The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 in the EU. In short, this new regulation defines how businesses must collect, manage, protect and administer personal data from that date onwards.
Being the biggest data protection reform undertaken in Europe over the past 30 years, GDPR will affect the energy trading sector in many ways.
Let’s have a look at six changes introduced by this new regulation that will affect energy trading companies.
1. The Scope of the GDPR
Under GDPR, data protection rules apply both to organisations established in the EU (wherever the processing itself takes place) and to organisations not established in the EU that process the personal data of people in the EU, for example when offering them goods or services or monitoring their behaviour.
For this reason, the scope of GDPR is much wider than that of any previous data protection reform, and global energy trading companies with no EU establishment may still be subject to its rules.
2. The definition of personal data
The definition of “personal data” will also be wider under GDPR.
The term will explicitly include identifiers such as location data, online identifiers (including IP addresses) and genetic data, as well as any information that can be used, directly or indirectly, to identify a person.
In the energy trading world, for example, consumption data produced by smart meters and other connected devices will be considered “personal data” where it can be linked to an individual, and will therefore be subject to the additional rights and obligations described below.
3. Data Breach Notification: A 72 hours deadline
Under the GDPR, a company that suffers a personal data breach must notify the Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the people concerned). The clock starts at awareness, not at the moment the breach is fully understood. This change may have important consequences for energy trading companies: in this sector, customer data is often shared between multiple parties (from the energy generators to the energy services companies and meter operators), which makes it harder to establish quickly what happened, which data was affected and who is responsible for reporting it, and therefore more likely that the deadline is missed.
In addition, the cloud services widely used in the energy sector can prevent a company from meeting the 72-hour deadline, as data is often processed and stored outside of its direct control. The regulation requires processors to notify the controller without undue delay after becoming aware of a breach, so contracts with cloud providers should spell out how quickly, and through which channel, the provider will do so.
4. Consent – what has changed?
The definition of consent will be much stricter under GDPR. According to Article 4(11) of the EU GDPR, “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The term “unambiguous” and the requirement that consent be given “by a statement or by a clear affirmative action” add another layer of complexity. Under such a definition, companies will no longer be able to rely on pre-ticked boxes, silence or opt-out mechanisms as consent, since data subjects will have to express their agreement actively. Companies will also need to be able to demonstrate that consent was obtained, which means keeping a record of when and how it was given.
5. Additional rights for customers
The GDPR intends to give people more control over how their personal data is managed by companies. To that end, it introduces two new rights for customers: the right to be forgotten (right to erasure) and the right to data portability.
The right to be forgotten allows customers to have their data deleted without undue delay:
Where it is no longer needed for the original purposes;
Where consent has been withdrawn;
Where the customer has objected to the processing;
Where the data has been processed unlawfully; or
Where erasure is necessary to comply with a legal obligation.
The right to data portability means that, where processing is based on consent or a contract and carried out by automated means, customers can obtain their data in a structured, commonly used and machine-readable format, and companies may be required to transmit it directly to another provider when the customer decides to switch, where that is technically feasible.
6. Appointment of a Data Protection Officer
Many companies will be required to appoint a Data Protection Officer (DPO) to oversee compliance with GDPR.
According to Article 37 of the EU GDPR, a controller or processor must appoint a DPO where:
The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
With fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher, GDPR compliance has become one of the main priorities for companies in 2018.
The 8th ETRC 2018 Summit provides the best platform for legal and compliance officers to communicate directly with regulators and get a clear update on how to avoid GDPR-, REMIT- and EMIR-related non-compliance fines.
Related sessions from ETRC 2018:
Upcoming General Data Protection Regulation – What you should watch out for:
The EU is adapting to the digitalisation of business, including through new personal data protection measures. How is that impacting energy trading companies, and in particular utilities? What should we prepare for before May 2018? This session will answer these questions.
Q&A with the Financial Regulators: Exclusive Q&A session between the Financial Regulators and the audience to address issues and ask questions on:
MiFID II: Position limit and position reporting challenges
Hedging policy: Definition and conditions
Enforcement of the regulations: Anti-abuse measures and investigation
Review of EMIR: Timeframe
The future of energy trading regulations – What should we expect in coming years?
Reviews of the different regulations: Are we heading towards rules that are friendlier to energy trading companies?
How will the Winter package measures affect energy trading?
What regulations can we likely expect from changes in the trading landscape?