There have been literally thousands of scaremongering articles published across the media and social media about how non-compliance can lead to fines amounting to thousands, if not millions, of pounds and countless research reports outlining how only a tiny fraction of organisations are prepared. Utilities have seemly scored particularly badly.
That’s the bad news. The good news is that the ICO (the office in charge of regulating the directive) has made it clear that it is not going to hand out massive fines willy-nilly. As is its current approach, it will reflect on each individual case and set the fine according to the circumstances. It has is not in the business of trying to bankrupt firms; which is something some of the articles have suggested. In terms of the plethora of research studies most report on the percentage of firms that aren’t ready for GDPR, but fail to shed insight on the number of organisations that are in the process of getting ready – after all there is still over a half a year to go until GDPR comes into force.
So having established that GDPR is perhaps not the insurmountable beast it is being made out to be, in simple terms what does it mean for utilities?
There are 5 key areas that need to be addressed:
1. Data portability
GDPR means that consumers will have the right to increased data portability which means that they can obtain and reuse their personal data for their own purposes across different services. In other words a customer can request all of the information that they have provided to an organisation and their transactional history. If this happens the utility company has two months to compile and send the information in a structured and easily readable format to that consumer.
The aim of this right is to support user choice, user control and consumer empowerment. It also aims to prevent ‘lock-in’. It is likely that as consumers become aware of their right to data portibility they will use it as a way to switch providers and find cheaper deals. There are already some solutions, such as the midata government initiative, which enable customers to have their transactional history analysed by comparison sites in order to provide recommendations on better deals. The implications of data portability are immense and once consumers get used to the concept likely to become a popular way to source new energy providers.
2. Consent and profiling
Utility providers will no longer be able to market to a consumer unless they have their explicit permission to do so. Failure to opt-out no longer counts as consent. The consumer must tick a permission box. This is where many utility providers will fall down as a significant amount of the customer data held by the industry is failure to opt-out. Additionally, consent must be granular with separate options being provided to customers e.g. permission to send communications via email, mail, SMS etc, and permission to process the data.
The lack of consent for data profiling has been a significant issue for the charities, many of whom have recently been fined by the ICO for the so called “unfair” processing of donor’s data including wealth screening and tracing donors after they have moved house. This means that if a utility company wants to carry out a segmentation exercise in order to find new customers they must have the consent of its customers to profile their data.
3. Well-maintained data
GDPR is all about making marketing more responsible and engendering stronger relationships between consumers and their suppliers. A large part of this is ensuring that data is well looked after; for instance ensuring that all data is adequate, up to date and relevant. The directive states that “every reasonable step must be taken to meet this requirement”. DMA guidelines recommend a monthly data hygiene regime which should include deceased suppression (removing the details of customers that have passed away), deduplication (removing any duplicate records) and general data cleansing.
4. Right to be forgotten
Consumers have the right to have their information deleted if they so require. If this is requested all data pertaining to that individual must be removed from the database as soon as possible and no more communication will be lawfully allowed. The same is true for deceased individuals. Under GDPR data should not be held for longer than is necessary and therefore the records of customers that have passed away need to be removed as soon after death as possible.
5. Security
All data breaches (whether a large scale data hack or a misplaced USB containing customer information) must be reported to the ICO within 48 hours.
GDPR compliance is not a walk in the park, but it also isn’t impossible. And in the long term by starting to address these 5 areas sooner rather than later, means that utilities can start establishing better and stronger relationships with their customers, built on a foundation of trust which will ultimately be a good thing for an industry which in the past has not been renowned for its customer centricity.