GDPR and Energy Brokers — What Business Owners Need to Know
UK GDPR and the Data Protection Act 2018 still govern how brokers, suppliers, and tech vendors handle personal data during quotes, switches, and account care. Energy touches sensitive operational detail: director names, consumption patterns, even site access notes. Layer Ofgem conduct expectations on top and you get a compliance story that is part ICO, part licence conditions, part plain contract law.
Next step: If you use under about 50,000 kWh a year, you can get a quote in under 90 seconds online — fast, no obligation. Larger supply, half-hourly metering, or prefer chat? Use the contact page.
Key takeaways
- Identify lawful bases (often contract or legitimate interests) before sharing director IDs or half-hourly (HH) metering files.
- Processors must sign Article 28-style terms; list subprocessors who touch half-hourly data or CRM exports.
- Data minimisation beats “upload everything” onboarding—ask why each field is needed.
- International transfers need safeguards if US-hosted pricing tools sit in the chain.
- Document retention: stale LOAs and dead quotes should age off drives on a schedule.
Controller vs processor in a typical brokered sale
Your business is usually controller for employee and director personal data you volunteer. The broker may be joint controller for marketing segments or independent controller for its own credit checks. The supplier becomes controller for account management once you sign. Map the handover moment in your ROPA (record of processing activities) so DSAR routes do not ping-pong.
When brokers pull metering data from industry systems, they still process personal data if files tie usage to named customers. Elexon’s administrative role in market codes does not erase GDPR duties—treat code-compliant sharing as necessary but still proportionate.
Legitimate interests vs consent in B2B energy
Consent is not a free pass for endless marketing. Legitimate interests can cover follow-up on an expressed quote request if you run a balancing test and offer opt-outs aligned with PECR for electronic channels. Document the balancing test briefly—what interest, what alternatives, why minimal data.
Microbusiness protections from Ofgem interact with fairness expectations; misleading opt-ins can breach both consumer energy rules and data law.
Security measures that matter for energy files
Half-hourly exports can reveal production schedules—protect them like commercial secrets. Use workspace MFA, scoped drives, and expiring links. When brokers email unencrypted spreadsheets, push back and request secure portals. Incident playbooks should include supplier and National Grid ESO contacts if a cyber event touches operational data used for balancing discussions.
Subject access requests and portability
DSARs often bundle broker emails, supplier tickets, and LOA versions. Respond within one calendar month; where complexity justifies an extension, tell the requester. Portability rarely maps neatly to bespoke pricing models, but structured usage CSVs should be available when processing is automated.
Climate reporting overlap
When you disclose carbon metrics informed by CCC guidance or SECR-style reporting, ensure public numbers do not leak personally identifiable usage of tenants or franchisees. Aggregate where possible.
Broker GDPR control checklist
| Control | Evidence to collect | Owner |
|---|---|---|
| Article 28 terms | Signed DPA + SOC2 summary | Legal |
| Transfer safeguards | SCCs/IDTA copies | DPO advisor |
| Retention | Policy + automated deletes | IT |
| Training | Annual completion logs | HR |
| Incident drills | Tabletop notes | Security |
Records brokers should—and should not—hold
Reasonable records include contract offers, LOAs, consumption summaries needed for pricing, and complaint correspondence. Avoid storing passport images after KYC completes unless a supplier mandates retention—purge according to policy. For half-hourly files, keep only the intervals required for active tenders plus statutory periods; massive historical dumps increase breach impact.
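The retention rule above ("purge according to policy", keep only the HH intervals an active tender needs) is usually enforced by a scheduled sweep rather than by memory. The script below is an added example, not code from SwitcherMate or from the original page: it classifies files on a broker share by a hypothetical filename prefix (`loa_`, `quote_`, `hh_<tenderid>_`), applies per-class retention periods (placeholder numbers, not statutory periods), keeps HH exports that belong to a still-active tender regardless of age, and routes anything it cannot classify to human review instead of deleting it. It runs dry by default so the decision list can be checked before anything is removed.

```python
"""Retention sweep for a broker file share (added example; assumptions noted inline)."""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Hypothetical retention schedule in days per document class. These values are
# placeholders for the example; set them from your own documented policy.
RETENTION_DAYS = {
    "loa": 365,    # letters of authority
    "quote": 180,  # dead / unaccepted offers
    "hh": 90,      # half-hourly exports not tied to an active tender
}
DAY = 86400


@dataclass
class Decision:
    path: Path
    doc_class: str | None
    age_days: float
    action: str  # "delete", "keep" or "review"


def classify(path: Path) -> str | None:
    """Assumed naming convention: class prefix before the first underscore."""
    prefix = path.name.split("_", 1)[0].lower()
    return prefix if prefix in RETENTION_DAYS else None


def decide(path: Path, now: float, active_tenders: set[str]) -> Decision:
    age_days = (now - path.stat().st_mtime) / DAY
    doc_class = classify(path)
    if doc_class is None:
        # Unknown material (e.g. a stray ID scan) is never auto-deleted; a person decides.
        return Decision(path, None, age_days, "review")
    if doc_class == "hh":
        # Assumed layout hh_<tenderid>_<site>.csv: live tenders keep their data.
        parts = path.stem.split("_")
        if len(parts) > 1 and parts[1] in active_tenders:
            return Decision(path, doc_class, age_days, "keep")
    action = "delete" if age_days > RETENTION_DAYS[doc_class] else "keep"
    return Decision(path, doc_class, age_days, action)


def sweep(root: Path, active_tenders: set[str], now: float | None = None,
          dry_run: bool = True) -> list[Decision]:
    """Walk the share, record a decision per file, delete only when dry_run is False."""
    now = time.time() if now is None else now
    decisions: list[Decision] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        d = decide(path, now, active_tenders)
        decisions.append(d)
        if d.action == "delete" and not dry_run:
            path.unlink()  # a production version would also log this for the ROPA
    return decisions


def demo() -> tuple[dict[str, str], set[str]]:
    """Constructed share in a temp dir: returns ({name: action}, files left on disk)."""
    now = time.time()
    samples = {  # name -> age in days (constructed sample data)
        "loa_acme_2019.pdf": 400,
        "loa_acme_2024.pdf": 30,
        "quote_acme_old.xlsx": 200,
        "hh_T42_site1.csv": 120,        # old, but tender T42 is still active
        "hh_T17_site2.csv": 120,        # tender T17 closed
        "passport_director.jpg": 500,   # no known class -> review, never auto-deleted
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, age in samples.items():
            p = root / name
            p.write_text("constructed sample")
            stamp = now - age * DAY
            os.utime(p, (stamp, stamp))
        decisions = sweep(root, active_tenders={"T42"}, now=now, dry_run=False)
        actions = {d.path.name: d.action for d in decisions}
        remaining = {p.name for p in root.iterdir()}
    return actions, remaining


if __name__ == "__main__":
    acts, left = demo()
    for name, action in acts.items():
        print(f"{action:7} {name}")
    print("remaining:", sorted(left))
```

Run it as a scheduled job with `dry_run=True` first and review the decision list; the "review" bucket is the safeguard for files such as leftover KYC images that no naming rule covers.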
When brokers use US-hosted CRMs, complete transfer impact assessments and maintain registers of international recipients. ICO guidance expects proportionate security; MFA alone does not excuse excessive data fields on web forms.
Incident response specific to energy data
If spreadsheets with MPAN-labelled consumption leak, notify your DPO, isolate shares, and inform affected customers within statutory windows if personal data was included. Parallel conversations with suppliers may be needed if credentials to portals were exposed. Document lessons in the ROPA—regulators prefer honest post-mortems over polished silence.
Market code compliance does not pause during incidents; settlement-quality data may still need resubmission through proper channels administered alongside Elexon processes, independent of your GDPR remediation.
Quick answers for busy owners
Do brokers need consent to get a quote? Often no—contractual necessity or legitimate interests can cover proportionate sharing—but marketing follow-ups are different and need clear rules.
Can suppliers share my data with group companies? Only if contracts and privacy notices say so; challenge vague “group purposes” wording.
What if a broker refuses deletion? Ask for the lawful basis retention log; escalate to your DPO and consider ICO guidance if personal data is clearly stale. Energy market codes do not override proportionality.
Related guides
Read letters of authority and TPI brokers explained, or return to the energy library.