January 27, 2021

Data Protection in 2021: Three Things Utilities Need to Do Now

For many Chief Security Officers (CSOs) at utilities and energy companies, 2021 heralds a slew of new data protection regulations – especially in the US with the California Privacy Rights and Enforcement Act (CPRA) coming into effect. The CPRA makes the stipulations of the California Consumer Privacy Act (CCPA) enacted in early 2020 even more stringent. Several other US states are following suit.

Maine, Nevada, and Nebraska have already implemented similar regulations, while the New York Privacy Act is waiting in the wings – and it is potentially even stricter than the CPRA. Legislation for other states, including Pennsylvania and New Jersey, is under development as they too can see which way the data protection wind is blowing. Many of these new rules use the European Union’s strict General Data Protection Regulation (GDPR) as their model, potentially raising the specter of heavy fines, litigation and reputational damage if there’s a breach or violation.

Yet naturally, updating privacy policies is not the only item on utilities’ to-do lists. For example, many are now beginning to prioritize their plans to migrate their legacy SAP systems to SAP S/4HANA. While SAP has extended the cut-off date for legacy support from 2025 to 2027, utilities understand that S/4HANA migration is more than an upgrade, and planning for success needs to start sooner rather than later.

Here’s a happy surprise: the planning phase of an S/4HANA migration project is actually a golden opportunity to review the data protection policies and measures utilities have in place while ensuring from the outset that the data to be migrated complies with the relevant regulations. So, what should utilities and energy companies focus on now?

1. Automate: Find the “personal data” needle(s) in the SAP haystack

A key trend among utilities is process automation, which is particularly valuable in the context of data protection. Many utility firms find the first step the hardest: pinpointing personal data (about employees and contractors as well as customers, prospects and suppliers) that may go back several years, or even decades, in their SAP ECC/IS-U systems. That’s why step one is knowing what personal data you have in your systems and where it is located. This covers not only the items that immediately come to mind, such as social security numbers, but also other items containing personal information, such as customer service messages. The good news: this step can be automated. One such tool is the Natuvion solution SOPHIA, which drastically reduces manual effort in data protection projects by analyzing and automatically identifying personal data. It is compatible with a utility’s typical systems, including SAP Business Suite, IS-U, Business Warehouse, and Human Capital Management.

2. Simplify: Information lifecycle management

The adoption of an overarching information lifecycle management (ILM) strategy is a key trend among today’s utility firms. SAP ILM is an optional but integral part of the data privacy architecture of an SAP S/4HANA implementation. Those that have already implemented SAP ILM will need to review its data blocking and deletion rules before the migration to SAP S/4HANA. Conversely, companies without it would be well-advised to launch an ILM initiative to simplify the process of data deletion, data volume reduction and privacy compliance prior to migration.

3. Anonymize development and quality systems: Key to compliance with privacy regulations

Blocking personally identifiable information (PII) through anonymization can be accelerated with the Natuvion SOPHIA tool mentioned above, along with complementary tools or services depending on what your utility firm wants or needs to achieve. Anonymization and/or depersonalization should always be implemented in test and quality systems as well as for support, analytics or outsourcing purposes. The original data can still be analyzed using analytics tools, but any PII will be invisible to the user as it is replaced with random numbers or figures. For additional access protection – another key part of privacy regulations – utility enterprises can also implement data masking on top of existing authorization concepts. To facilitate your anonymization initiative, Natuvion provides its Test Data Anonymization (TDA) product and service module that can automate these processes for your utility company.

Data privacy is clearly a hot topic against the backdrop of new US and international legislation as well as in the context of SAP S/4HANA migration plans. Utilities are growing and changing – often due to mergers and acquisitions – and are therefore faced with the challenge of ensuring that their heterogeneous historical and current data is compliant with a plethora of new rules. However, this is entirely achievable with the right tools and expertise.

Utegration teams with Natuvion to provide both. Learn how Utegration and Natuvion can help utilities migrating to SAP S/4HANA achieve value faster.