GDPR and Energy and Natural Resources – what will this mean for the sector?
The General Data Protection Regulation (GDPR) will apply throughout the EU, including the UK (despite Brexit), from 25th May 2018. The UK Government is busily preparing for its implementation. The GDPR will bring about the greatest change to data protection law in thirty years. Below we have highlighted some of the main considerations for energy and natural resource companies and provided some guidance to aid GDPR compliance. There are only eight months until the GDPR takes effect, and organisations should be acting now!
What are some of the key changes under GDPR?
Energy and natural resource companies are most likely to be affected by the following changes:
- the increased territorial scope of the GDPR;
- changes to what is meant by “personal data;”
- new data breach notification requirements;
- changes to consent as a legal basis for processing;
- enhanced data subject rights; and
- the requirement to appoint a Data Protection Officer (DPO).
Fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year (whichever is greater) may be imposed for the most serious breaches of data protection law (not to mention the huge reputational damage if consumers lose trust in their provider). GDPR compliance should therefore be a priority for organisations in the sector.
- Scope of the GDPR
The GDPR, unlike the previous Data Protection Directive, applies not only to organisations established in the EU (wherever the processing itself physically takes place), but also to organisations with no EU establishment which process the personal data of individuals in the EU when offering them goods or services (whether or not payment is required) or when monitoring their behaviour within the EU. Global energy and natural resource groups without an EU presence could therefore find themselves subject to EU data protection rules, for example where they profile or monitor the online behaviour of EU-based customers. Organisations caught on this basis must, subject to limited exceptions, also designate a representative in the EU.
- What is “personal data”?
Under the GDPR, “personal data” expressly includes identifiers such as names, identification numbers, location data and online identifiers (which, according to the recitals, can include IP addresses, cookie identifiers and device identifiers), and the definition also covers genetic and biometric data. If an individual could be identified, directly or indirectly, from the data an energy company holds, whether on its own or in combination with other information, that data is personal data under the GDPR.

The recent roll-out of smart meters and connected devices (such as those which allow customers to control their heating or appliances remotely) is significant. Consumption readings and device data transmitted from a smart meter or connected device to the energy company are linked to a supply point and an account holder, and fine-grained readings can reveal when a household is occupied and how its occupants live. That data will therefore be personal data under the GDPR and subject to the additional rights and obligations described below.
- Data Breach Notification – 72 hour deadline!
In the energy sector, customer information is often shared between multiple parties (from energy generators to energy services companies and meter operators). Every additional party handling the data increases the risk of a breach occurring, and of the company not finding out about it in time to meet the new 72 hour deadline for data breach notification. Contracts with processors should therefore require them to notify the controller of any breach without undue delay, as the GDPR itself obliges them to do, because the 72 hour clock runs from the point at which the controller becomes aware of the breach.

There is further risk from the use of cloud services, which are frequently adopted in the energy sector to exploit the Internet of Things (IoT) and big data. Data is then often stored outside the physical control of the company and sometimes in a different country or jurisdiction from the operations. In 2015, utility companies were ranked as the worst prepared industry for cyber-attacks, and several high-profile data breach cases have since hit the headlines.

Under the GDPR, an organisation which suffers a personal data breach must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made after 72 hours must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the organisation must also inform the affected data subjects without undue delay. A notification must describe the nature of the breach (including, where possible, the categories and approximate numbers of data subjects and records concerned), give the DPO's contact details, set out the likely consequences of the breach and describe the measures taken or proposed to address it and mitigate its effects.

Organisations should therefore be preparing now by implementing policies, protocols and systems that will detect and manage data breaches and escalate them to the relevant people within the organisation. Those policies and procedures should be tested, for example by running a tabletop exercise against a simulated breach, to ensure that the organisation can identify, contain, assess and report a breach within the 72 hour deadline. Every breach, whether or not it is notified, must also be documented, together with its effects and the remedial action taken.
- Consent – what has changed?
If an organisation is going to rely on consent as a basis for processing personal information, caution is required. Consent under the GDPR is much stricter than what has gone before. It is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The key elements of consent remain the same as under the previous Data Protection Directive: consent must be freely given, specific and informed, and there must be an indication signifying agreement by the data subject. However, the GDPR adds a further layer by requiring that the indication be “unambiguous” and that consent be given “by a statement or by a clear affirmative action.” This means that businesses will no longer be able to rely on pre-ticked boxes, silence, inactivity or an opt-out box for consent, as the data subject must confirm their consent by clear affirmative action. The organisation must also be able to demonstrate that consent was given, so a record of what was agreed, when, how and what the individual was told should be kept.

