While Facebook and Cambridge Analytica have brought a world of attention to the concern over personal data, companies across Europe have spent the past two years in a race to comply with new and stricter EU legislation on the protection and handling of such data.
There is no doubt that General Data Protection Regulation (GDPR) remains a tremendous challenge for utility companies across Europe.
A Europe-wide benchmark survey done prior to the deadline by the company Deloitte found that only 15% of companies expected to be in compliance with the rules by the deadline. The greatest challenges they stated were a lack of time, a lack of clarity in what was demanded, and the degree of difficulty in complying with the demands. However, as we move past the deadline towards continual integration, it is important not to overlook this process as a unique opportunity for valuable long-term business development.
How to approach this process to the greatest benefit for utility companies will be the focus of this article.
That companies struggle with compliance is not surprising: the General Data Protection Regulation (GDPR) has been described as one of the most disruptive changes for EU businesses in recent history. It was approved by the EU Parliament in April 2016, with an enforcement date of May 25, 2018, giving companies a two-year transitional period in which to become compliant.
The law aims to bring all EU member states under one umbrella by enforcing a single data protection law, with the purpose of strengthening the privacy rights of European citizens and of reshaping the way organizations across the region approach data privacy. It applies to all companies that handle personal data, dictating how they collect, use and store data, and requiring them to demonstrate compliance at any time.
To utility companies, the handling of personal data has always been an integral part of daily operation and administration. In fact, data is one of the most valuable assets of the company, as well as of its clients, and in the current environment of heightened privacy concerns, increasingly so. Protecting and respecting data is key to any company’s continued and future success.
The challenge is in the increased complexity of the new GDPR rules, which mean that compliance often requires a comprehensive update or shift in existing processes, documentation, controls and the handling of data. This is not a one-time fix. It requires continual and dynamic attention to ongoing competencies and processes. Under this new legislation, the handling of personal data must be an integrated and agile process that is continually maintained and adjusted.
To most utility companies, this presents a massive challenge. While most have handled data lawfully and responsibly in the past, GDPR demands an entirely different approach to the documentation and processing of personal data, which in turn demands an entirely new level of competencies, management and resources that have not been necessary in the past.
According to the previously mentioned Deloitte study, companies reported that the most difficult elements of compliance were the rules surrounding the right to erasure, developing and maintaining a personal data register, the accountability principle, data portability, maintaining a record of processing, and the rules of consent.
The fact is that for most companies within the utility sector, GDPR compliance requires a level of change that spans the entire organization, from policy to technology, procedure, process, management, and culture. It demands that the message reaches and settles within the entire organization, including in the daily awareness, habits, and routines of employees.
It is easy to see why the journey to become compliant is highly complex, and how it can be a difficult priority for a company whose core competencies lie elsewhere.
The good news is that the level of self-examination required to become compliant is a highly valuable opportunity to optimize efficiency, productivity and data management across the organization.
Our experience with utility companies has made it clear that any time spent mapping, identifying and integrating the best path to compliance can bring significant benefits across the wider organization.
The key is to map these changes from a perspective that brings the company’s long-term strategy, daily operation and goals into the equation.
This was also the finding among companies in the Deloitte survey: 61% said they expected to see benefits beyond compliance, and 21% expected to see significant benefits, such as competitive advantage, improved reputation and business enablement.
Based on that research, the report stated:
“The key here is intelligent implementation, capitalising on the need for change and transformation to make a compliance requirement a real business enabler. Organisations should focus their efforts not just on what needs to be done, but on how it can best deliver real long-term benefit.”
We could not agree more. These changes have to happen, and if they are done intelligently, with a focus on long-term business development and benefit, there is real value to be gained in the process.
The penalties associated with non-compliance are significant, reaching up to 20 million euro or 4% of a company’s worldwide annual revenue. While concern has been expressed about this, it is still too soon to say how the penalties will be enforced.
However, with many, if not most, companies unlikely to be fully compliant at this point, and considering the extensive changes required of each individual organisation, it is difficult to imagine harsh enforcement actions being taken immediately. While companies should be ambitiously pursuing compliance at this point, it is far too valuable a process to do wrong, and far too expensive a process not to do right.
The path to implementing and integrating permanent GDPR compliance the right way is simple, but not easy. One of the best ways to maintain an overview is to treat it as a continual annual analysis tailored to the company and its future goals.
The integration must be continual, which means there must always be an eye on the prize, in this case compliance. This requires tailored processes, built-in education and integration, awareness, and system checks. A dynamic approach will ensure that compliance continues and processes adapt, even if the rules change, the company changes, new hires come in, new products launch, or new software is implemented.
GDPR demands the ability to document your compliance at any moment. A good way to ensure this is to set up compliance in a way that supports an annual analysis. An annual analysis has key questions that must be answered, which means they must be identified, measured and documented throughout the year. When they are not, the gaps in compliance are clear.
Tailored to the company
The path to integration must be tailored to the company’s existing processes and goals. This will help make the transition as smooth and cost-efficient as possible, ensure that it works with existing resources, and that it reaches all necessary areas of the company.
And its future goals
Finally, the company’s strategy and future goals must be taken into account when working out a path to compliance. There is gold to be found in this process. Not doing so is a lost opportunity.
In conclusion, the most cost-efficient, sustainable and beneficial solution is an evolution tailored to the existing processes and the future goals of the current business. This exercise will not just have a positive impact on general IT capabilities, but also on operational productivity and cost.
For utility companies not already in the habit of analyzing and documenting to this extent, getting the right support to identify and establish the best path to compliance is often necessary. Regardless of how utility companies move forward, the key to turning challenge into opportunity is to view GDPR as a window to improve not only a company’s data governance but the efficiency of the entire organization.
Christian Almskou, GDPR Consultant at Pernexus Systems
Per Samuelsen, GDPR Consultant at Pernexus Systems
Serena Isolan, Business Development Manager at Pernexus Systems