On April 14, 2016 the European Parliament voted to adopt a new data protection law for Europe, the General Data Protection Regulation (GDPR). The regulation will come into effect on May 25, 2018.
The purpose of the regulation is to further harmonise national data protection laws across the E.U., strengthen the obligations on those who use personal data and enhance the rights of individuals.
Why it matters
Why is it relevant to Energy and Natural Resources (ENR) companies? Well, by virtue of their global operations, large workforces and complex supply chains, ENR companies have access to large quantities of E.U. citizens’ personal data. Furthermore, in addition to their workforce employed in the E.U., natural resources companies routinely deploy expatriate staff to fill capability gaps in non-E.U. operations. Many of these expatriates are citizens of E.U. countries.
Natural resources companies also make extensive use of consultant suppliers across the globe – individuals employed to carry out defined tasks in niche specialist areas, perform time-bound roles on large capital projects or fill temporary staff positions. And a large proportion of these consultant suppliers tend to be E.U. citizens.
What’s more, within their European operations, many natural resources firms will hold vast amounts of customer data. For instance, fuel retailers will have access to customer refuelling patterns and shopping behaviour through loyalty card programmes, while power suppliers will know customers’ energy usage and bank account details.
Possible next steps
What could natural resources companies do to strengthen their data protection and reduce the risk of GDPR noncompliance? With fines of up to 2% – 4% of turnover and reputational damage at stake, ENR companies could consider a series of steps to protect themselves from data breaches and the risk of falling short of GDPR requirements, including the appointment of a Data Protection Officer.