Some additional points to note are as follows:
- Consent to data processing must be separate from other terms and conditions. This way the consent will stand out and be obvious to the individual;
- Consent must be capable of being withdrawn at any time, and it must be as easy to withdraw as it was to give (organisations will therefore need to provide customers with a simple withdrawal mechanism if they do not already have one); and
- As consent must be freely given, individuals must have a genuine choice as to which data is processed and how this is processed (i.e. if you would process the data anyway on a different legal basis, consent is not appropriate).
- Enhanced rights
The GDPR introduces two new rights for customers, the right to be forgotten (also known as the right to erasure) and the right to data portability, as well as bringing in changes to subject access rights. The GDPR puts individuals in greater control of what organisations can do with their personal information.
- Subject access rights
- Organisations will generally have only one month (as opposed to the previous 40 days) to respond to a subject access request, extendable by up to a further two months where requests are complex or numerous, and must generally do so free of charge (as opposed to previously being able to charge a fee of up to £10). A reasonable fee may be charged, or the request refused, only where it is manifestly unfounded or excessive.
- The right to be forgotten
- There are a number of circumstances in which customers can require that their data be deleted, including:
- where it is no longer needed for the purposes for which it was collected;
- where consent has been withdrawn and there is no other legal basis for the processing;
- where the customer has objected to the processing and there are no overriding legitimate grounds for continuing it;
- where the data has been processed unlawfully; or
- where erasure is necessary to comply with a legal obligation.
- The right is not absolute. An organisation may refuse erasure where it must retain the data, for example to comply with a legal obligation or to establish, exercise or defend legal claims, so retention periods for billing and regulatory records should be identified and documented in advance.
- The right of data portability
- This new right has the potential to impact greatly on energy companies. Customers will have the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to have that data transmitted directly from one provider to another where technically feasible. The right applies to data processed by automated means on the basis of consent or of a contract with the customer, which will cover much of the account and consumption data held by a supplier.
- Therefore, when a customer switches to a different energy company, organisations could be required to transfer the customer's data to the new provider. To comply with this obligation, organisations will need to be able to identify and extract the relevant data and to share it with other providers in a usable format when requested.
- Appointment of a Data Protection Officer
The GDPR introduces the requirement to appoint a Data Protection Officer (DPO). A DPO is a designated person, who may be an employee or an external contractor, whose tasks are to inform and advise the organisation on its GDPR obligations and to monitor its compliance with them; responsibility for compliance itself remains with the organisation. The DPO will be the primary contact for the supervisory authority and for data subjects on data protection matters, and must be able to act independently and report to the highest level of management. Organisations must appoint a DPO where:
- the processing is carried out by a public authority or body, with the exception of courts; or
- the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale – this would apply where the key operations necessary to achieve the controller/processor’s goals involve regular and systematic monitoring of customers; or
- the core activities of the controller or processor consist of processing special categories of personal data (i.e. race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation) or data relating to criminal convictions and offences on a large scale.
Since energy companies process large volumes of data that monitor data subjects (smart meter readings, for example, allow a company to work out a customer's daily routine), it is likely that most will need to appoint a DPO. Even where an organisation concludes that appointment is not strictly required, it should document that decision and the reasoning behind it.
This note is by no means intended to be exhaustive. For example, organisations should also be aware of the new mandatory contract terms when appointing processors to handle customer personal information on their behalf, the need to embed “privacy by design and by default” into systems and processes, the obligation to keep records of processing activities, and the requirement to undertake data protection impact assessments (DPIAs) for high-risk processing, which may well include the profiling and monitoring enabled by smart meters.
To the extent not already done, you should:
- Find out what data your organisation holds, where this came from, how and why it is being used;
- Ensure your organisation has policies and procedures in place to detect, assess and report breaches within the new 72 hour data breach notification deadline, and test them;
- Review consent mechanisms and refresh consents, if necessary;
- Ensure you have policies and procedures in place to comply with enhanced customer rights;
- Appoint a DPO, if necessary;
- Read our blogs and attend our seminars; and
- Contact us if you require any assistance.