Johan Rambi, Corporate Privacy & Security Advisor · Reliable, committed and connected · Alliander experience DPIA template test phase

Alliander experience DPIA template test phase · 2015-03-19

9 March 2015

Johan Rambi, Corporate Privacy & Security Advisor

Reliable, committed and connected

Alliander experience DPIA template test phase

Agenda

Introduction 1

Real case example 2

Observations 3

Next steps 4

Introduction

Alliander is a Distribution System Operator

Electricity distribution

• Customers: 3,4 million

• Grid: 94.700 km

• Stations (sub, distribution): 48.000

Gas distribution

• Customers: 2,6 million

• Grid: 36.900 km

• Stations (sub, distribution): 1.500

Company

€ 12 Billion asset value

€ 1.7 Billion revenues

€ 288 Million profit after tax

€ 570 Million Investment / Annum

6.850 FTE

KPI, Performance

19 SVBM (outage time in minutes per end user)

Development of “the intelligent grid”

Real case example

• Use case selected from M/441 Smart Meter Coordination Group (SMCG)

• BI.01 Obtain meter reading on demand

• Workshop with Smart Meter department

• Steps from DPIA template

  • Step 1 - Pre-assessment and criteria determining the need to conduct a DPIA

  • Step 2 - Initiation

  • Step 3 - Identification, characterisation and description of Smart Grid systems/applications processing personal data, including data flows

  • Step 4 - Identification of relevant risks

  • Step 5 - Data protection risk assessment

  • Step 6 - Identification and Recommendation of controls and residual risks

  • Step 7 - Documentation and drafting of the DPIA Report

  • Step 8 - Reviewing and maintenance

Real case example

• Design of a DPIA tool according to the current DPIA template

Observations

Step 3. Assets, organisations and individuals are considered as the same actors

It is unclear how to use the list of questions in heading 3.3.6 in the template or table

Table in 3.3.5 is unclear. What input should be given in what perspective?

Step 4 - Identification of relevant risks: Who will judge the answers and determine if these threats are relevant?

Next steps

Direction of Automation and Telecontrol

DPIA test phase – Initial Input

Alliander and EDP Distribuição proposal for initial input

o To have a joint effort for the first assessment:

• Gather specialized team of DPIA Beta Testers (DPIAβT) to facilitate the DPIA template application at Alliander and EDP Distribuição;

• The DPIAβT shall consist of DPIA knowledgeable people, preferably from different stakeholders: DSOs, Data Protection Authority, consumer organisations, European Commission, others.

o Organization of a 2-day working session per company (Lisbon and Arnhem) in April/May where:

• Each company should gather experienced personnel who should contribute all their knowledge and understanding of the selected use case to the DPIA template application.

• The DPIAβT will have a neutral role in the process and shall only participate as a facilitator in the DPIA template application. Additionally, it should collect as much feedback as possible about the DPIA template and its applicability.

• DPIA application on 1 or 2 of the 10 minimum functional requirements (per company);

- UC1: Provide readings directly to the customer and any third party designated by the consumer

- UC9: Fraud prevention and detection

- …

o Output: Publication of experiences and possible recommendation for improvements

• The DPIAβT report will provide a consensual and coherent assessment of the application of the DPIA template at both Alliander and EDP Distribuição.

Why do we need a good & applicable DPIA?

“The only way to prevent these kinds of disasters is to implement privacy and cybersecurity measures alongside our efforts to improve and interconnect the smart energy grid.

Steep learning curves and adoption rates will be necessary, but this can only be achieved by international collaboration among trusted parties. We must work together.”

Peter Molengraaf, CEO Alliander

Johan Rambi : Corporate Privacy & Security advisor

Department : Governance Risk and Compliance

Telephone : +316 11879945

International collaboration is crucial!!

Many thanks for your attention!!