Utility Week

12 | 10TH - 16TH NOVEMBER 2017 | UTILITY WEEK Policy & Regulation Market view T he General Data Protection Regulation (GDPR) is now just six months away. Many firms have already made huge efforts to ensure compliance but there are still concerns that others, including some in the utility sector, have not fully recog- nised the scale of the cultural challenges – and opportunities – that the rules could bring. Disruption could be at least as sig- nificant as the "Uswitch" effect – the effect that price-comparison websites have had on the sector. The GDPR, which comes into force on 25 May next year, gives individuals enhanced data rights and fundamentally alters the way businesses approach the col- lection, storage and use of data. It requires them to demonstrate compliance and to embed data protection throughout their pro- cesses and systems. As consumer groups launch campaigns that will alert consumers to their new rights under GDPR, control over the future of brands and marketing strategies could trig- ger yet another shi away from businesses and towards consumers and employees – echoing the effects that campaigns and busi- nesses that encourage supplier switching have had. Like other sectors, utility firms will face heavy resource burdens as a growing number of consumers demand to see and withdraw data held on them. The removal of "implied consent" and "opt out" mod- els will place a further strain on data departments. The Information Commissioner's Office (ICO), in particular, is expected to launch a PR offensive in 2018 alerting consum- ers to their new rights as "data subjects". This, combined with the ability for consum- ers to bring collective "class action" type claims where they feel their rights have been breached, means there is also a clear risk of litigation. With fines of up to 4 per cent of annual global turnover or €20 million, whichever is greater, there is great urgency for businesses to get their houses in order. But although the threats are clear to see, the GDPR should not be seen as a threat but rather as an opportunity. Utility firms that prepare now for the new data protection regulation have a chance to gain a competitive advantage. Utility pro- viders can build a healthier, more effective relationship of trust with customers and employees around their data. So what are the best ways to get your business ready for the General Data Protec- tion Regulation? Raise awareness The focus on fines may have brought GDPR to you and your marketing department's attention, but everyone within the business needs to know how they should be handling information and data access requests when they come into the business. Find the gaps For businesses unsure about how they should prepare for GDPR, a gap and risk- analysis service is a great first initiative. An analysis can evaluate current data-protection procedures and compliance, and assess them against the requirements under GDPR in order to identify gaps. Audits of this kind can be crucial in help- ing an organisation identify the biggest threat it faces in terms of financial and repu- tational risk. Be ready for a backlash It is not only business awareness that needs to be dealt with. Consumer rights groups are likely to be campaigning to let the public know about the new rights and inform customers about businesses' respon- sibilities. As previously mentioned, the ICO is likely to turn its attention to individu- als and inform them of their rights under the GDPR. There could be an increase in the num- ber of data subject requests from early 2018 as the deadline approaches, be it access requests from current or former employees, or requests from customers wanting to see the information that is held about them or to have it removed. To minimise any result- ing disruption, you need to know where data is held and to have processes in place to quickly access, amend and remove it as necessary. You need to be ready to respond to enquiries and formal requests in a way that builds trust. And, conversely, to ensure that distrust doesn't lead to a haemorrhaging of usable data from your business. Improve data transparency Businesses will have to be more prescrip- tive and detailed in the way they they pro- cess personal data, and why, and also in the kinds of personal data they capture. The reg- ulation requires businesses to offer evidence of this. At media giant Sky, for instance, report- ing and recording has already become more focused in readiness for GDPR. The company is tagging data with time and date stamps as well as attaching what are called "trackers and gatekeepers" to certain activities so the company can cap- ture evidence of a change in the way it is using data. Expect another 'Uswitch effect' Some businesses are making a comparison between GDPR and the disruptive effect that price-comparison sites have had on the energy sector, or that review sites such as Trip Advisor and Amazon have had on the travel and retail industries. These innovations forced a shi in the balance of power between marketing depart- ments and customers when it came to the way the brand was seen, defined and able to market and price its products. GDPR will force yet another shi in power from busi- nesses to consumers, handing back control of personal data to consumers. Trying to stand in the way of this disrup- tive juggernaut is futile. Instead – as they have with price com- parison sites and the like – businesses must look for ways to adapt and take advantage of the new world of marketing, data and con- sumer control. Sarah Williamson, partner, Boyes Turner Whose data is it anyway? In six months, the General Data Protection Regulation will give customers more rights to see and withdraw the data utilities hold on them, but Sarah Williamson sees an opportunity, not a threat.

• Cover