Failing to comply - are utilities ready for GDPR?

European utilities will be among the 80% of companies predicted by Forrester to not comply with GDPR by May 2018. In this article, we examine the stumbling blocks.
Published: Mon 16 Apr 2018

When an anonymised utility known only under the pseudonym of Kemuri Water Company (KWC) was hacked in 2016, nearly 2.5m customer records were stolen.

Worse still was the control that the hackers gained over the chemical and flow levels in the water supply.

Had this disruption happened under GDPR, KWC could have been fined up to €20m or 4% of annual global turnover, whichever is higher - a sizeable loss for any company.

According to Forrester in its ‘Predictions 2018: A Year of Reckoning’, as many as 80% of companies will not be GDPR compliant by launch day. Even more surprisingly, 50% of them will be noncompliant by choice.

So where might utilities miss the mark for complete GDPR compliance?

With insight from Malene Dich, Data Protection Officer at Kamstrup, Engerati explores the potential hurdles for GDPR compliance in utilities.

Countdown to GDPR - May 2018

1] Complex compliance demands

As with any new and unpracticed regulation, there are bound to be significant gaps in GDPR legislation.

Uncertainty around GDPR ruling has persisted even as recently as January 2018, when on behalf of the Danish Ministry of Energy, Utilities and Climate, the Danish Energy Agency queried GDPR legislation surrounding remote smart meter reading and consumer consent.

Malene Dich gives insight into this hurdle, saying “getting ready for GDPR is a highly complex task. One of the main barriers is that the local legislation is still underway. I know in Denmark the implementation of the law has not been finalised yet, and the same is the case for many other countries in the European Union (EU).”

Due to this, there may be some utilities that have drawn out their preparations for 2018’s GDPR deadline.

“I have not heard of utilities refusing to comply with GDPR. To outright refuse to comply would be bad for business, because the main thing they work with is personal data,” says Dich.

This doesn’t mean, however, that it has been an easy journey, in her experience. “Because we’re talking about new legislation, the translation into practice is quite complex. There are very few guidelines on how to interpret ‘sufficient security’, for example, which is mentioned in Article 32. When I talk to utilities and legal experts around Europe about the GDPR, this section causes the most concern - how can they transfer ‘sufficient security’ into their business and processes. It’s not so much that there’s a gap but rather a challenge with the interpretation of the GDPR.”

Communication and discussion therefore become a crucial part of compliance and preparation, with Dich explaining Kamstrup’s approach as a collaboration with its partners and utilities.

Dich gives an example of this: “one of the specific questions regarding the GDPR has to do with data collection and volume - can utilities keep collecting the same amount they’re used to? We’ve supported them in resolving this issue with the local authorities here in Denmark and in general we work with a lot of utilities on the implementation process, not only in Denmark but in wider Scandinavia and Europe, helping them interpret the law and explaining how we at Kamstrup interpret the law.”

2] More technologies necessitate more precautions

A utility could face significant changes to become fully compliant. This depends on the size of its operation, the breadth of data it handles and the current levels of sophistication it has in its data management.

With many companies transitioning from in-house databases to cloud-based communications, a variety of safeguards need to be employed for every stream of business to and from every consumer, partner and supplier.

The likelihood of finding a ‘one size fits all’ solution to cover every data platform is minimal, meaning utilities must consider tailoring safety measures around each of their various outputs.

“You have to find your own way of documenting your processes to comply with the GDPR,” says Dich, “that’s why it is so important to have a close cooperation with your suppliers. There is a shared responsibility between all stakeholders to ensure compliance and provide the necessary documentation.”

“You can’t look to another company and just adopt their solution - you really have to look closely at your processes,” she continues. “You have to do an internal analysis to ensure you reach a sufficient level of security - that’s an extremely complex, case-by-case task.”

Dich sees this as a potential difficulty for smaller utilities, which may have fewer internal resources to handle their preparation.

One way of reducing the complexity is by outsourcing the hosting and operation of the smart metering system. Compliance does, however, remain a shared responsibility that requires close cooperation between utilities and their suppliers. “A lot of utilities have already taken this step. One of the reasons we take this so very seriously is that we handle thousands of consumers’ personal data on behalf of our utility customers, so we are very much in the same boat.”

Ultimately, the risk does outweigh the cost. “GDPR compliance isn’t just about business risk. As suppliers we have a moral responsibility beyond our own part of the value chain and ultimately it’s about protecting the personal data of each and every one of us,” she says.

3] Raising awareness and transforming mindsets

Awareness seems to be one of the main hurdles, if not the main hurdle, for GDPR compliance in Europe.

In EY’s “The state of cybersecurity resilience”, data collected by the Global Information Security Survey suggests only 12% of respondents had a board member directly responsible for cyber security, and 35% felt a lack of executive awareness and support in their companies.

Even more worrying was the finding that 84% considered careless employee behaviour to be the most likely source of vulnerability to cyberattacks.

Dich reinforces this concern. “It’s not always external threats that cause a breach. You have to look at your internal processes too, and consider how throughout the business a process could lead to a breach.”

Kamstrup’s approach to this was to break down the company processes into different areas and look at how they themselves would need to be compliant.

“Just as different companies need to approach compliance differently, so too do different areas,” explains Dich. “For each of these different areas we went with different implementation plans.”

For a complex company such as Kamstrup in a business area where threats are very high, a lot of preparations had to happen in tandem.

“On a wider company scale, we have strengthened our IT infrastructure and run an internal security campaign. We will continue to address this in other ways, but creating a strong culture around IT security was our starting point,” says Dich.

Ultimately, this became a core approach for Kamstrup’s GDPR compliance, explains Dich. “One of the key learnings from our journey towards GDPR compliance is that if you don’t involve the whole organisation and make IT security a fundamental part of everyone’s mindset, you’re not going to succeed. You can work with state-of-the-art systems and set up rules and regulations but if there’s not a shared understanding of the importance of keeping personal data secure, chances are you will fail.”

For more information and insight into Kamstrup’s road to GDPR compliance and how utilities can meet requirements before it’s too late, register for our Engerati webinar “Impact of GDPR - How to ensure internal processes support compliance” featuring Malene Dich.