The GDPR: An opportunity, not just a tick in a box
The EU’s new data protection legal framework, the General Data Protection Regulation (GDPR), starts in May 2018. Dan Mosca, GDPR and energy cyber security expert at PA Consulting Group, discusses in Inside Oil & Gas magazine how oil and gas companies affected by the GDPR can get ahead of the curve.
Managing, processing and storing data securely and effectively is becoming an increasingly challenging task for the oil and gas sector. Advances in technology mean there is simply more data available and it’s more critical than ever to the running of the business. The need for greater connectivity across complex business supply chains creates further risks to manage, and this is made more difficult by frequent data breaches and cyber-attacks.
Now, added to this mix is the General Data Protection Regulation (GDPR) that comes into force in May 2018. It will bring with it a range of new requirements on those who control and process personal and sensitive data. There has tended to be an assumption that this is a more pressing issue for businesses with large numbers of individual customers, but the reality is that all companies will have data that will be covered by the GDPR. From personnel records to supplier databases, oil and gas companies will hold data that is subject to the new requirements.
Another change brought about by the GDPR is that liability is now extended not only to the data controller but also to the data processor, which means companies need to understand the full extent of their responsibilities. This is clearly going to be a high-profile focus for government, which confirmed earlier in the year that it will largely follow the GDPR when the UK leaves the EU. The UK Government has confirmed that it will put in place legislation under which UK organisations will face a fine of £17 million (or a fine of 4% of global turnover, if greater) if they fail to protect against personal data breaches.
Scientific research: clarification needed
One area where the UK will derogate, and which may have an impact on the oil and gas sector, is the exemption for scientific research, gathering statistics or performing archiving functions in the public interest. This still requires further clarification, and it may mean that where the exemption cannot be satisfied, companies will need to protect personal data with measures such as pseudonymisation and encryption. They will also need to set out and enforce clear policies on privacy protection in their HR systems and ensure that data is accessed only by those who need it.
While this can appear daunting, there is help available in the tools and guidance recommended by the Information Commissioner’s Office (ICO). One of the most important of these is the advice on carrying out data protection impact assessments. These evaluate the privacy risk of the personal data a company holds by looking at how the information is obtained, stored and used. The company can then develop safeguards and mechanisms to mitigate the risks identified.
Any approach needs to recognise that the demands made on companies are going to be more stringent, with a new 72-hour time limit on notifying the regulator of a data breach. That means they will need the right people, processes and technology to detect, respond to, investigate and report a breach quickly.
To help them do this, companies should start a data mapping exercise now to assess the types of data they hold and use (including across their supply chain, for which they will be equally liable under the GDPR). This will help them prioritise the activities needed before the GDPR comes into force. Companies should recognise that this can be time-consuming and challenging, especially for larger operators, and that it will not be enough to rely on current data management and cyber security practices. It will also be important to make key stakeholders and staff aware of, and appreciate, how the change in law will directly affect their day-to-day activities, especially those in customer-facing roles.
However, the GDPR should not be seen merely as a burden to manage, but as an opportunity to review and reinforce companies’ cyber resilience. With 46% of British businesses experiencing at least one data breach or cyber-attack in the past year, a figure that rises to two-thirds among medium and large companies, this is a pressing issue. Getting data protection and cyber security right will not only bring real business benefits but also reduce the risk of a breach.
The stakes are high. Companies found to be in breach of the regulations could face not only fines and litigation, but also a serious impact on their reputation and their ability to trade within and outside the UK. The ICO has made it clear that it will expect companies to have started work well ahead of the 25 May 2018 deadline, and that those which have put the necessary safeguards in place will be looked upon favourably if they do experience a data breach. The oil and gas sector needs to start preparing for the GDPR now.