Ofwat signs off GDPR Codes changes

Ofwat has agreed to, and will implement on 30 March, two Code change proposals concerned with aligning the non household retail market with data protection legislation, including the General Data Protection Regulation (GDPR) coming into effect on 25 May 2018.

The GDPR introduces a new standard of data protection applying to both data controllers and data processors. It requires a company to demonstrate how it complies with: lawful processing; consent; enhanced privacy notices; accountability and governance; and breach notifications.

CPW029 recommends:

  • A simplified part K of the Wholesale Retail Code removing duplicated references to data protection and requiring that parties to the WRC comply with the provisions for data protection set out in the MAC

  • A new form to give effect to processes related to data subject rights

  • Clarification of the data items in the Data Catalogue (Code Subsidiary Document 0301), and also the bilateral forms in the Operational Terms that may contain market personal data.

CPM007 recommends:

  • Additional definitions in the MAC to reflect drafting changes

  • A re-drafted Section 15 of the MAC setting out key data protection obligations

  • including general compliance, roles and responsibilities, data processor

  • obligations and provisions relating to use of market data.

  • A new Schedule 13 for the MAC containing detailed provisions for data

  • protection, including processes for trading parties and the market operator to address any data subject requests.

Ofwat said its decision has been made “on the basis that approving the proposed changes will assist MOSL and trading parties to fulfil their data protection obligations. However, the provisions of the MAC and the WRC in and of themselves do not guarantee compliance with data protection legislation. Ultimately, each company retains responsibility for ensuring its compliance with the relevant legislation by the relevant implementation date”.

The decision follows extensive work by and consultation with trading parties and MOSL, in particular through its GDPR Committee.