GDPR: an opportunity for utility companies to do the right thing

We’re almost there. This time next month the General Data Protection Regulation (GDPR) deadline, 25 May, will have passed. What was once a peripheral irritant now seems all too pressing. Decision makers who ignore the imminent regulation are committing a dereliction of duty, particularly given the huge potential costs. Non-compliant firms risk an eyewatering fine of €20 million or 4 per cent of global annual turnover, whichever figure is greater.

After years of piecemeal, reactive measures prompted by high-profile breaches and staggered legislation, many businesses have been spurred into undertaking a comprehensive review of how they manage data. Once the regulation is enforced, individuals gain far stronger control over whether their personal data is collected and how it is used: where a business relies on consent, that consent must be freely given, specific and informed, and it can be withdrawn. Much of this data is currently collected, processed and shared with relative impunity.

This could have a remarkable impact on how businesses operate in the energy and utilities industry. Many organisations are highly dependent on smart analytics and big data to provide tailored products and services for their customers. Smart meters, for example, have breathed new life into the energy industry and have served as a key differentiator for the most modern and technology-oriented gas and electricity providers. The regulation does not outlaw this kind of analytics, but it does demand a lawful basis and a stated purpose for every use of personal data, and that threatens to narrow the competitive advantage.

Other industry initiatives, such as the Priority Services Register and customer switching, are an intrinsic part of many utility companies’ operations and also require careful consideration when navigating the path towards full compliance.

GDPR – demanding regulation

Despite all of this, it seems that businesses have only just started to wake up to GDPR.

A cursory glance at your inbox should reveal a steady stream of “opt in to continue receiving this newsletter”-type emails. These reveal a last-minute, ill-thought-out strategy.

I still meet too many businesses that remain unconvinced by the cost-benefit case and have not considered the wider implications of their panicked, last-minute box-ticking on the road to full compliance. This is irresponsible and ignores the broad range of expectations GDPR places on them.

For a start, businesses must appreciate the sheer depth of data that they are likely to hold. GDPR requires companies to know what personal data they hold, why they hold it and on what lawful basis, and to keep a record of that processing. Building that record can be an exhausting process, particularly for smaller utilities that lack the internal resources.

Next, it’s essential that employees truly understand the regulation and the new expectations placed on their data handling. Getting your house in order is important, but this effort will be wasted if your employees then ignore best practice and continue to send unsolicited emails or collect personal information without consent.

What’s more, few businesses are aware of the increased emphasis on data security. The legislation requires personal data to be protected by appropriate technical and organisational measures, and it names encryption and pseudonymisation as examples. It also requires personal data breaches to be reported to the supervisory authority, where feasible within 72 hours of the business becoming aware of them, a task made easier if breaches are avoided altogether.

Ask yourself: have you taken steps to protect your data? Is personal data encrypted in transit and at rest, and, beyond that, is access to it restricted to the people and systems that actually need it? If the answer is no, and it is likely to be, considering a 2015 report found that the energy and utilities sector was the worst-prepared industry for cyber-attacks, you should act. You need to incorporate a full review of your current cyber security defences into your GDPR-compliance strategy.

Data danger

Have you considered exactly how you might be hacked? The stakes are higher for the utility industry than they are for most other sectors. It’s not just consumers’ personal information that’s at risk from cyber criminals, but their livelihoods.

At an everyday level, smart meters record consumption at fine intervals, typically half-hourly, and from that record it is easy to infer when a home is occupied and when it is empty. In the hands of those with ill intentions, that is a burglar’s timetable, and worse.
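To make the point concrete, here is a short added illustration (not part of the original article, and not any supplier’s code). It takes one constructed day of half-hourly readings in watt-hours and flags the stretches in which nobody is using appliances, using a simple assumed rule: a slot counts as “active” when usage is well above the always-on baseline of fridges and standby loads. It then shows what the same inference recovers once the readings are summed into four-hour buckets, and into a single daily total, which is the kind of data minimisation a supplier can apply before storing or sharing the data.

```python
"""Occupancy inference from smart meter interval data.

Added illustration: the readings below are constructed for this example, not
real meter data, and the threshold rule is an assumption, not a published method.
"""

# Constructed half-hourly readings (Wh) for one household over one day.
# Index i is the half hour starting i * 30 minutes after midnight.
NIGHT = [120] * 13                                    # 00:00-06:30, asleep
MORNING = [900, 1100, 800, 600]                       # 06:30-08:30, getting ready
AWAY = [110, 130, 120, 120, 110, 120, 130, 120, 110,
        120, 120, 110, 130, 120, 110, 120, 120, 130]  # 08:30-17:30, house empty
EVENING = [700, 1400, 1600, 900, 800, 600,
           500, 500, 400, 450, 350]                   # 17:30-23:00, at home
LATE = [150, 120]                                     # 23:00-24:00
READINGS = NIGHT + MORNING + AWAY + EVENING + LATE    # 48 slots
SLOT_MINUTES = 30


def infer_active(readings, factor=2.5):
    """Flag each slot as 'someone active' when usage exceeds factor times the
    always-on baseline. Baseline is taken as the 20th percentile reading."""
    baseline = sorted(readings)[len(readings) // 5]
    return [r > factor * baseline for r in readings]


def _hhmm(slot, slot_minutes):
    minutes = slot * slot_minutes
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def inactive_windows(readings, slot_minutes=SLOT_MINUTES, min_minutes=180):
    """Return (start, end) clock times of inactive stretches lasting at least
    min_minutes: the windows an attacker would read as 'house empty'."""
    flags = infer_active(readings)
    min_slots = max(1, min_minutes // slot_minutes)
    windows, start = [], None
    for i, active in enumerate(flags + [True]):  # sentinel closes a trailing run
        if not active and start is None:
            start = i
        elif active and start is not None:
            if i - start >= min_slots:
                windows.append((_hhmm(start, slot_minutes),
                                _hhmm(i, slot_minutes)))
            start = None
    return windows


def coarsen(readings, slots_per_bucket):
    """Sum readings into larger buckets, i.e. minimise before storing or sharing."""
    return [sum(readings[i:i + slots_per_bucket])
            for i in range(0, len(readings), slots_per_bucket)]


if __name__ == "__main__":
    print("half-hourly:", inactive_windows(READINGS))
    four_hourly = coarsen(READINGS, 8)
    print("4-hourly   :", inactive_windows(four_hourly, slot_minutes=240))
    print("daily total:", coarsen(READINGS, 48))
```

On this constructed day the half-hourly data gives away the empty house between 08:30 and 17:30 to the half hour. Summing into four-hour buckets still exposes an empty stretch from 08:00 to 16:00, so bucketing alone is not enough; only the daily total, a single number, hides the pattern. The practical lesson for a utility is that interval data is personal data of the sensitive kind, and the retention, access control and sharing decisions around it deserve the same scrutiny as names and addresses.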

Yet there are even greater risks. These were aptly demonstrated by the compromise of a water utility, reported in 2016 under the pseudonym “Kemuri Water Company” in Verizon’s Data Breach Digest, in which the attackers altered the chemical dosing of the water being treated.

There are many points of entry for a cyber criminal and, once they are in, an even greater number of avenues to exploit. The “Kemuri Water Company” intrusion, for example, began with the firm’s internet-facing customer payment application; the server behind it was connected not only to the internal IT network but also to the systems that controlled the treatment plant, so a breach of billing data became a breach of the plant itself. Printers, scanners and credit card machines can all be serious weak spots in a network and, unless they are patched, segmented and monitored, they leave both your data and your GDPR compliance exposed.

GDPR may seem like a pain, but the legislation will hopefully wake companies up. Utility companies are acutely vulnerable and anything that helps strengthen their approach to data can only be a good thing.

The threat of a €20 million fine is great but what’s even worse and, to my amazement, less obvious to many senior decision makers is the risk of being left behind in an industry which rewards the most consumer-conscious businesses. Failure to take the necessary steps to protect your consumers’ data, and a resultant breach, could result in mass customer-switching.

Is that a risk worth taking? The time to act is now.