GDPR in an Internet of Energy Business
The GDPR compliance deadline of 25 May 2018 is rapidly approaching after a two-year introductory period. Its wide-ranging reforms to data legislation see geo finalising changes and upgrades to the data services products that we offer, accompanied by the changes to processes and working practices needed to ensure that our data processing activities continue uninterrupted: continuously collecting and analysing the data that we get from energy measurement devices and home management systems for our consumer and energy industry customers.
Getting geo’s internetworked energy management systems ready for GDPR has been an interesting, challenging and educational journey. We decided early on that rather than treating the GDPR as yet another hurdle to our data management and products business, we would use it as a framework to guide the progressive restructuring and improvement of our data service systems and data collection products, supporting improvements to system efficiency, flexibility and security along the way.
geo was never a participant in the wild-west ‘collect and store everything – you might find a use for it one day’ approach to data collection and control; recent revelations indicate that there were plenty of other participants. The GDPR framework helps prevent this happening. Data collection and processing requirements change, and now all that is needed to support a new requirement is an appropriate legal basis for processing (typically consents for geo products). geo has created a set of GDPR-aligned data service products that facilitate easy management and confirmation of our various obligations when processing data. As an example, we can add new data element collection and processing activities at any time and they will only operate once the necessary consent is obtained and registered. Conversely, this processing will be prevented if the data subject withdraws consent.
The GDPR framework supports clarity in the design of products at an early stage. Ensuring that data subjects’ rights can be readily accommodated, ensuring that the basis for processing is always ‘clear, documented and demonstrable’, and enforcing a thorough and defensible ‘secure-by-design’ product philosophy (one that starts with data collection devices and carries all the way through to data storage, retrieval, display and management) has resulted in data products that efficiently do what is required of them right now and which can be readily enhanced to accommodate any new product requirements.
The world is expecting to have billions of IoT devices active in the future – does this make GDPR more relevant and necessary? Yes!