Is GDPR (General Data Protection Regulations) an opportunity to boost CX (Customer Experience) or a threat that could put you out of business? It’s both. A great opportunity, if you work with it. A threat, if you dare to ignore it. You’ve only got until 25th May 2018 before it is fully applicable in the EU and elsewhere. We’ll use the SOSTAC® Planning framework to help you plan for your own GDPR adoption.

PR Smith’s SOSTAC® planning framework is used around the world by both blue chips and start-ups to write business plans, marketing plans, digital marketing plans, campaign plans, project plans, health & safety plans, digital transformation plans and now GDPR transformation plans. Voted into the Top 3 Business Models around the world in the Chartered Institute of Marketing’s Centenary Poll, SOSTAC® has recently been adopted by LinkedIn, KPMG Digital HQ and an array of other organisations as their preferred planning framework. It’s popular because of its simplicity and solid logic.

PR Smith’s SOSTAC® Planning Framework

Situation Analysis – where are we now?

Objectives – where do we want to go?

Strategy – how do we get there?

Tactics – the details of strategy

Action – how to ensure excellent execution (internal marketing)

Control – how do we know we are getting there?

+ the 3Ms: the 3 key resources – Men (men and women: the human resource), Money (budgets) & Minutes (timescales)

Here’s PR Smith’s 4 minute SOSTAC® summary on video. Let’s have a look at how SOSTAC® can help you to prepare for GDPR.



Data is the Lifeblood of Any Business

Data can give you competitive advantage. Data (or the lack of it) can destroy a business. How long could you continue without access to your data? Data is the lifeblood of any organisation. The Economist also describes data as the most valuable resource in the world, more valuable than oil (see Part 2).


Do We Really Need General Data Protection Regulations?

The answer is ‘yes’ and here are 6 big reasons why:


1. Falling Customer Trust (with their personal data)

Only one in four adults trust businesses with their information. UK adults fear sharing their information for marketing as much as sharing it with criminals (Gareth Cameron, ICO 2017).


2. Data Criminals Are Growing

Con-men, criminals and hackers all see opportunities online, and many of those opportunities take the form of data. Irresponsible, sloppy and unethical organisations all help potential criminals to exploit your data, your identity and possibly your money. There is a global increase in cyber attacks. Hackers are everywhere: preying, probing, testing, pushing, waiting for a brief drop in security. And now that the IoT (Internet of Things) is here, it takes just one weak link in a chain of connected devices to give hackers access – watch your kettle in the kitchen!


Hackers are waiting for just one momentary lapse in security

The world’s largest reported hack was Yahoo (2013). Yahoo lost $1 billion in share value because of poor security (Jonathan Armstrong, 2017).

40,000 TESCO bank accounts were hacked with money disappearing from 20,000 of them (Ardi Kolah, 2017).

Equifax hackers accessed the details of 143m US consumers (McLannahan & Cornish, FT 2017).

Mobile operators now report that 210,000 accounts were hacked, not the 133,827 reported to CIO in Nov 2016 (Ardi Kolah 2017).


Global Increase In Cyber Attacks (image courtesy of Henley Business School)

Lawrence Tracey (Data Specialist in Vancouver) says: ‘Did you know the easiest path for a hacker to get through the corporate security is via an employee’s car? Cars are easy to hack into; you just have to do a quick scan of YouTube to see a frightening list of possibilities. Most of them show a hacker taking control of a car; however, many people have their smartphones set to auto-connect to their car and to auto-connect to their home network and the corporate network when in the office. Speaking of the office, the printer is deemed to be the most vulnerable access point to a business system (see the frightening Wolf ads).’

Christian Slater as the chilling Wolf revealing the importance of network security


3. GDPR Breach (Poor Data Security) Incurs Big Fines

Fines are €20 million or 4% of global turnover for a primary infringement (one that impacts a data subject/individual), or €10 million or 2% for a secondary infringement (a breach of the regulations, e.g. not carrying out the technical and organisational measures required) – whichever is the greater. Individuals can also be compensated for stress, for data loss, for identity theft, for funds being stolen, and/or through a class action suit. There are exemptions for companies with fewer than 250 staff. Subject to the nature of the personal data breach or infringement of the GDPR, the Data Controller, Joint Data Controller or Data Processor could be subject to a financial penalty of up to 4% of global turnover for the preceding year or €20m (whichever is the greater).

The sanctions and fines can apply to the Data Controller, the Joint Data Controller and the Data Processor. “Remember there’s now, under the GDPR, joint and several liability” (Ardi Kolah 2017). Note: Media Tactics (UK) were fined £270,000 and, more recently, Keurboom Communications (UK) received a £400,000 fine (May 2017) for breach of privacy with nuisance telephone calls.


A £400k fine means a company (with 10% margins) must find £4m extra sales to cover this loss.


4. GDPR Breach Can Close Your Business

You can be forced to stop processing personal data, i.e. your business can be stopped. In the UK, the ICO has the power to order a temporary or permanent ban on personal data processing. Very detailed contractual arrangements are now required between the DC (Data Controller) and the DP (Data Processor). In fact, all contractual arrangements extending past 25 May 2018 need to be GDPR compliant.


