Adopted by the European Parliament and Council on 27 April 2016, and following a two-year transition period, the General Data Protection Regulation (GDPR) is a regulatory framework that comes into effect on 25 May 2018, ensuring data protection and privacy for all individuals within the EU. It replaces the 1995 Data Protection Directive.
Our sister publication, Metering & Smart Energy International, in partnership with UK-based software company OpusVL, hosted a webinar discussing the GDPR and its implications for businesses operating within and outside Europe.
The law aims to give citizens back control over their personal data and to ensure standardised collection, storage, use and security of data across all segments in Europe, including the marketing, e-commerce, retail and wholesale industries.
The webinar highlighted the readiness of European companies in adopting the regulatory framework and the requirements for businesses to comply with the policy.
Presenting on the need to implement ways to manage GDPR compliance, Stuart Mackintosh, CEO of OpusVL, said the new policy will enable the EU's transition into a digital economy.
"GDPR allows automation of business processes, will enable self-service, improve data security and advances the digital economy," explained Mackintosh.
Mackintosh believes standardisation of data processes by the GDPR will rebuild trust between data subjects and businesses and will ensure business reputations and people are not damaged. Listen to the webcast on GDPR - are you ready?
A study conducted by the Information Commissioner's Office (ICO) found that 80% of the general public do not trust the handling of their data, owing to misuse by businesses and a lack of standards in data handling. This is highlighted by the fact that many users keep two or more different email addresses, one of which is normally reserved for sites or activities they consider high risk.
Mackintosh said the GDPR complements and builds upon the Privacy & Electronic Communications Regulation (PECR), which is outdated and does not accommodate the business processes of today.
The PECR covers areas such as listings of people in directories, whilst the GDPR extends that coverage to personally identifiable data, IP addresses and the security of communications.
In regard to preparation for the GDPR, Mackintosh highlighted the failure by some governments within the EU (and the UK) to adequately inform consumers or residents about the policy.
He said there had been limited action when it came to educating the public about the GDPR and its implications and protections in the UK over the past two years.
Stakeholders across multiple sectors have stated that the UK Government has been slow in preparing support to inform and prepare organisations for this new policy.
"Even though we are still a few weeks before GDPR is enforceable, there is still a lot of confusion and issues not yet resolved. Some will be resolved through court cases and through people falling into the grey area between what is and what is not clear."
We spoke to Mackintosh to find out more about how GDPR could affect utilities and supporting sectors.
What are the principles of GDPR?
The GDPR offers specific rights to data subjects. The rights include the right to be informed that a company holds a subject's information, how it obtained these details and what it will use them for, the right to restrict data processing and the right to ask for information to be erased.
Thus, businesses should view data as being on loan as it is not something that is owned by a business. Therefore, data subjects can request that their information be returned and it will have to be permanently erased from a database as a result of that request.
Additionally, businesses now have to tell data subjects when they have lost information, and if necessary, need to be able to tell a subject how and where they got the subject’s particulars and the purpose for its use.
Reaching out to people whose details are available on websites, how does the GDPR fit into this scenario?
If someone publishes their information online then it can be acquired and used. However, if, for instance, a business goes on to LinkedIn to mine data for sales or promotional purposes, that is not allowed – because the information was not put there for that specific reason.
Companies that mine and add LinkedIn data to their database for use without specific permission will put their businesses at risk, because they are using these details for a purpose that was never intended.
To what extent is the GDPR retroactive for historic or existing data?
When purchasing data, companies need to be very careful about the information source. Businesses will be liable for errors in the information they use. It is now a liability for the companies selling these databases to know what the intended use is, as agreed by the owner.
Companies should explore and assess data captured prior to the GDPR, because it may not have been captured with the right level of control around it. This data should be revalidated, repaired or removed as needed.
What about those utility companies that outsource meter reading processes?
They need to be sure that a consumer's personal details, home address, meter data and related information are stored securely, with the minimum amount of information needed, and for as short a time as possible. Once this has been transmitted, the data should then be erased from the contractor's files.
Third parties with consumer data during field meter readings need to make sure they properly manage the information they have. It is suggested that utilities centralise their data storage and have third parties collect and process information and send it back automatically.
How do data subjects escalate reports of their details being used without their consent?
The ICO offices in the various countries are responsible for such cases. Subjects first have to speak with the organisations, who must show how they obtained the subject's information, before reporting to the ICO.
If your business has not yet prepared for GDPR, do you still have time to begin preparation?
Yes, but there is a difference between meeting minimum compliance requirements and doing this in a way that allows a business to continue running smoothly and efficiently.
GDPR compliance is a process; you can implement it on paper. It does not need technology. Where technology and big investments come in is the effectiveness of that implementation.
Technology automates the administrative activities to help with things such as subject access requests, requiring less manual intervention from staff members. The most effective way of managing a subject's data would be to enable some form of self-service model.
Upcoming webcast | What's next?
This discussion will continue on Thursday, 10 May 2018 at 15:00 CET, where Stuart will focus on GDPR implementation and how effective compliance will give your business a competitive advantage. Register today for the free webcast.
Disclaimer: Although the information in this article is based on fact, the author is a technology expert and any legal or policy opinion should be understood from this perspective. This article does not represent an official policy position nor does it constitute legal advice.