Back in 2013, Central Hudson Gas & Electric detected an intrusion in its systems. It immediately took steps to alert its customers to the possibility that their auto-pay bank account information may have been accessed. Because of the urgency of the situation, the company decided to use an automated telephone system to call as many customers as possible. The company also offered all potentially affected customers, around 110,000 people, a full year of complimentary credit monitoring as a precaution. The cost of these actions, although huge, could in reality pale into insignificance beside the potential reputational damage to the company, hence the speed at which it moved to limit the effect of the breach.
Personal data protection is a big issue in the energy sector. Companies hold a vast amount of data on their customers, including highly sensitive data such as payment information. This data is stored in multiple places, including operational systems, CRM systems, data warehouses, analytical data marts, big data environments and documents. As Central Hudson’s experience shows, energy companies quite literally cannot afford to mess up personal data protection.
A changing situation: the effect of smart grids
Recent advances in energy management and deployment, such as smart grids, have only made the situation more complicated for the energy companies. This has not gone unnoticed by national and regional governments. The European Commission, for example, set up the Smart Grids Task Force in 2009 to advise on issues related to smart grid deployment and development.
Smart grids are seen as an essential way to manage energy supply in the future, enabling companies to respond to local changes in usage. But as the Smart Grids Task Force has recognised, customers need to accept the use of smart grids. This, in turn, requires them to be given control over their energy consumption data. It is also essential that the new technology does not jeopardise the privacy of personal data, and that consumers feel confident that their data will be kept secure and their privacy respected.
These issues, of course, only raise more questions. The task force went on to ask:
- What differentiates electricity data from other data?
- How can consumers and their data privacy be best protected?
- What mechanisms are available for the protection of vulnerable and low income consumers?
- Does this relate to data protection or adverse effects of flexible tariffs?
These are such major issues that the task force established an expert group to make regulatory recommendations on privacy, data protection and cyber-security in the smart grid environment. The group considered possible risks in the handling of data, security and data protection (including data exchange issues), identifying ownership of data, access rights and the parties responsible for data protection, and examined European legislation on data protection and whether further protective measures should be put in place. As a result, the Commission published a full package of recommendations at the end of November 2016 to ensure privacy and cyber-security in smart-metering systems, in line with the 10 minimum functional requirements set out in the Commission Recommendation and the General Data Protection Regulation.
Data protection legislation in other countries
Other countries outside the European Union have also taken similar action. Turkey, for example, also has a law on the protection of personal data. This protects the fundamental rights and freedoms of individuals, and particularly privacy of personal life, during the processing of personal data. It also sets out the obligations of anyone who processes personal data, and the associated procedures. In the energy sector, the Republic of Turkey Energy Market Regulation (EPDK), published in May 2016, covers personal data protection. To comply with this law, Turkish energy providers need, in the first instance, to develop a framework setting out how they will manage and maintain personal data. This is particularly important in a sector where distribution and retail sale activities are often carried out by separate legal entities, and where information may be shared with banks, municipalities and other third-party institutions.
Complying with data protection law
European companies, and any company handling data relating to customers in EU states, need to take steps to comply with the new data protection legislation. Although Turkey is not part of the EU, these steps would also help companies there to comply with Turkish law. As a starting point, the most important aspect of data protection is knowing what data you are holding and where. Companies could do worse than start to:
- Identify all personal data that they are holding, whatever the source;
- Create a data protection taxonomy; and
- Map the taxonomy to the personal data sources.
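The three steps above can be made concrete as a small data-inventory exercise. The following is an added example, not code from the article or from any regulator: it defines a hypothetical personal-data taxonomy (identity, contact, payment, consumption) as field-name patterns, declares a constructed set of data sources of the kinds the article names (CRM, billing, warehouse, documents, operational logs) with invented field names, and maps each source to the taxonomy so the company can answer "what personal data do we hold, and where?" The taxonomy and source names are assumptions chosen for illustration.

```python
"""Map constructed data sources to a personal-data taxonomy.

Added example (not from the article). Steps:
  1. identify the personal data held, per source;
  2. define a taxonomy of personal-data categories;
  3. map the taxonomy onto the sources.
"""
import re
from collections import defaultdict

# Step 2: hypothetical taxonomy. Each category lists regex patterns that a
# field name would match. A real taxonomy is company-specific.
TAXONOMY = {
    "identity":    [r"name", r"customer_id", r"national_id", r"date_of_birth|dob"],
    "contact":     [r"email", r"phone", r"address", r"postcode|zip"],
    "payment":     [r"iban", r"bank_account|account_no", r"card", r"auto_?pay"],
    "consumption": [r"meter", r"kwh|reading", r"usage|consumption"],
}

# Step 1: constructed inventory of sources and the fields each holds.
# All names are invented for this example.
SOURCES = {
    "crm.customers":            ["customer_id", "full_name", "email", "phone", "service_address"],
    "billing.autopay":          ["customer_id", "bank_account_no", "iban", "autopay_enabled"],
    "warehouse.meter_readings": ["meter_id", "reading_kwh", "read_at"],
    "docs.contracts_pdf":       ["customer_name", "date_of_birth", "postcode"],
    "ops.outage_log":           ["feeder_id", "outage_start", "outage_end"],
}


def classify_field(field, taxonomy=TAXONOMY):
    """Return the set of taxonomy categories whose patterns match a field name."""
    return {
        cat for cat, patterns in taxonomy.items()
        if any(re.search(p, field, re.IGNORECASE) for p in patterns)
    }


def map_taxonomy(sources, taxonomy=TAXONOMY):
    """Step 3: return {source: {category: [fields]}} for every source.

    Sources holding no recognised personal data map to an empty dict, so the
    result is a complete inventory rather than only the positive hits.
    """
    mapping = {}
    for source, fields in sources.items():
        per_category = defaultdict(list)
        for field in fields:
            for cat in classify_field(field, taxonomy):
                per_category[cat].append(field)
        mapping[source] = dict(per_category)
    return mapping


def sources_holding(category, mapping):
    """Answer "where do we hold <category> data?" as a sorted list of sources."""
    return sorted(src for src, cats in mapping.items() if category in cats)


def unclassified_fields(sources, mapping):
    """Fields no category matched: these need a manual review, since an
    unrecognised field name may still contain personal data."""
    leftover = {}
    for source, fields in sources.items():
        classified = {f for fs in mapping[source].values() for f in fs}
        remaining = [f for f in fields if f not in classified]
        if remaining:
            leftover[source] = remaining
    return leftover


if __name__ == "__main__":
    inventory = map_taxonomy(SOURCES)
    for source, cats in inventory.items():
        print(f"{source}: {cats or 'no personal data recognised'}")
    print("payment data held in:", sources_holding("payment", inventory))
    print("needs manual review:", unclassified_fields(SOURCES, inventory))
```

The pattern-based matching is deliberately conservative: anything it cannot classify is surfaced by `unclassified_fields` for a human to review rather than silently treated as non-personal, which matters for document stores and operational logs whose field names rarely follow the CRM's naming conventions.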
Visit our special site if you want to know more about becoming compliant with the EU Personal Data Protection