General Protection Regulation Compliance Assistance in Energy and Utilities

Over the past few decades, the energy and utility industries have developed and adopted many new technologies to become more efficient in the production and delivery of energy and in the provision of various utility services to customers. Technology and data are part of the DNA of energy and utility companies today, and these companies have taken steps to properly collect, store, manage and use the data. In our modern world, data privacy and security are real concerns and the EU has taken the most stringent steps thus far in protecting this data.

As you may be aware, the deadline for compliance with the EU General Data Protection Regulation (GDPR) is May 25, 2018. The GDPR is a regulation that requires businesses to protect the personal data they process about EU individuals, including both customers and employees. Failure to comply with the GDPR may trigger steep administrative fines of up to €20 million or 4% of the business’ global annual revenue, whichever is greater. Your business may be required to comply with the GDPR even if it does not have a physical presence in Europe. For example, if your business targets EU customers, then you will likely need to comply with the GDPR. Several key requirements under the GDPR are the following: (a) appointing a Data Protection Officer to oversee your GDPR compliance activities; (b) updating vendor contracts to incorporate GDPR data protection requirements; (c) maintaining a robust information security program; (d) obtaining appropriate consents from EU individuals before processing their data; (e) collecting and retaining the minimum amount of personal data that is necessary; (f) notifying EU regulators of certain data breaches within 72 hours of discovery; (g) allowing EU individuals to exercise their rights to access, modify, delete, transfer or object to the processing of their personal data; and (h) incorporating the GDPR’s principles of “privacy by design” and “privacy by default” into business operations.
 
We are assisting our clients with their GDPR compliance efforts by doing the following:

  • Creating a Data Map for Personal Data. We work with our clients to track the location and processing flows of EU individuals’ personal data, which will allow us to determine which categories of information are within the GDPR’s scope. 
  • Assessing Scope of GDPR Obligations. Your compliance obligations may differ if you are a “data controller” or “data processor” under the GDPR. We assist clients with identifying their statuses and associated obligations.
  • Updating Breach Notification Plan. We help our clients update their breach response plans to include the strict 72-hour notification requirement under the GDPR.
  • Amending Vendor Contracts. We assist our clients in amending relevant vendor contracts to comply with GDPR requirements and negotiating these amendments.
  • Identifying Consent Issues. We work with our clients to identify whether they must meet the GDPR’s stringent requirements for obtaining individuals’ consent before processing certain categories of EU personal data, including sensitive data.
  • Evaluating Processes for Protecting Individuals’ Rights. We evaluate our clients’ ability to comply with GDPR provisions granting EU individuals rights with respect to their personal data and provide recommendations for operationalizing the requirements.
  • Creating an Internal GDPR Policy Manual. We prepare an internal GDPR policy manual for our clients that they can use not only as a foundation for employee training, but also produce to EU regulators to demonstrate compliance. The manual contains policies and procedures that address topics that include consent mechanisms, individuals’ rights, data security, vendor management, receiving and investigating privacy complaints, handling sensitive data, the concepts of “privacy by design” and “privacy by default,” data retention and international transfers of personal data. 
  • Developing Other GDPR Compliance Documentation. We assemble templates for documentation that clients may be required to provide to EU regulators, such as records of processing activities, records of consents received, data protection impact assessments and a data breach log. 

If you would like to discuss how we can help, please contact Melissa Proffitt, chair of the Energy and Utilities Practice Group, at melissa.proffitt@icemiller.com or (317) 236-2470 or John Oberle at john.oberle@icemiller.com or (614) 462-2227.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.