Utility Week

12 | 18TH - 24TH MAY 2018 | UTILITY WEEK Policy & Regulation Market view W e're almost there. This time next week, the General Data Protec- tion Regulation (GDPR) deadline, 25 May, will be upon us. What was once a peripheral irritant now seems all too press- ing. Decision-makers who ignore the immi- nent regulation are committing a dereliction of duty, particularly given the huge potential costs. Firms that do not comply risk an eye- watering fine of €20 million or 4 per cent of global annual turnover, whichever is greater. Aer years of piecemeal, reactionary measures prompted by high-profile data security breaches and staggered legislation, many businesses have been spurred into undertaking a comprehensive review of how they manage their data. Aer the regulation is enforced, consum- ers will be able to refuse businesses the right to collect sensitive data and have a say in how that data is used. Today, much of this data is collected, processed and shared with relative impunity. This change could have a remarkable impact on the way businesses in the energy and utilities industry operate. Many organi- sations depend heavily on smart analytics and big data to provide tailored products and services for their customers. Smart meters, for example, have breathed new life into the energy industry and have served as a key differentiator for most modern and technology-oriented gas and electricity pro- viders. New legislation threatens to rule out this competitive advantage. Other industry initiatives, such as the Pri- ority Services Register and customer switch- ing, are an intrinsic part of many utility companies' operations and also require care- ful consideration when navigating the path towards full compliance. Demanding regulation Despite all this, it seems that businesses have only just started to wake up to GDPR. A cursory glance at your inbox should reveal a steady stream of "opt in to continue to receive this newsletter"-type emails. These reveal a last minute, ill-thought-through strategy. I still meet too many businesses that remain unconvinced by the cost-benefit ratio and aren't considering the wider implica- tions of their panicked, last-minute, box-tick- ing measures towards full compliance. This is irresponsible and ignores GDPR's broad range of expectations. For a start, businesses must appreciate the sheer depth of data that they're likely to hold. GDPR means that companies should know what data they hold and why they do so, but this can be an exhaustive process, particularly for smaller utilities. Next, it's essential that employees truly understand the regulation and the new expectations on the way they handle their data. Getting your house in order is impor- tant, but this effort will be wasted if your employees then ignore best practice and continue to send unsolicited emails or col- lect personal information without consent. What's more, few businesses are aware of the increased emphasis on data security. The legislation expects data to be protected and it expects breaches to be reported, a task made easier if they are avoided altogether. Ask yourself whether you have taken steps to protect your data. Does your com- pany use encryption and, beyond this, then protect data when it's held? If the answer is no – and it is likely to be, considering a 2015 report which found the energy and utili- ties sector was the worst-prepared industry for cyberattacks – you should act. You need to incorporate a full review of your current cybersecurity defences into your GDPR-com- pliance strategy. Data danger Has your company considered exactly how it might be hacked? The stakes are higher for utilities than they are for most other sectors. It's not just consumers' personal information that's at risk from cybercriminals, but their livelihoods. On an everyday level, smart meters depend on identifying consumers' patterns of movement that, if accessed by those with malign intentions, could inspire house bur- glaries and worse. Yet there are even greater risks, demon- strated by the hack of a water treatment cen- tre in 2016. The hack, known only as Kemuri Water Company, altered the chemical make- up of the water at the centre. There are many points of entry for a cybercriminal, and once they're in, an even greater number of avenues for them to exploit. Kemuri Water Company, for exam- ple, was initially a breach of the firm's server that was connected not only to the internal IT network but also to the water treatment facility's operational technology. Printers, scanners and credit card machines can all be weak spots in a system and, without protec- tion, they leave your data vulnerable. GDPR may seem like a pain, but the leg- islation should wake companies up. Utility companies are acutely vulnerable and any- thing that helps strengthen their approach to data can only be a good thing. The threat of a €20 million fine is great but what's even worse and, to my amaze- ment, less obvious to many senior decision- makers is the risk of being le behind in an industry that rewards the most consumer- conscious businesses. Failure to take the necessary steps to protect your consumers' data, and a resultant breach, could result in mass customer switching. Is that a risk worth taking? The time to act is now. Randhir Shinde, chief executive, Galaxkey A chance to do the right thing Until recently, companies appear to have ignored the General Data Protection Regulation, but, as Randhir Shinde explains, the consequences of inaction could be serious. Key points Utilities depend heavily on smart analytics and big data. Companies should know what data they hold and why they do so. The legislation demands that data is protected and breaches are reported. Firms that do not comply with the regula- tion face a fine of €20 million or 4 per cent of turnover, whichever is greater.

• Cover