A breach of GDPR could kill your business


5. GDPR Breach Can Send You To Prison

You can go to prison both for a breach (of security) and for non-compliance with GDPR, i.e. even if you don’t suffer a breach, if you are inspected and found not to be GDPR compliant, they can go after you. ‘Under the GDPR, Member States have powers to bring in criminal sanctions for failure to comply with the GDPR. This will apply where there are serious infringements and where the accountable individual at Board level is responsible as Data Controller’ (Ardi Kolah 2017).


A breach of GDPR could send you to prison


6. GDPR Protects Individuals & Your Customers

This should really be the number 1 reason; genuinely customer-centric businesses will list it as the number one reason. The General Data Protection Regulations protect individuals and their private data. It came into force on 24th May 2016 (i.e. it was adopted by the European Commission) and, after a two-year transition period, it becomes fully applicable on 25th May 2018 across all 28 EU member states (the UK is supposedly adopting EU laws). Are you ready?


Adhering to GDPR can improve customer trust


Everyone Has Rights Under GDPR

Personal Data includes: genetic data, biometric data, voice data, fingerprints and recognition data, CCTV, photos, recorded calls, CRM and after-sales records, search strings, web reports, system logs, IP addresses, accounts and finance, financial records, HR records, communications tools such as emails and messenger messages, social networks, and marketing databases and profiles*.


Customers have rights.


Customer Rights

Consent means that the customer freely gives his/her information and is informed of why it is being collected.

This should be documented and verifiable.

Data should be easy to find and easy to withdraw (if an individual, or ‘data subject’, requests this).

Collecting & using data should be legitimate. NB: using data for marketing may not be legitimate (unless you explicitly explain how it will be used, e.g. to send you weekly emails).

Rights to information: transparency; concise policies in plain language; accountability; individual rights; a Subject Access Request (SAR) is free of charge and must be completed within one month.

  • Right to rectification: if data is inaccurate or incomplete.
  • Right to object to marketing profiling and automated decision-making.
  • Right to data portability: the individual can get a copy that other companies can use, in the required format. Provide all data in a format which third-party companies can easily process.
  • Right to erasure (the ‘right to be forgotten’).

Customer Rights: Nigel Miller, Fox Williams, Individuals’ Rights


The right to be forgotten. Customers can ask for their data to be erased, wiped out or ‘forgotten’.


Essentially, GDPR requires ethical capture and ethical use of all customers’ personal data.


GDPR Applies to Every Organisation

GDPR applies to both B2C and B2B businesses and organisations established in the EU, either as a Data Controller (DC) or a Data Processor (DP). It also applies to ‘non-EU DCs & DPs that offer goods or services in the EU (or who monitor the behaviour of individuals who are in the EU)’ (Ardi Kolah, Henley Business School).

GDPR even applies to robots – well if you consider Artificial Intelligence to be at the heart of robotics (more on AI and Robotics).

Accountability goes all the way up to the CEO.


GDPR Opportunity or Threat?

Some companies will go bust because of it. Some companies will see it as an opportunity to create/strengthen competitive advantage by improving the CX (Customer Experience) & adopt world-class marketing standards in data collection & protection, that reassure and satisfy customers.

Now It Is Easy To Report A Nuisance Call or Message 

It is getting easier for customers to complain about how they are being harassed by nuisance phone calls and spam emails. Here’s how easy it is in the UK to complain via the Information Commissioner’s Office (ICO).


ICO Tips on how to complain about misuse of your personal data


So there’s the Situation Analysis: customers, courts and regulatory bodies are tired of personal-data misuse, or even sloppy personal-data management. So manage your data very carefully, as neither customers nor courts will forgive you for any breaches of GDPR. Part 2 addresses setting your Objectives (where do you want to go with GDPR) and Strategies (how you are going to get there), i.e. it helps you to plan to embrace GDPR in your business. Part 3 will look at the Tactics (the details of strategy), Actions (required to ensure excellent execution of GDPR) and finally Control (how do you know you are always fully compliant with GDPR).

Armstrong, Jonathan (2017) Cordery: ‘All you need to know about GDPR but were too afraid to ask’, GDPR Conference Europe, 27 Apr

Cameron, Gareth (2017) ICO: ‘The pathway to implementation’, GDPR Conference Europe, 27 Apr

Kolah, Ardi (2017) Henley Business School: ‘Sizing the risk – carrying out a data protection impact assessment Lite’

Miller, Nigel (2017) Fox Williams: ‘Individuals’ Rights Under The GDPR’, GDPR Conference Europe, 27 Apr

McLannahan, B. & Cornish, C. (2017) ‘Equifax hackers access details of 143m US consumers’, FT, 8 Sep

Smith, PR (2017) SOSTAC® Guide to your perfect digital marketing plan

SOSTAC® Portal for SOSTAC® Certified Planners

Thanks to 

Ardi Kolah, Executive Fellow & Programme Co-Director, GDPR Transition Programme, Henley Business School, University of Reading.

Nick James, CEO of Amplified Business Content, hosts of the GDPR Europe Conference.
