The General Data Protection Regulations (GDPR) is a  great opportunity, if you work with it. It is also, however, a threat, if you dare to ignore it. You’ve only got until 25th May 2018 before it is fully applicable in the EU and elsewhere. We are using the popular SOSTAC ® Planning framework to help you to plan and embed your own GDPR. Part 1 explored what it is GDPR and why organisations and customers need it.

Masked hacker working

In Part 2, we will look at setting a clear GDPR ‘Objective’ and also a crystal clear strategy to help you to embed GDPR. Part 3 will explore Tactics, Action & Control (the final sections of a SOSTAC® Plan).




SOSTAC ® Planning Framework highlighting Objectives

SOSTAC® Planning Framework


To be GDPR compliant within 12 months.

To protect customers, enquirers and visitors personal data & to only use it for legitimate purposes.


This is a major challenge and 12 months is deemed to be unrealistic by many experts. It might take 2 years. Be prepared.

An image of zero's and ones ie binary code.

Data Technology means GDPR is required more than ever before



SOSTAC ®Planning Framework highlighting Strategy

SOSTAC® Planning Framework



Change the Culture/Attitude Towards Data (from C Suite across the whole business)

Improve Data Management, Data Understanding & the Customer Experience (CX) simultaneously.

Start managing data much more seriously. Manage data better, quicker, faster and with far better security. Adhere to GDPR Guidelines within 12 months by appointing a data controller, initiate training, testing and reporting using a budget of £xyz. Adding GDPR audits to board agendae.

Ensure the Board understand that data is now the world’s most valuable resource, or as the Economist front cover stated: ‘The world’s most valuable resource is no longer oil, but data’ (6 May 2017).  Hence it has to be managed more carefully. In fact, competitive advantage can be carved out of clever use of data (just look at how both Uber and Air BnB use data to reduce the customer’s cognitive load, reduce prices, grow margins and establish an extremely competitive business). Watch Amazon & AliBaba use data to relentlessly improve the CX and thus create massive competitive advantage.

Economist front cover: The world's most valuable asset is no longer oil, but data

‘The world’s most valuable asset is no longer oil, but data’ The Economist 6 May 2017


Build a Data Protection Culture. Cultural change is critical. Attitudes to personal data must change. Personal data is a new currency. Training is not mandatory (well it is! But think of it like ‘Training is an opportunity’).  Embracing GDPR requires a cultural change. Michael winner once said that a ‘£60 fine for driving in a bus lane was very good value’ (source: Ruairi Thomas MD, DST Systems). So how do you stop people thinking that GDPR fines might be cheaper than changing the whole culture of the business into a customer-centric, customer caring, & data protecting – type of organisation?  GDPR is indeed an opportunity, but equally, it requires a change in culture.

Battery Looking Buldings

Build a data protection culture


Become transparent. The whole organisation must become transparent regarding collection and use of data and be accountable.

GDPR has a cost but also brings an opportunity for a better Customer Experience (CX) – which, in the long term, means better business.

Part 3 will explore Tactics , Action & Control – the remaining sections of a SOSTAC ® Plan.



Powers Of Observation:

Two goldfish in a fishbowl one says “it’s wet in here” the other says “wow, a talking goldfish”.

Are some organisations fully observant as to what is happening with this new GDPR?

                                                                                                          Ruairi Thomas


If you enjoyed this you might also enjoy:

Part 1 GDPR:  Opportunity to Boost CX or a Threat of Closure?

Part 3 GDPR: Tactics, Action & Control

How Trump Won by analysing data to deliver extremely relevant and highly targeted messages that worked.

How To Write The Perfect Plan in 4 minutes using the SOSTAC ® Planning Framework (4 min. video)



Armstrong, Jonathan (2017) Cordery: ‘All you need to know about GDPR but were too afraid to ask’, GDPR Conference Europe, 27 Apr

Cameron, Gareth (2017) ICO: ‘The pathway to implementation’, GDPR Conference Europe, 27 Apr

Kolah, Ardi (2017) Henley Business School: Sizing the risk – carrying out a data protection impact assessment Lite

Miller, Nigel (2017) Fox Williams:  Individuals’ Rights Under The GDPR, GDPR Conference Europe, 27 Apr

Smith, PR (2017) SOSTAC® Guide to your perfect digital marketing plan

SOSTAC® Portal for SOSTAC® Certified Planners

Thanks to 

Ardi Kolah, Executive Fellow & Programme Co-Director, GDPR Transition Programme, Henley Business school, University of Reading.

Nick James, CEO of Amplified Business Content, hosts of GDPR Europe Conference

Ruairi Thomas, MD, DST Systems for the gold-fish observation!