PR (2017) SOSTAC® Guide to your perfect digital marketing plan
SOSTAC® Portal for SOSTAC® Certified Planners
Ardi Kolah, Executive Fellow & Programme Co-Director, GDPR Transition Programme, Henley Business school, University of Reading.
Nick James, CEO of Amplified Business Content, hosts of GDPR Europe Conference