Is GDPR (the General Data Protection Regulation) an opportunity to boost CX (Customer Experience) or a threat that could put you out of business? It’s both: a great opportunity if you work with it, and a threat if you dare to ignore it. You have only until 25th May 2018 before it becomes fully applicable across the EU (and to organisations elsewhere that serve people in the EU). We’ll use the SOSTAC® Planning framework to help you plan your own GDPR adoption.
PR Smith’s SOSTAC® planning framework is used around the world by both blue chips and start-ups to write business plans, marketing plans, digital marketing plans, campaign plans, project plans, health & safety plans, digital transformation plans and now GDPR transformation plans. Voted into the Top 3 Business Models in the world in the Chartered Institute of Marketing’s Centenary Poll, SOSTAC® has recently been adopted by LinkedIn, KPMG Digital HQ and an array of other organisations as their preferred planning framework. It’s popular because of its simplicity and solid logic.
PR Smith’s SOSTAC® Planning Framework
Situation Analysis – where are we now?
Objectives – where do we want to go?
Strategy – how do we get there?
Tactics – the details of strategy
Action – how to ensure excellent execution (internal marketing)
Control – how do we know we are getting there.
+ the 3Ms: the 3 key Resources Men (men and women – the human resource), Money (budgets) & Minutes (timescales)
Here’s PR Smith’s 4-minute SOSTAC® summary on video. Let’s look at how SOSTAC® helps you prepare for GDPR.
SITUATION
Data is the Lifeblood of Any Business
Data can give you competitive advantage. Data (or the lack of it) can destroy a business. How long could you continue without access to your data? Data is the lifeblood of any organisation. The Economist has even called data the most valuable resource in the world, more valuable than oil (see Part 2).
Do We Really Need General Data Protection Regulations?
The answer is ‘yes’, and here are six big reasons why:
1. Falling Customer Trust (with their personal data)
Only one in four adults trust businesses with their information. UK adults fear sharing their information for marketing as much as sharing it with criminals (Gareth Cameron, ICO 2017).
2. Data Criminals Are Growing
Con-men, fraudsters and hackers all see opportunities online, and many of those opportunities take the form of data. Irresponsible, sloppy and unethical organisations all help criminals to exploit your data, your identity and possibly your money. Cyber attacks are increasing globally. Attackers are constantly probing and testing, waiting for a brief lapse in security. And now that the IoT (Internet of Things) is here, it takes just one weak link in a chain of connected devices to give an attacker a foothold, so watch the smart kettle in the kitchen!
Hackers are waiting for just one momentary lapse in security
The world’s largest reported breach was Yahoo (2013). Yahoo lost $1 billion in share value because of poor security (Jonathan Armstrong, 2017).
40,000 Tesco Bank accounts were attacked, with money disappearing from 20,000 of them (Ardi Kolah, 2017).
Equifax hackers accessed the details of 143m US consumers (McLannahan & Cornish, FT 2017).
Mobile operators now report that 210,000 accounts were hacked, not the 133,827 reported to CIO in November 2016 (Ardi Kolah, 2017).
Global Increase In Cyber Attacks (image courtesy of Henley Business School)
Lawrence Tracey (Data Specialist in Vancouver) says: ‘Did you know the easiest path for a hacker to get through corporate security is via an employee’s car? Cars are easy to hack into; you just have to do a quick scan of YouTube to see a frightening list of possibilities. Most of them show a hacker taking control of a car; however, many people have their smartphones set to auto-connect to their car, and to auto-connect to their home network and the corporate network when in the office. Speaking of the office, the printer is deemed to be the most vulnerable access point to a business system (see the frightening Wolf ads).’
Christian Slater as the chilling Wolf revealing the importance of network security
3. GDPR Breach (Poor Data Security) Incurs Big Fines
There are two tiers of administrative fine. The higher tier is up to €20 million or 4% of global annual turnover for the preceding year, whichever is greater, for infringements that directly affect data subjects (the basic principles, individuals’ rights and international transfers). The lower tier is up to €10 million or 2% of global annual turnover, whichever is greater, for other breaches of the regulation, e.g. failing to implement the required technical and organisational measures. Individuals can also claim compensation for material and non-material damage: stress, data loss, identity theft or stolen funds, potentially through a collective (class) action. Note that the fines are not waived for small companies; the only size-based relief in the GDPR is a limited record-keeping exemption for organisations with fewer than 250 staff. Depending on the nature of the personal data breach or infringement, the Data Controller, a Joint Data Controller or the Data Processor can each be subject to these penalties.
