How will GDPR affect the energy sector?

Published on 22nd March, 2018

“Ipsa scientia potestas est – Knowledge itself is power”

Sir Francis Bacon, 1597

The renowned English philosopher and statesman quoted above might well have been talking about the General Data Protection Regulation (GDPR) which will come into effect on the 25th May this year. Ownership of information about personal consumer habits and trends has become a valuable business commodity and something of a battleground on which the forces of commerce are pitched against the interests of the common man.

On behalf of the common man, the legal instrument known as GDPR is about to come into force offering protection against the widespread misuse of private data by mass marketing companies – a problem that is growing rapidly due to the proliferation of social media. GDPR will bite on all businesses, including energy companies, and failure to comply with its provisions could entail fines of up to 4% of turnover or 20 million Euros.

GDPR is widely seen as a huge wake-up call for any company which controls or processes large amounts of personal data. This is because, unless they have a statutory or contractual basis for holding personal data, companies are now obliged to ask explicitly for consent to hold it from the person whose data is being held. In addition, everybody will have the right to be “forgotten” by asking companies to remove their data.

Any breach of the regulation will have to be reported to the authorities within 72 hours but, unhelpfully, the definition of what constitutes “personal” data is a grey area – however the direction of travel is towards a definition which is very broad indeed.

Reaction in the corporate sector to the provisions of GDPR seems to vary between those organisations who are only belatedly waking up to its full implications and those who have been taking it very seriously for some time. As May 25th moves closer, the degree of attention is intensifying. Understandably, the requirements of GDPR are raising all sorts of issues concerning the fitness of companies’ current data holding systems and are causing questions to be asked about what data actually needs to be held by companies and under what conditions. For any business engaged in marketing using customer relationship management systems (CRM) the need to adjust to GDPR is a significant challenge, particularly for large organisations who face replacing legacy systems.

Those energy companies such as the “Big 6” that are involved in mass retail activities are particularly hard hit by this challenge, and are in this sense no different from service providers in sectors like telecommunications, insurance and other financial services etc. However, GDPR is not only an issue for large companies – smaller companies like EnDCo are not exempt from the new law and we, like others, have had to review our data protection policies, CRM systems etc to ensure they meet the new requirements.

For the energy sector an area of concern in relation to GDPR that is often mentioned is the development of smart metering and smart grids. The GB market is engaged in a national roll-out of smart meters to retail customers and there is a parallel development of so-called smart grids to deal with the growth of decentralised renewable/small-scale generation. Use of digital technology to extract the potential benefits of smart meters and grids by tapping into individual customers’ energy consumption patterns is an area of exciting potential but one which is fraught with difficulties as to how this personal data can be protected in a post-GDPR environment.

There are other ways electricity suppliers specifically will be affected by GDPR and these are linked to the nature of the electricity system and how it is designed.

Liberalisation of electricity systems in the 1980s and 1990s led to the creation of wholesale markets for power which are cleared, settled and billed in discrete time units each day – in the GB system, the market operates in half hourly intervals yielding 48 wholesale prices each day. Every company buying and selling electricity is linked to this system for clearing and settlement purposes. Vast amounts of data are held by every player and exchanged between parties and the central system many times each day. In GDPR parlance, some companies are defined as being “data controllers” while others are “data processors”. One question to be considered is how the relationship between these various parties and the central systems is structured in terms of who controls and who processes the data. While a lot of settlement data is not obviously “personal” for GDPR purposes (i.e. it cannot be linked to a specific party or customer) the definition of what constitutes personal data is still very broad and has yet to be finalised.

Adjacent to the centralised, data-intensive electricity settlements system is the network of electricity trades – including bilateral over-the-counter deals and exchange-based contracts – all of which require the passing of large volumes of data between counterparties, much of it of a “personal” nature in the sense that it can be tagged to individual commercial parties.

Another feature of how the electricity system works is the so-called “supplier hub”. This is the arrangement whereby the lead supplier at each meter point takes overall responsibility for the operations of other agents such as meter operators, data collectors, data aggregators. At the meter level, it is easier for data to be tagged as “personal” and it is yet to be understood how the liability of suppliers for the potential misuse of data by processors like meter operators reads across to the GDPR environment.

The extent to which aspects of the electricity system as highlighted above could be vulnerable to the kind of abuse targeted by GDPR may be overblown as much of the data is aggregated and encrypted. Nevertheless, the scope of GDPR is so wide ranging and as yet untested, that these concerns cannot easily be dismissed.

As a provider of independent and transparent electricity market access services to consumers and independent producers, EnDCo is committed to the highest standards of data protection and will be fully GDPR-compliant when it comes onto the UK statute books.

For further information, please email me at:

Les Abbie, CEO, EnDCo