Does Niccolo Sell My Information To Brokers?

In the new technological age, the amount of personal information stored by businesses is staggering.

Because of this, there are incredibly strict rules on how to ensure this precious information remains protected.

But when these rules get broken, what happens – and what does it mean for you, as a customer?

There have been several high-profile cases in recent memory in the energy industry, thrusting the industry as a whole into the spotlight (and not for the right reasons).

In this article, we will explore what happened in these cases, and the energy suppliers that are breaking the mould when it comes to data protection standards.

SSE Data Breaches – The Small

Data protection takes into account all data security breaches, from little to large.

On 12 June 2017, SSE Energy Supply Ltd sent an email to one of their customers containing another customer’s personal information. The original sender of the email noticed he had used the wrong email address, and reported the breach that day.

SSE has full policies and procedures in place for this sort of data breach. The accepted procedure is to report the breach to the data protection assurance team and subsequently the commissioner within 24 hours of the event. In this case, this did not happen.

It was not reported to the commissioner until two days later, on the 14th of June.

Following this, SSE began to take remedial action to prevent a recurrence of the breach. For those responsible for the breach, this meant feedback and training, together with the use of daily calendar reminders by those responsible for breach reporting. SSE also began to double their resources in this activity and began to implement an electronic case management system with ‘prompt’ functionality to improve the efficiency of breach reporting.

The commissioner decided that there had been a personal data breach within the definition set out by regulation 2 of PECR. Further to this, she also decided SSE had contravened regulation 5a of PECR by failing to notify the commissioner of the personal data breach.

The commissioner served SSE with a notice of intent dated the 9th of November 2017, and then went on to consider imposing a monetary penalty.

The underlying objective of enforcing a monetary penalty in this scenario is to promote compliance with PECR. The whole point of notifying the commissioner is to provide an opportunity for assessing whether a service provider is complying with its obligations under PECR. This includes an assessment on whether they are taking the appropriate technical and organisational measures to safeguard the security of their service and the duty to notify customers of any breaches that adversely affect their privacy.

The commissioner decided that in this case a monetary penalty would act as a general encouragement towards compliance with the requirements, or at least as a deterrent against non-compliance, for the entire industry.

As such, a monetary fine of £1000 was imposed against SSE to be paid before the 20th of February 2018.

Npower Data Breaches – The Serious

The previous example was used to show how seriously this issue is taken – with strict penalties for any small indiscretions.

But data security breaches occur at a much greater scale than one solitary email at a time. As we will learn, customers can have their personal information leaked in the thousands.

Npower was left embarrassed after discovering that 5,000 customers’ personal details had been published and shared in postal letters. This information included full names, addresses, and payment information.

This event occurred in 2018, but still serves as a stark reminder of how badly things can go wrong.

The letters, sent out in their thousands, were meant to be quarterly statements for customers with solar panels on their roofs, detailing how much money they could receive under the ‘feed-in tariff’ scheme.

One customer involved in the data breach described it as follows:

‘When I opened it the front page was addressed to me but overleaf were personal details of another customer. And there were another two sheets of A4 with the details of three others… They should have gone to people living in Gloucestershire, Sheffield, Oxford and Bedford.’ – Dr Tom Harris

The scale of the mistake became clear soon after he contacted Npower: he said they did not seem ‘unduly surprised’ and were already aware of other customers in the same position.

Leaks of this nature always raise the worry that they can make those affected more vulnerable to identity fraud.

The ICO got involved and reminded Npower of some new amendments:

‘Under new laws, organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.’

As we saw in the previous example, there is no messing about when it comes to the handing out of fines. Npower could potentially have been fined up to 4% of their global annual revenue under the EU’s General Data Protection Regulation (GDPR).

6 Things to Consider – Suppliers

For energy suppliers, it may seem a little unclear where data leaks can originate. This is why we have included this handy list of some of the sources of consumer data that should be protected accordingly.

  1. Smart Grid: Smart meters give suppliers insight into customers’ personal routines. Compared with traditional post-consumption metering, this greatly increases the amount of energy data that must be managed under GDPR.
  2. Metering and Billing: Customer information can be shared across a range of actors: Distribution System Operators, Energy Generators, Energy Market Suppliers, Metering Operators and Energy Service Companies. Even if only one of them has a breach, all will be liable under GDPR.
  3. Prosumer Micro Generation: Consumers must give consent as to whether responsible parties may access their data. It may be necessary for the prosumer to control both the kind and the amount of data shared with those parties.
  4. Electric Vehicles: It may be possible to derive the location of an EV over time. This could become personal data, as it may reveal the location of the paired driver.
  5. Energy Research: Energy research activities involving consumer personal data have been subject to GDPR since 2018. Access to data sets may need to be restricted, and the right to be forgotten may be invoked by customers.
  6. Energy Grant Schemes: All actors handling personal consumer data will need to demonstrate compliance with GDPR requirements in relation to the use of shared customer information.

The Supplier Who Takes GDPR Seriously

Unlike some suppliers, Niccolo Gas is committed to the absolute highest standards of customer data protection.

Niccolo Gas does not share any of your information with marketing companies, nor does it sell it to them. We only share information with the companies we need to in order to provide gas contracts (this includes metering companies). When this happens, we make sure that it is conducted safely and with the highest attention to detail.

We are fully transparent with all of our customers, believing in a better, fairer UK energy industry. Your safety and privacy are our priority.

If you would like to get in contact with us, we can be reached during all UK office hours on 0131 610 8868. Alternatively, you can enquire via webform or send an email to info@niccolo.co.uk.

We look forward to hearing from you!
