GDPR presents opportunities for forward-thinking utility companies

Utility companies are gearing up to comply with the General Data Protection Regulation (GDPR), the European Union’s new data protection framework that comes into effect on 25 May 2018. But as data-heavy organisations they face considerable challenges, and the threat of a data breach, malicious or otherwise, remains omnipresent.

Nevertheless, the pathways to GDPR compliance may drive positive change within the industry, creating opportunities for forward-looking companies to review, test and, if necessary, re-design data management processes and behaviours. This might enable some companies to unlock greater value from the data they collect; for all, however, it is an opportunity to build greater data and digital resilience into their operations.

The challenges around customer data

The industry faces two unique data management issues: data volumes have increased considerably and will continue to do so with the roll-out of smart meters, while data sharing is intrinsic to its competitive and social obligations, be that customer switching or industry initiatives such as the Priority Services Register.

Utility companies should first consider how the data they hold will be affected by the new requirements – how it is captured, stored and analysed – because enhanced rights for individuals are central to the GDPR. Customers (and employees) will gain greater control over personal data through a variety of changes, including stringent consent requirements and transparency (comprehensive notice) about how their personal data is used by companies (the purpose, retention and recipients of their data).

A new right of data portability – allowing individuals to move, copy or transfer personal data easily from one service provider to another – is introduced by the GDPR, together with an enhanced right of erasure: utility companies must delete personal data where its collection purpose is no longer applicable and, if relying on consent as the basis for processing personal data, must delete that data when consent is withdrawn.

Individuals will also have the right not to be subjected to a legal or other similarly significant decision based solely on profiling. This is of particular importance to utility companies, as it may include the collection and use of data from smart meters. To meet the GDPR principle of privacy by design and by default, companies are required to include privacy and data protection considerations in the early stages of any project and throughout its lifecycle, which includes undertaking a Data Protection Impact Assessment (DPIA) before introducing technologies or processes that may result in a high risk to the rights and freedoms of individuals.

GDPR, an opportunity driver?

While GDPR compliance may be a costly and disruptive undertaking, the financial consequences of non-compliance are substantial: fines of up to €20 million or 4 per cent of total worldwide turnover, whichever is greater, for the most serious breaches of the GDPR. However, as well as the compliance burden, consider also the financial and operational benefits that might result from improved data management.

Legacy data management systems are often fragmented, even obsolete in places, born of piecemeal or reactive design as a company and its industry evolve. Investing in infrastructure to deliver GDPR compliance is therefore an opportunity to undertake a systematic review of data management systems and protocols to ensure they are balanced against future bandwidth and system capability requirements – in essence, future-proofing.

We need to talk about cyber

There may also be value to be derived from improving relationships with customers through enhanced data transparency and safeguarding. We are all acutely aware of the reputational impact that a loss of data – that now-ubiquitous cyber breach – can have.

A recent survey by Marsh, GDPR Preparedness: An Indicator of Cyber Risk Management, revealed a strong correlation between GDPR readiness and cyber risk management. Those who were developing a plan, or who were already fully compliant with the new rules, were more than three times as likely to adopt some cybersecurity measures – and more than four times as likely to adopt some cyber resiliency measures – as those who had not started. Reviewing and investing in data management policies and procedures may therefore improve a company’s cyber risk culture, moving beyond ‘big data’ to reduce the potential for operational disruption, physical damage and reputational/brand damage when it forms part of a more holistic cyber review.

The survey also found that a higher level of GDPR readiness correlated with an increased likelihood of purchasing or strengthening cyber risk insurance. Standalone cyber policies have been created with the GDPR (and equivalent legislation) in mind, and may provide cover for a company’s third-party liability and defence costs, or for investigation defence and incident response costs, in the event of a data breach or failure to comply with legislation. The extent to which insurance can be used to indemnify GDPR fines, however, remains a grey area. Modelling the effectiveness of insurance programmes against more stringent breach notification obligations, supervisory investigation or action, or a potential increase in privacy litigation may be prudent and help ensure they are fit for purpose through 2018 and beyond.

The impact of the GDPR on UK utility companies remains a watching brief and most companies, regardless of industry, still have a long way to go to full GDPR compliance – just 8 per cent of those surveyed by Marsh believe their organisation is fully compliant, while nearly a third of organisations surveyed have yet to develop a plan (or did not know if it had one).

Transposition of the GDPR may be a mere six months away, but for many companies it is still a long journey to compliance.