If you’re anything like me, you’ve been inundated with emails over the last few weeks with privacy policy updates from what seems like every site you’ve ever visited. Of course, this isn’t a random occurrence – it is related to the GDPR becoming effective last week.
I recently received an email from a newsletter subscriber asking if I had any information about the GDPR and compliance by local governments. This newsletter is a more in-depth response to what I replied to her.
DISCLAIMER: I am not an attorney and the information here is not intended to serve as legal advice. If you have legal questions concerning compliance with the GDPR, please consult with your attorney. This also is targeted at utilities outside the European Union, specifically in the United States. If your utility is located within the European Union, this may not apply.
What is the GDPR?
GDPR is an acronym for General Data Protection Regulation. The GDPR was passed by the European Union (EU) on April 14, 2016 with an implementation date of May 25, 2018, after which organizations found to be out of compliance can be fined.
The GDPR deals with safeguarding personally identifiable information (PII) and applies to organizations inside and outside the EU. According to the official GDPR website, it applies to “a company established outside the EU offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU.”
Do we need to worry about the GDPR?
The above cited website goes on to explain that the GDPR does not apply if “your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.” Clearly, utilities target their services at customers who live or own property within their service area, not based on where the customer resides.
This article from Government Technology clarifies the issue even better, explaining that, even if your utility has customers who reside in the EU, information you collect for online bill pay or applying for service, for example, would not be subject to the GDPR.
Still responsible for PII of your customers
Of course, this doesn’t mean you have no responsibility for safeguarding personal information of your customers, only that, if my interpretation is correct, you aren’t subject to fines for violating the GDPR.