OCPP and GDPR
OCPP 2.0.1 adds functionality that enables implementers to comply with the General Data Protection Regulation (GDPR). The responsibility for compliance does not lie with the protocol or with the Open Charge Alliance (OCA), but with the implementers of the protocol. Implementers of OCPP therefore need to be aware of the regulation and take the necessary action.
The impact of GDPR on OCPP includes, but is not limited to:
- OCPP enables storing ("setting"), requesting and removing personal data on the Charging Station:
- to enable implementers to be transparent about the data that is stored,
- to enable the CSMS (Charging Station Management System) to delete the data when the data subject requests this, and
- to enable the CSMS to prove that the data has been removed.
- GDPR effectively requires that OCPP traffic is protected with TLS: only security profiles 2 (TLS with Basic Authentication) and 3 (TLS with client-side certificates) from the chapter Security can be used in a compliant way, because personal data such as idTokens would otherwise be transmitted in clear text.
- It is RECOMMENDED to define retention times for stored personal data and to delete the data once the retention time has expired.
- The DataTransfer functionality is vendor specific and can carry any data, so it was not possible for the OCA to take it into account. It is up to vendors of Charging Stations and CSMSs to make sure that their vendor-specific functionality complies with the regulation.
As indicated, OCPP is merely a protocol that transports data; it is configurable enough to provide the means to comply. The data itself is used in the related processes on the Charging Station and CSMS side, where action is also necessary, for example to anonymize transaction data.
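The three capabilities listed above (report what is stored, delete it on request, and prove that it is gone) map onto the OCPP 2.0.1 CustomerInformation / NotifyCustomerInformation messages. The following simulated CSMS-to-Charging-Station exchange is an added example and is not code from the OCPP specification or the OCA. It assumes the OCPP 2.0.1 message shapes (CustomerInformation with requestId, report, clear and idToken; NotifyCustomerInformation with data, seqNo, generatedAt, tbc and requestId; data limited to 512 characters) and OCPP-J framing; the in-memory store, the retention sweep, the "report again to prove erasure" design, the class and method names and the sample records are all constructed for this example.

```python
"""Added example (not from the OCPP specification or the OCA): a CSMS and a
Charging Station exchanging CustomerInformation / NotifyCustomerInformation
to report and erase personal data, plus a retention sweep. Store, helper
names, the proof-of-erasure design and the sample records are assumptions."""
import json
from datetime import datetime, timedelta, timezone

CALL, CALLRESULT, CALLERROR = 2, 3, 4   # OCPP-J MessageTypeId values
MAX_DATA_LEN = 512                      # NotifyCustomerInformationRequest.data is string[512]


class ChargingStation:
    """Station side: personal data per idToken plus the CustomerInformation handler."""

    def __init__(self, retention_days=90):
        self.retention = timedelta(days=retention_days)
        self.records = {}   # idToken value -> {"data": dict, "storedAt": datetime}
        self.seq_no = 0

    def store(self, id_token, data, stored_at=None):
        self.records[id_token] = {"data": data,
                                  "storedAt": stored_at or datetime.now(timezone.utc)}

    def purge_expired(self, now):
        """Retention sweep: drop records older than the retention time; return their tokens."""
        expired = [t for t, r in self.records.items() if now - r["storedAt"] > self.retention]
        for t in expired:
            del self.records[t]
        return expired

    def handle_call(self, frame):
        """Process one CALL frame from the CSMS. Returns the CALLRESULT/CALLERROR frame
        plus the NotifyCustomerInformation CALL frames the station sends back."""
        msg = json.loads(frame)
        if msg[0] != CALL or msg[2] != "CustomerInformation":
            return json.dumps([CALLERROR, msg[1], "NotImplemented", "", {}]), []
        msg_id, payload = msg[1], msg[3]
        # This example only selects by idToken; a request that asks for neither a
        # report nor a clear does nothing useful, so it is rejected (example choice).
        if "idToken" not in payload or not (payload.get("report") or payload.get("clear")):
            return json.dumps([CALLRESULT, msg_id, {"status": "Rejected"}]), []
        token = payload["idToken"]["idToken"]
        record = self.records.get(token)
        notifies = []
        if payload.get("report"):   # transparency: tell the CSMS exactly what is held
            data = json.dumps(record["data"]) if record else "{}"
            notifies = self._notify(payload["requestId"], data)
        if payload.get("clear"):    # erasure: report first (above), then delete
            self.records.pop(token, None)
        return json.dumps([CALLRESULT, msg_id, {"status": "Accepted"}]), notifies

    def _notify(self, request_id, data):
        """Split the report into <=512-char NotifyCustomerInformation frames; tbc marks
        that more frames follow, seqNo lets the CSMS put them back in order."""
        chunks = [data[i:i + MAX_DATA_LEN] for i in range(0, len(data), MAX_DATA_LEN)] or [""]
        frames = []
        for i, chunk in enumerate(chunks):
            self.seq_no += 1
            payload = {"data": chunk, "seqNo": self.seq_no, "requestId": request_id,
                       "generatedAt": datetime.now(timezone.utc).isoformat(),
                       "tbc": i < len(chunks) - 1}
            frames.append(json.dumps([CALL, f"cs-{self.seq_no}",
                                      "NotifyCustomerInformation", payload]))
        return frames


class CSMS:
    """Management-system side: issues CustomerInformation and reassembles the report."""

    def __init__(self):
        self.request_id = 0

    def customer_information(self, station, id_token, report, clear):
        self.request_id += 1
        payload = {"requestId": self.request_id, "report": report, "clear": clear,
                   "idToken": {"idToken": id_token, "type": "ISO14443"}}
        frame = json.dumps([CALL, f"csms-{self.request_id}", "CustomerInformation", payload])
        result, notifies = station.handle_call(frame)
        status = json.loads(result)[2]["status"]
        parts = []
        for n in notifies:
            _, _, action, p = json.loads(n)
            if action == "NotifyCustomerInformation" and p["requestId"] == self.request_id:
                parts.append((p["seqNo"], p["data"]))
        parts.sort()                                  # reassemble in seqNo order
        return {"status": status, "data": "".join(d for _, d in parts), "chunks": len(parts)}

    def erase_and_prove(self, station, id_token):
        """Erasure request: report+clear in one message (the report is the record of what
        was deleted), then a report-only request whose empty answer is the evidence."""
        first = self.customer_information(station, id_token, report=True, clear=True)
        second = self.customer_information(station, id_token, report=True, clear=False)
        return {"status": first["status"],
                "reported": json.loads(first["data"]) if first["data"] else None,
                "remaining": json.loads(second["data"]) if second["data"] else None,
                "erased": first["status"] == "Accepted" and second["data"] == "{}"}


def demo():
    """Constructed scenario: one record inside retention, one expired; then erasure."""
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    cs = ChargingStation(retention_days=90)
    cs.store("04A1B2C3", {"name": "A. Driver", "lastTx": "2024-04-20"}, now - timedelta(days=10))
    cs.store("0FEDCBA9", {"name": "B. Other"}, now - timedelta(days=120))
    purged = cs.purge_expired(now)                # retention sweep removes B. Other
    result = CSMS().erase_and_prove(cs, "04A1B2C3")
    return purged, result, cs.records


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Two design points carry over to a real implementation: the station sends the report before it clears, so the CSMS retains a record of exactly what was deleted, and the follow-up report-only request is what turns "we sent a clear" into evidence that nothing is left. Note that this exchange itself carries personal data, which is why it must only run over a TLS-protected connection (security profile 2 or 3).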