Data is one of the most valuable assets in companies. It is also critical to protect it and respect citizens’ privacy. Therefore, the EU has adopted new legislation, namely the General Data Protection Regulation (GDPR), and all companies that collect, process and store personal data need to comply.
At Pernexus Systems, we are helping three utility companies in Denmark go through the complex journey to compliance. Our consultants have extensive pragmatic expertise on GDPR and are applying their experience in project management and adapting it to the companies’ processes to align it with the new standards.
During an interview with my colleagues, who are consulting for our clients, I asked them what the focus areas are and some of the challenges faced by the clients, namely companies delivering heat, water and electricity to large groups of citizens.
Companies in the utility industry handle personal information about the citizens to whom they deliver services. Hence, they also need to engage in this effort and assign resources to reach compliance by the 28th of May 2018, when the legislation will go into effect.
The GDPR is similar to the Danish Data Protection Act, but with some substantial modifications. It also has strong interdependencies with the Bekendtgørelse om it-beredskab (BEK 515), which went into effect in July 2017 and aimed at introducing better IT security for the electricity and natural gas sector in Denmark. However, this new European regulation is more specific and should not be confused with earlier Danish laws.
The preparation for compliance is a four-phase process that involves not only technical but also organizational changes, because policies, technologies and culture all need to adapt and change.
The challenge is to make this change a priority. In fact, it is natural that the main focus for utility companies is to deliver a service, and to ensure that each citizen is provided with water, energy, heat and so on. From their point of view, it might not be considered a first priority to implement a regulation about data security, but it needs to be taken care of.
GDPR should be seen as an opportunity to improve a company’s data governance, which also implies a better organizational efficiency. The first phase of the process is a methodical assessment of current data security, repository systems and identification of risks and gaps while processing personal data.
This exercise is continuous and will have a positive impact not only on general IT capabilities but also on operational productivity and cost reduction. However, some utility companies are struggling, for instance, to document their processes, because for them it is a new requirement, and they may not have the right skills or a clear governance structure for data. In this phase, it is crucial to have the right support to enable a thorough assessment and proceed with the next steps.
In most cases, what causes a big headache is the requirement for explicit consent to handle citizens’ data. So far, most companies have obtained consent without a genuine choice from the user (with an automatic opt-in). Now this process needs to reflect the regulation, so that consent is freely given, specific, informed and unambiguous.
In Denmark, until a few years ago, utility companies were public and linked to the municipality, so they had access to citizens’ data via the CPR register. Since the privatization of the sector, this is no longer the case, and now the requirement is to have a documented business need for each person to access any type of data.
Time is running out and the day when the new regulation will be enforced is approaching fast. Setting up a change project and executing it is not an easy task or something that can be done over a couple of weeks. The suggestion is to lay out a detailed project and go through the steps as promptly as possible to avoid last minute stress and complications.
The General Data Protection Regulation (GDPR) is legislation that will go into effect on May 25th, 2018. It aims at strengthening the privacy rights of European citizens. It is also described as one of the most disruptive changes for EU businesses.
Each company collecting and storing any type of personal data will need to go through a complex journey to become compliant, which involves a program of multiple projects, depending on each individual company’s case. The legislation dictates how businesses use, collect and store any type of personal data.
Pernexus Systems consultants are competent and experienced with advising companies in the utility sector on the compliance process.
If you are interested, you can contact us at +45 33 25 16 66.
Christian Almskou, GDPR Consultant at Pernexus Systems
Per Samuelsen, GDPR Consultant at Pernexus Systems
Interviewer and article author
Serena Isolan, Business Development Manager at Pernexus Systems