On April 14, 2016 the European Parliament voted to adopt a new data protection law for Europe, the General Data Protection Regulation (GDPR). The regulation will come into effect on May 25, 2018.
The purpose of the regulation is to further harmonise national data protection laws across the E.U., strengthen the obligations on those who use personal data and enhance the rights of individuals.
It should be noted that the GDPR's scope does not turn on citizenship: it applies to the personal data of individuals who are in the E.U. when their personal data is collected from them, whatever their nationality. Those protections then follow that data if it is transferred outside of the E.U.
Why it matters
Why is it relevant to Energy and Natural Resources (ENR) companies? By virtue of their global operations, large workforces and complex supply chains, ENR companies hold large quantities of personal data collected from individuals within the E.U. Furthermore, in addition to their workforce employed in the E.U., natural resources companies routinely deploy expatriate staff to fill capability gaps in non-E.U. operations, and many of these expatriates come from E.U. countries, so their personal data remains within the GDPR's reach after they are posted abroad.
Natural resources companies also make extensive use of consultant suppliers across the globe – individuals employed to carry out defined tasks in niche specialist areas, perform time-bound roles on large capital projects or fill temporary staff positions. And a large proportion of these consultant suppliers tend to be in the E.U.
What’s more, within their European operations, many natural resources firms will hold vast amounts of customer data. For instance, fuel retailers will have access to customer refuelling patterns and shopping behaviour through loyalty card programmes, while power suppliers will know customers’ energy usage and bank account details.
Possible next steps
What could natural resources companies do to strengthen their data protection and reduce the risk of GDPR noncompliance? With fines of up to 4% of annual worldwide turnover (or €20 million, whichever is higher) and reputational damage at stake, ENR companies could consider a series of steps to protect themselves from data breaches and from falling short of GDPR requirements. These might include evaluating their current position in relation to the GDPR, mapping what personal data they hold on E.U. individuals and where it flows, and identifying what operational changes it would be prudent to pursue before the regulation takes effect.