The sanctions and fines can apply to the Data Controller, a Joint Data Controller and the Data Processor. ‘Remember there’s now, under the GDPR, joint and several liability’ (Ardi Kolah 2017). Note: even under the UK’s existing PECR nuisance-call rules, Media Tactics (UK) were fined £270,000 and, more recently (May 2017), Keurboom Communications (UK) £400,000 for breaching privacy with nuisance telephone calls.
A £400k fine means a company with 10% margins must find £4m of extra sales just to cover the loss.
4. GDPR Breach Can Close Your Business
You can be forced to stop processing personal data, which in practice can stop your business: in the UK, the ICO has the power to order a temporary or permanent ban on personal data processing. Very detailed contractual arrangements are now required between the DC (Data Controller) and the DP (Data Processor). In fact, all contractual arrangements extending past 25 May 2018 need to be GDPR compliant.
A breach of GDPR could kill your business
5. GDPR Breach Can Send You To Prison
You can end up in prison both for a breach of security and for non-compliance with GDPR, i.e. even if you don’t suffer a breach, if you are inspected and found not to be GDPR compliant, the authorities can come after you. The GDPR itself imposes administrative fines; prison sentences come from national law, which Member States are free to add on top (Article 84). ‘Under the GDPR, Member States have powers to bring in criminal sanctions for failure to comply with the GDPR. This will apply where there are serious infringements and where the accountable individual at Board level is responsible as Data Controller’ (Ardi Kolah 2017).
A breach of GDPR could send you to prison
6. GDPR Protects Individuals & Your Customers
This should really be the number one reason, and genuinely customer-centric businesses will list it first. The General Data Protection Regulation protects individuals and their personal data. It entered into force on 24th May 2016 and, after a two-year transition period, becomes fully applicable on 25th May 2018 across all 28 EU member states (the UK has said it will carry it into domestic law regardless of Brexit). Are you ready?
Adhering to GDPR can improve customer trust
Everyone Has Rights Under GDPR
Personal data includes: genetic data, biometric data, voice data, fingerprints and facial-recognition data, CCTV, photos, recorded calls, CRM and after-sales records, search strings, web analytics reports and system logs containing IP addresses, accounts and finance records, HR records, communications such as emails and messenger messages, social network profiles, and marketing databases and profiles.
Customers have rights.
Customer Rights
- Consent means that the customer freely gives his/her information and is informed of why it is being collected. Consent should be documented and verifiable.
- Consent must be as easy to withdraw as it was to give, and the data should be easy to find when an individual (the ‘data subject’) asks for it.
- Collecting and using data needs a lawful basis. NB using data for marketing may not be covered unless you explicitly explain how it will be used, e.g. to send you weekly emails.
- Right to information: transparency; concise policies in plain language; accountability. A Subject Access Request (SAR) is free of charge and must be fulfilled within one month.
- Right to rectification: if data is inaccurate or incomplete.
- Right to object to profiling for direct marketing and to solely automated decision-making.
- Right to data portability: the individual can obtain a copy of their data in a structured, commonly used, machine-readable format that another company can process.
- Right to erasure (the ‘right to be forgotten’): customers can ask for their data to be erased, wiped out or ‘forgotten’.
(Source: Nigel Miller, Fox Williams, Individuals’ Rights under the GDPR)
Essentially, GDPR requires ethical capture and ethical use of all customers’ personal data.
GDPR Applies to Every Organisation
GDPR applies to both B2C and B2B businesses and organisations established in the EU, either as a Data Controller (DC) or a Data Processor (DP). It also applies to ‘non-EU DCs and DPs that offer goods or services in the EU, or who monitor the behaviour of individuals who are in the EU’ (Ardi Kolah, Henley Business School).
GDPR even applies to robots, if you consider Artificial Intelligence to be at the heart of robotics: profiling and solely automated decision-making about individuals are explicitly regulated.
Accountability goes all the way up to the CEO.
GDPR Opportunity or Threat?
Some companies will go bust because of it. Some companies will see it as an opportunity to create/strengthen competitive advantage by improving the CX (Customer Experience) & adopt world-class marketing standards in data collection & protection, that reassure and satisfy customers.
Now It Is Easy To Report A Nuisance Call or Message
It is getting easier for customers to complain about being harassed by nuisance phone calls and spam emails. Here’s how easy it is in the UK to complain via the Information Commissioner’s Office (ICO).
