GDPR is the new General Data Protection Regulation from the European Union (EU), which comes into effect in May 2018. Its intention is to strengthen and unify data protection in an increasingly digitalized world for all individuals within the EU. Personal information is defined as information relating to an ‘identifiable natural person’, whether it relates to private or professional life. For example, as part of counterparty contact information, John Doe, Trader at Energy Corporation would be an identifiable person. Moreover, MiFID II reporting now includes natural person data as well. GDPR will require companies to adopt much stricter processes in dealing with customer data. How to comply with new data management practices: an integrated C/ETRM system!
Businesses have a little over 5 months left to prepare for the GDPR, which supersedes the data protection regulation from 1995. It requires many companies to adopt much stricter processes in dealing with customer data. Non-compliance is not an option given the significant punitive damages associated with this regulation.
Companies in commodity/energy trading may collect personal data, from email addresses of business contacts and counterparties to information about their own employees. Every business transaction involves interaction with individuals working for corporate counterparties.
Whereas GDPR provides a single data protection framework, meeting the data protection obligations will require a single integrated system. Companies will need to understand what has been stored, who is in the front, middle and back office, and who needs to access what. They will also need to maintain a workflow that includes the set of data privileges and access permissions, as well as a strong audit trail to track any changes.
That means breaking up data silos, departing from Excel spreadsheets and deploying an integrated solution that allows data to be captured, accessed and reported accurately throughout the trade lifecycle. This can be achieved by implementing a front-to-back C/ETRM system solution, which provides a single ‘version of the truth’.
A modern C/ETRM system allows controlled access to the system by utilizing an action-based security model. Roles are defined to correspond to the business functions within the enterprise, appropriate access rights are assigned to these roles, and then each user is assigned one or more roles according to the jobs they perform for the organization. In addition, the system logs user activity, including system access, and each data module keeps track of who changed the data. This includes access by System Administrators, as each logon and activity is recorded.
Beyond data protection and security, the C/ETRM system also gives you insight into what you have captured as it relates to personal data. For example, counterparty data management allows the capture of all the required details of the companies and contacts you are trading with, or have traded with, and counterparties and contacts can be active or inactive in the system. In the process, knowing which contracts and products from which counterparties are active, and which buyers have approved them, becomes an easy task as well.
Since we are talking about compliance, GDPR meets MiFID II, as particular parts of the Markets in Financial Instruments Directive (MiFID II) relate to personal data as well. MiFID II requires companies to store information for 5 years. Under GDPR you should only store data for the necessary amount of time required, and after the necessary period of retention you must securely delete the data. To be compliant with both, companies can confidentially store data and only provide access permission to selected users. Their privileges can further be restricted so that they cannot change or delete this data. While this can be done in the C/ETRM system, in most cases older data will have been archived outside of the C/ETRM system.
GDPR may offer companies an opportunity to improve their systems and operations, including counterparty data management. Successful market participants rely on a modern and integrated C/ETRM solution to manage the complex business processes efficiently and cost-effectively. Only this way can they closely manage their main challenges of increasing complexity and workload, contain operating cost and meet regulatory requirements.