Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/927672
19th - 25th January 2018 | Utility Week | Policy & Regulation | Market view

Utility companies are gearing up to comply with the General Data Protection Regulation (GDPR), the European Union's new data protection framework, which applies from 25 May 2018. As data-heavy organisations, they face considerable challenges, and the threat of a data breach, malicious or otherwise, remains ever present. Nevertheless, the pathways to GDPR compliance may drive positive change within the industry, creating opportunities for forward-looking companies to review, test and, if necessary, redesign data management processes and behaviours.

This might enable some companies to unlock greater value from the data they collect. For all, however, it is an opportunity to build greater data and digital resilience into their operations.

The challenges around customer data

The utilities industry faces two distinctive data management issues: data volumes have increased considerably and will continue to do so with the rollout of smart meters; and data-sharing is intrinsic to its competitive and social obligations, whether that is customer switching or industry initiatives such as the priority services register.

Utility companies should first consider how the data they hold will be affected by the new requirements (how it is captured, stored and analysed), because central to the GDPR are enhanced rights for individuals. Customers (and employees) will gain greater control over personal data through a variety of changes, including stringent consent requirements and transparency (comprehensive notice) about how personal data is used by companies: the purpose, retention period and recipients of the data.

A new right of data portability, allowing individuals to move, copy or transfer personal data easily from one service provider to another, is introduced by the GDPR together with an enhanced right of erasure.
Utility companies must delete personal data once the purpose for which it was collected no longer applies and, where consent is the legal basis for processing, when that consent is withdrawn. Individuals will also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. This is of particular importance to utility companies because such processing may include the collection and use of data from smart meters.

To meet the GDPR principle of data protection by design and by default, companies are required to build privacy and data protection considerations into the early stages of any project and throughout its life cycle. That includes undertaking a data protection impact assessment before introducing technologies or processes that are likely to result in a high risk to the rights and freedoms of individuals.

GDPR, an opportunity driver?

While GDPR compliance may be a costly and disruptive undertaking, the financial consequences of non-compliance are substantial: fines for the most serious breaches of the GDPR can reach €20 million or 4 per cent of total worldwide annual turnover, whichever is higher. However, beyond the compliance burden, consider also the financial and operational benefits that might result from improved data management.

Legacy data management systems are often fragmented, even obsolete in places, born of piecemeal or reactive design as a company and its industry evolve. Investing in infrastructure to deliver GDPR compliance is therefore an opportunity to undertake a systematic review of data management systems and protocols to ensure they are balanced against future bandwidth and system capability requirements; in essence, future-proofing.

We need to talk about cyber

There may also be value to be derived from improving relationships with customers through enhanced data transparency and safeguarding.
We are all acutely aware of the reputational impact that loss of data (that ubiquitous cyber breach) can have. A recent survey by Marsh, GDPR Preparedness: an Indicator of Cyber Risk Management, revealed a strong correlation between GDPR readiness and cyber risk management. Those developing a plan, or who were already fully compliant with the new rules, were more than three times as likely to adopt some cyber security measures, and more than four times as likely to adopt some cyber resiliency measures, as those who had not started.

Reviewing and investing in data management policies and procedures may therefore improve a company's cyber risk culture, moving beyond big data to reduce the potential for operational disruption, physical damage and reputational damage when it forms part of a more holistic cyber review.

The survey also found that a higher level of GDPR readiness correlated with an increased likelihood of purchasing or strengthening cyber risk insurance. Standalone cyber policies have been created with the GDPR (and equivalent legislation) in mind, and may provide cover for a company's third-party liability and defence costs, or investigation defence and incident response costs, in the event of a data breach or failure to comply with legislation. The extent to which insurance can be used to indemnify GDPR fines, however, remains a grey area. Modelling the effectiveness of insurance programmes against more stringent breach notification obligations, supervisory investigation or action, or a potential increase in privacy litigation may be prudent and help ensure they are fit for purpose through 2018 and beyond.
The impact of the GDPR on UK utility companies remains a watching brief, and most companies, regardless of industry, still have a long way to go to full GDPR compliance: just 8 per cent of those surveyed by Marsh believe their organisation is fully compliant, while nearly a third of organisations surveyed have yet to develop a plan (or did not know whether they had one). The GDPR may apply in a matter of months, but for many companies it is still a long journey to compliance.

Darren Shelford, UK waste and utilities practice leader, Marsh

The GDPR opportunity
Tighter EU data protection rules should not be seen as a burden of compliance but as an opportunity for utilities to overhaul often outdated legacy data systems, says Darren Shelford.