ICO Tips on how to complain about misuse of your personal data
Summary
So there’s the Situation Analysis: customers, courts and regulatory bodies are tired of personal-data misuse, and even of sloppy personal-data management. So manage your data very carefully, as neither customers nor courts will forgive you for breaches of GDPR. Part 2 addresses setting your Objectives (where do you want to go with GDPR) and Strategies (how you are going to get there), i.e. planning to embrace GDPR in your business. Part 3 will look at the Tactics (the details of strategy), Actions (required to ensure excellent execution of GDPR) and finally Control (how do you know you are always fully compliant with GDPR).
References
Armstrong, Jonathan (2017) Cordery: ‘All you need to know about GDPR but were too afraid to ask’, GDPR Conference Europe, 27 Apr
Cameron, Gareth (2017) ICO: ‘The pathway to implementation’, GDPR Conference Europe, 27 Apr
Kolah, Ardi (2017) Henley Business School: ‘Sizing the risk – carrying out a data protection impact assessment Lite’
Miller, Nigel (2017) Fox Williams: ‘Individuals’ Rights Under The GDPR’, GDPR Conference Europe, 27 Apr
McLannahan, B. & Cornish, C. (2017) ‘Equifax hackers access details of 143m US consumers’, FT, 8 Sep
Smith, PR (2017) SOSTAC® Guide to your perfect digital marketing plan
Thanks to
Ardi Kolah, Executive Fellow & Programme Co-Director, GDPR Transition Programme, Henley Business school, University of Reading.
Nick James, CEO of Amplified Business Content, hosts of GDPR Europe Conference
A very informative article and quite worrying!
My only comment is that the regulations are onerous for UK-based organisations and completely ignored by those overseas who, in my experience, make up 90% of the nuisance calls and email I receive. It is a shame that nothing can be done about these.
Yes, overseas is a problem. It becomes an even bigger problem when customer databases are hacked into and the databases then sold to criminals and scammers around the world. So GDPR will, indirectly, reduce the number of overseas callers, with reduced hacks as a result of ensuring we (EU & UK) adopt the regs’ advice. Plus, I believe several non-EU countries may well adopt GDPR as best practice.
Let’s be honest without being judgemental or racist. A lot of these calls are coming from Indian subcontinent and Malaysia because it is cheap labour. That is why British Airways farmed out their IT department to Mumbai probably resulting in the total meltdown last weekend. Maybe it is the ‘phone companies who allow cheap calls from these places to the UK, the USA and Europe who need to be regulated. Not the Companies placing the calls. Or possibly those who buy information from those cheap “research” companies for their own benefit who are all UK/European based.
I feel very sorry for the nuisance callers sometimes. They are obviously viciously time and production regulated, speak insufficient English to really get the message across even if I wanted to hear it and are probably being paid about £5 a day if they are lucky. It is the big money-makers we need to get at!
Very detailed contractual arrangements are now required between DC (Data Controller) and DP (Data Processor). I believe this will include any party that has commissioned the use of data from any other party, which must ensure that their data supplier adheres to GDPR principles. I will double check.
I do not think that GDPR should concern only the EU region; this regulation is something that should be driven as a campaign to spread it globally, because the reasons mentioned in this post remain more or less valid for customers across the globe.
Absolutely, I agree Shailendra. It is best practice for your data and ensures your database is a really well maintained, genuine database of genuinely interested people. This may reduce the size of your database but increase the quality of it. GDPR also applies to any company anywhere in the world if they have EU citizens on the database (as the EU seeks to protect its citizens).
I still have a query about how jurisdiction will apply when stakeholders like the domain registrar, hosting company, customer and the company itself are geographically apart.
Is there any primer which makes sense about GDPR and its legalities neutrally across the globe?
Reply:
I guess it’s like any crime – even if you are an American citizen (or a company with HQ in the USA) you have to adhere to local laws if you operate in a local country. ‘Operating in a local country’, I guess, can be remote, i.e. sending emails from the USA to citizens in an EU country.
Can anyone else throw some light on this?
I am told that American companies are taking GDPR very seriously and many will adopt it as their own standard – as it really is customer centric.
GDPR is so long overdue. Hopefully it will make companies more accountable for what they do with personal information and make consumers safer. Hopefully it will also make those time-wasting nuisance calls and messages a thing of the past (I can wish!)
Well it should stop a number of those calls and other forms of privacy invasion. It also protects customers from data abuse of their DNA, photos, records, voicemails etc.