Your Data and GDPR: All You Need to Know
The General Data Protection Regulation (GDPR) is the most comprehensive regulation from the European Union to protect the privacy of EU citizens and residents to date. It kicks in on May 25th this year. Read this article for a quick overview: GDPR in a Nutshell.
We think this is a good opportunity to give you, our customers, an overview of what this means to you as a customer of Igloo Energy Supply Limited. This is an informal overview, provided to give you an open and honest understanding and peace of mind of how and why we use your personal data. This is written within the context of GDPR requirements, so you can also see how we are applying these new rules.
What is Data Processing?
This is the term given to the storage or use of data. If you're simply storing it, you're processing it. We store (process) your data, but we also use it to contact you, to create your statements or to take payments: the activities you would expect us to perform as your trusted energy supplier.
What personal data do we hold, and where?
The information we hold is only what is required to perform our role as an energy supplier. We also collect smart cookie data from your use of the Igloo app and the Igloo website. You are informed of this as a new user. If we ever capture information that extends beyond this specific remit, we will always request your permission beforehand.
Your personal contact details
The information you provided to us at registration forms the basis of the contact details we have for you. This includes your name, address, telephone and email details. This is held in our central customer database and, where necessary, also in our Billing system (so we can generate your statements) and our Customer Relationship Management system (so we can notify you of customer events and validate that you are who you say you are when you contact us: the DPA check). This information may occasionally be processed within our office tools, such as our email system.
We do not hold any data revealing your personal beliefs, political opinions, ethnic origin etc.; this is not required for the operation of an energy company.
Your payment details
Your bank details (not card details) are also maintained in order for us to process your monthly Direct Debit. These are held in our central database, and by our payment provider. Where one-off unscheduled card payments are made, these additional payment details will be stored exclusively within our third party card payment tool. We will not have any record of these.
More information about you
We collect and process data relating to your energy consumption. This is used to help both us, as your supplier, and the industry (National Grid etc) to forecast your future energy consumption, so we can buy the right amount of gas and electricity, but also help the industry balance the Grid.
Specific uses of personal data
As the frequency of this consumption data increases with the roll-out of smart meters, we will use it for more accurate consumption forecasting and customer insight. This data will be stored in our central database, and monthly reads will also be processed within our billing system.
In order to improve the services we offer that you can opt into (for example, offering more competitive tariffs through optimal forecasting of energy), we will ask you to provide us with more information about you and your home.
The collection of smart cookie data within our app is an opt-in selection that captures information that can be used to monitor your device behaviour. This includes your OS version, installed apps, app usage and location data. This is held by Igloo or on behalf of Igloo by a contracted third party.
We won’t share your personal information
We will only share your data with contracted agents working on our behalf. For example, like most energy companies, we have not built our own billing platform, so we have contracted a third party's software, and as a result your data will be loaded into this system in order to process your bills. These agents, or Data Processors, are governed by the same GDPR rules we are, and have been assessed for their policies and procedural alignment with the Data Protection Act and GDPR.
We will never give your personal data to other third parties, so you know that any unsolicited phone calls or emails will not be a result of us having given your data to another organisation. If you have signed up to Igloo through a third party, it will be necessary to share information between them and us in order to register your supply and for us to pay for this service.
On occasion we are required by an industry regulator to provide information for reporting purposes.
Use of anonymised data in research
We work with academic institutions in a research and development capacity, advancing our technology and capability to improve the services we offer you. Large parts of this research are driven by the analysis of energy consumption data. In order to use this data, it is anonymised so that it can't be linked to a person or individual.
Which countries is personal data stored in or accessible from? Where is it hosted?
We have very robust security restrictions to ensure the data we hold is only accessible from specific systems and locations. The data itself is hosted on platforms based in the European Economic Area, all of which are governed under the same GDPR safeguards. Bug tracking in the mobile app is processed outside of the EEA. You are made aware of this and have the option to opt in on a case-by-case basis.
How long do we store your data?
We will maintain your data whilst you are a customer of ours, and we will continue to hold your details for a period of 5 years thereafter, on the basis that you may return to us and we can pick up from where we left off. We may hold data for longer than this where we are required to by law or other regulation; for example, we will hold your details relating to financial transactions that may have been completed.
Are we collecting personal data about you from any source other than you?
The industry regulators and participants hold data relating to household meter points. This extends to consumption history, estimated future consumption, meter details and address details. As your supplier, we need this information for the basic processing of our Ofgem obligations for energy supply. Furthermore, we may access public domain information that provides contextual information about you, for example the EPC rating of your home.
Has data been disclosed inadvertently or as a result of a privacy breach?
What mitigating actions have been taken to reduce the risk of a data breach?
Our policy of ‘Privacy by Design’ means that:
- Data is only accessible through minimal, trusted and authenticated channels
- All contracted third parties are accountable to the same rules we are
- Energy consumption data shared for research purposes is anonymised and can’t be linked to an individual
- There is regular staff training to mitigate the danger of phishing attacks
- We apply the latest security software to protect our systems from cyber threats
What policies and standards do we follow to safeguard personal data?
We apply the rules dictated by the Data Protection Act 1998. We follow the guidelines set out in ISO 27001 and now apply GDPR best practices.
Is data backed up and where is it stored?
We perform a schedule of database backups and server backups. These are held by our contracted hosting provider and are held for a rolling two weeks. We apply the same security to these encrypted backups as we do to our live data.
What precautions do we have in place to ensure individuals within our organisation do not deliberately or inadvertently disclose personal data outside the company?
We operate ‘Privacy by Default’. This means that access to our databases is only granted for system maintenance and updates. Access is controlled through the Change Management process which requires senior management approval. This means only qualified engineers will have access within specific change windows in order to perform pre-defined activity. This activity is closely scrutinised. Engineers have full reference checks before their employment.
Have we had any circumstances in which employees or contractors have been dismissed and/or charged under criminal law for accessing your personal data inappropriately?
What training and awareness measures do we have in order to ensure that employees and contractors are accessing and processing personal data in conformity with GDPR?
We have an employee induction training programme that covers the content of our Information Security Policy, highlighting the key practical impact on our employees in their job role and also as members of the company as a whole. This is also conducted if an employee changes role. We then have a number of controls in place that review adherence to company and department security processes and procedures.