The right to privacy is a fundamental right, a right that gives people control over their personal information. Many companies and organisations process personal data as part of their operations. Society must then be able to trust that these entities will handle their personal data with care. Alliander, too, processes personal data. If adequate measures to protect privacy are not in place, this can adversely affect the privacy of our customers, and could damage our image as well. The General Data Protection Regulation (GDPR), which was implemented in 2018, requires companies and organisations to take appropriate measures to protect personal data, such as taking technical security measures to ensure that unauthorised persons cannot gain access to personal data held in IT systems. Furthermore, organisational measures need to be taken as well, like drawing up guidelines for accessing and processing personal data.
In 2018 we appointed a Data Protection Officer (DPO) for data held by Liander; in 2019 the DPO was appointed to oversee the protection of all Alliander data. Together with other network operators, we are also working on updating the code of conduct for handling energy data from smart meters. We are also working together on the responsible use of the energy data of our customers. Customers can go to our websites to exercise their data subject rights, such as the right of access, right to erasure, and right to restriction of processing.
In 2019 we received and investigated 37 complaints from customers about breaches of their privacy; we received an additional 3 complaints from the Dutch Data Protection Authority (DPA). After investigation and further action, it was determined that four cases concerned data breaches subject to the obligation to notify the DPA pursuant to the GDPR and the Dutch law implementing the GDPR. Of these breaches, network operator Liander also reported one breach to the customers concerned. Three of the four data breaches reported to the DPA were situations where the network operators had joint responsibility, given that the breaches concerned centralised processing.
If vital infrastructure, such as power grids, were to fail, this could result in serious, widespread disruption in society. We therefore do all we can to prevent this from happening. Cybersecurity includes all measures (on the fronts of technology, people, and the organisation) to prevent, detect, and limit losses and damage caused by cybercrime. For example, we use professional, modern security systems. In addition, our employees play a key role in ensuring our IT systems are safe at all times, for example by constantly monitoring and analysing cyber risks to determine how these could impact Alliander. They determine how we may be affected by a cyberattack, and the action we need to take. We have modern defences, which means that, besides setting up firewalls to avoid being hacked, we are also able to detect hackers who have penetrated our office and process infrastructure and take appropriate action. In addition, in recent years we have paid attention to ensuring our office automation is sufficiently separate from our process automation. Alliander has hundreds of employees who use IT systems and data not directly related to the transmission of electricity and gas. The information security management system implemented by our IT department gives us even better insight into the security risks at the various business units.
A trend we noticed last year was the increase in incidents of ‘CEO phishing’, a form of fraud where employees receive an email that appears to have been sent by the CEO of the company, asking, for example, for money to be transferred. All employees must be aware of this threat and stay alert at all times; the company intensified its efforts to raise awareness in this regard.