Are you GDPR ready

Beyond GDPR compliance: Responding to the data proliferation challenge

The General Data Protection Regulation is here. What are the stumbling blocks to compliance and what are the opportunities for data innovation?
Published: Tue 13 Mar 2018

The countdown is on for Europe’s energy sector to align with the General Data Protection Regulation (GDPR), with compliance required from 25 May 2018.

The impact of what is intended as a common new standard for the protection of European Union consumers’ data across the region is significant.

In the decentralised, service-driven environment that the sector is becoming, with the potential to share common data across multiple parties this could even present barriers that hinder its development.

“It’s undoubtedly a burden on entities in the sector and adds complexity,” says Ferry Cserép, CEO of Dutch smart energy platform provider Netinium.

“It impacts across the enterprise – on business processes, technologies and systems. And when all data becomes real time and with the proliferation of distributed energy resources and electric vehicles, GDPR-compliance increases in complexity.”

GDPR readiness

Engerati’s polling of the sector indicates a mixed bag of readiness, from some companies that have the systems in place to others that are still in the early stages, despite the threat of substantial penalties - as much as 4% of annual global turnover for internationals or €20m for breaches.

Through the Dutch privacy overhaul, Cserép has experienced first-hand the challenges such requirements can bring in terms of programme delays – in this case, the smart metering rollout – and added costs to utilities. In the case of GDPR, he says there are many grey areas that still need to be resolved.

“Considerations involving smart meters are the communication means used and the way data is collected. For instance, unsolicited data collection is not in line with the GDPR, possibly preventing the use of PLC-based systems that rely on data concentrators to automatically collect billing data from all attached smart meters.”

Another pertinent point from the Dutch perspective is the polling or collection of data by the distribution system operator (DSO) for meter or network management in cases where consumers have effectively disallowed remote communication with their smart meter by withholding consent for data use for billing.

Another is the ‘exceptions’ such as the use of inherited data by a company taking the place of a provider that, for example, has gone bankrupt.

Such questions will inevitably require legal resolution and potentially test cases to establish the privacy sensitivity and data opt-in requirement. In the meantime, nevertheless there are opportunities to be gained from the GDPR.

Legacy data management systems

With legacy metering infrastructure and data systems still prevalent in the region, the GDPR should serve as a spur to comprehensively reviewing and upgrading these.

For companies that are installing smart meters, the 2020 deadline for an 80% rollout is fast approaching. With the ever-increasing volumes of data from smart meters and the move towards a prosumer-based energy system, data management systems need to be upgraded to keep pace and to maximise the value of that data.

“The GDPR requires careful consideration to all the different data streams in the IT stack all the way up to the end user, whoever that end user may be or the purpose for collecting that data.

“To be clear, this is not only about billing data or interval data but also power quality data collected by DSO’s for analytics and data related to managing the device,” comments Cserép.

The need to process different data at different times and at different intervals creates operational and capital expense, which is why Cserép is a strong advocate of a two-tier smart meter infrastructure to control costs and allow scalability.

GDPR and energy data security

Cybersecurity also needs to be constantly updated to keep abreast of emerging threats.

A recent survey across a range of industries and organisations including the energy sector by insurance broking and risk management company Marsh, found a strong correlation between GDPR readiness and cybersecurity management.

According to Marsh, “Preparation alone is focusing executive attention on broader data protection and privacy issues and prompting related investments.”

In the survey, and indicative of an opportunity the GDPR is offering, over three-quarters of the respondents with a higher level of GDPR readiness reported an increase in cybersecurity management spending, including on cyber insurance.

Post-GDPR - data innovation opportunities

Looking beyond compliance, Cserép is optimistic about what can be done with distribution data to build new business services.

Cserép will share his expertise on how to optimise data collection and analytics - from improving interoperability to lowering the latency of data to become truly data driven - in a webinar - How can distribution utilities innovate? It’s all about data.

By using a platform to process different data sets in different time frames to different endpoints, DSOs can enable automated services and generate fixed schedules with on-demand data sets, says Cserép.

But this relies on ensuring data is compliant and secure. And arguably the biggest opportunity offered for energy sector players by the GDPR, rooted as it is in trust, is for them to build stronger relationships with consumers.

A ‘holistic’ decentralised smart grid will require many players accessing common data streams for provision of connected services. For example, in the home this could include not only the DSO and the retailer but also smart home, PV, storage and/or charging providers.

“Ultimately, it’s all about trust,” says Cserép. “Consumers need to trust that the data that is collected is used for the purpose it is stated for.”