Revealed: Mining, Energy & Water industries are the worst for GDPR compliance

Mining, Energy and Water industries are the most at risk of failing GDPR compliance over any other sector, according to research from business intelligence consultancy Catalyst BI.

This means that these industries are more likely to be fined £17.5 million for serious breaches of GDPR principles. 

The study was inspired by recent figures from Statista which revealed that 55% of businesses in the UK found it challenging to adapt to new GDPR requirements.

Catalyst BI analysed UK Business Data Survey results to determine the percentage of industries with the poorest understanding of GDPR compliance:

1. Mining, Energy, Water: 46.3%
2. Professional, Scientific, Technical: 42.8%
3. Administrative and Support Service: 42.5%
4. Information and Communication: 42.4%
5. Human, Health and Social Work: 39.2%

Becky Stables, data management expert at Catalyst BI has shared why the mining, energy and water companies are struggling with compliance, and has provided essential stops for following GDPR:

“The mining, energy, and water industries face unique challenges in complying with GDPR due to the nature of their operations and the data they handle. These industries generate vast amounts of data, often from sensors, meters, and operational systems. Processing and organising this data to comply with GDPR’s data minimisation and storage limitation principles is complex.

“Under GDPR, organisations must report data breaches within 72 hours of awareness, necessitating efficient detection, management, and reporting systems. This is particularly challenging for the mining, energy, and water industries due to their large and complex operations. Additionally, GDPR mandates detailed documentation to demonstrate compliance, requiring significant process changes and extensive documentation efforts, especially for large organisations with over 250 employees in the mining, water and energy sectors.

“However, there are key ubiquitous steps these industries can take to comply with GDPR.”

1. Involve stakeholders: “GDPR is intensive and requires a task force made up of stakeholders including marketing, finance, sales, operations and other departments that handle customers’ personal information. With a diverse team, relevant information can be shared effectively and efficiently, making it easier for your organisation to implement any necessary technical and procedural changes to ensure you are following GDPR.”
2. Hire a DPO: “Data protection officers (DPO) are responsible for defining how personal data is processed and ensuring that external contractors comply with GDPR. Depending on how large your organisation is, this role may not need to be full-time. For example, a virtual DPO might suffice for a business with less than 250 employees.”
3. Conduct regular risk assessments: “A Data Protection Impact Assessment (DPIA) is a risk assessment to identify and mitigate data protection risks associated with a new project. It is mandatory to conduct a DPIA for personal data processing that could pose a significant risk to individuals, including certain specified types of processing.”
4. Implement measures to mitigate risks: “Once a risk to GDPR has been identified, you must implement measures to mitigate it. For many companies, this will involve revising existing risk mitigation strategies. Completing the RoPA allows your GDPR team to identify and investigate data risks and determine the necessary security levels to protect this data.”
5. Document GDPR compliance: “Article 30 of GDPR requires that organisations with more than 250 members must demonstrate progress in completing the Record of Processing Activities. Establishing the RoPA is essential, as it identifies  This includes the types of data being processed, the groups of individuals whose data is involved, the reasons for processing the data, and the recipients of the data. This helps mitigate any risks of not complying with GDPR that could lead to fines.”
6. Restrict non-GDPR apps from work phones: “An increasing number of employees are accessing customer, partner and co-workers’ data using mobile phones. As many employees can install personal apps on their work phones, these apps can access and store your personal data. This introduces unique risks for GDPR non-compliance. Social media apps like Facebook must access your personal information in a GDPR-compliant manner, which can be challenging to control, especially for apps that aren’t authorised to be used on your work phone.”
7. Focus on how GDPR can help your business: “Meeting GDPR standards is a great competitive advantage for your organisation as this will improve customer trust and mean you are less likely to lose revenue to pay a non-compliance fee. Additionally, the technical and procedural upgrades required for GDPR compliance will likely lead to more efficient data management and security within organisations.”