GDPR: A Positive Change for Utility Companies?
UK utility companies face two unique data management issues: increasing volumes with smart meter roll-out, and data sharing with other suppliers, including customer switching and initiatives such as the Priority Services Register. Both will be impacted by the implementation of the General Data Protection Regulation (GDPR) in May 2018.
Enhanced Rights for Individuals
Under the GDPR, individuals will have better control over personal data (as customer or employee) through explicit consent and enhanced transparency of use that includes the purpose, timeframe, and recipients of their data. Data portability — data transfer to another organisation at an individual’s request — is not new to utility companies; however, the GDPR introduces an enhanced right of erasure. Utility companies must delete personal data where its collection purpose is no longer applicable and, if relying on consent as the basis for processing personal data, this data must be deleted when consent is withdrawn. Other areas of change introduced by the GDPR include mandatory breach notification.
Greater Restrictions on Profiling
Individuals will have the right not to be subjected to a legal or other similarly significant decision based solely on profiling. This may encompass the use of data collected via smart meters. Companies must undertake a Data Protection Impact Assessment (DPIA), an integral part of the concept of privacy by design, before introducing technologies or processes that may result in a high risk to the rights and freedoms of individuals, taking into account privacy and data protection considerations throughout the lifecycle of the project. However, further guidance on profiling and DPIAs is currently pending from both the EU's Article 29 Working Party and the UK Information Commissioner’s Office.
The cost of GDPR compliance may be significant. Investment to upgrade legacy data management systems must also balance future bandwidth and system capability requirements. The financial consequences of non-compliance — punitive and potential losses — are substantial, with fines of up to EUR20 million or 4% of total worldwide turnover, whichever is greater, for a data security breach or infringement in the processing, storage, or transfer of data.
Investing for the Future
For forward-thinking utility companies, the transposition of the GDPR next year could be a driver of positive change. Reviewing and investing in data management policies and procedures will improve companies’ cyber risk culture and may reduce the potential for operational disruption, physical damage, and reputational/brand damage when part of a more holistic cyber review.
Modelling the effectiveness of insurance programmes against more stringent breach notification obligations, supervisory investigation or action, or the potential increase in privacy litigation, is also prudent and should extend to consideration of standalone cyber policies created with the GDPR (and equivalent legislation) in mind. These may provide cover for a company’s third party liability and defence costs or investigation defence and incident response costs, including notification costs to supervisory authorities and affected individuals, in the event of a data breach or failure to comply with legislation. Nevertheless, the extent to which insurance can be used to indemnify GDPR fines remains a grey area and, when coupled with pending guidance on profiling and DPIAs, the impact of the GDPR on UK utility companies remains a watching brief.