Two years of application of GDPR at Galp

We want to mark this day by providing an overview of what has been done and some of the actions planned for the future

The General Data Protection Regulation (GDPR) marked its second anniversary on 25 May! Attentive to privacy and to fulfilling its legal obligations, Galp marks this day by providing an overview of what has been done and some of the actions planned for the future:

GDPR Transformation Plan

The GDPR Transformation Plan includes a set of initiatives approved by the Executive Committee to ensure the alignment of Galp’s operations with GDPR standards. About 60% of the planned initiatives have been implemented. We are working on the implementation of the plan in Spain, and equivalent initiatives are expected to be developed in Brazil, motivated by the foreseen application of the LGPD (Lei Geral de Proteção de Dados) in that country.

Organizational and functional structure

Galp nominated a DPO (Data Protection Officer) and appointed GDPR Leaders in each Organizational Area. Also, a technological platform was implemented to manage the compliance of personal data processing activities.

Record of personal data processing activities

The record of personal data processing activities is one of the legal obligations introduced by the GDPR. At Galp, the record of these activities started in September 2017, with the Organizational Areas being responsible for updating and recording new activities. We are working to ensure that all personal data processing activities at Galp are recorded and updated on the personal data management platform and validated by the DPO for risk mitigation.

GDPR training

GDPR training is essential to ensure that Galp employees know the rules on personal data and are aware of their relevance. At the beginning of 2020, Galp launched a new GDPR e-learning (Maria’s booklet) and intends to continue training all of its employees through workshops dedicated to each area and webinars focused on different GDPR topics.

Proof of data subject consents

To ensure GDPR compliance, Galp must guarantee proof of all the consents collected for marketing purposes, profile analysis, opinion surveys, personal data sharing or other legitimate purposes. Focused on a centralized view of the client, Galp has been working to standardize the purposes for which the different Organizational Areas collect consents, with a view to managing them centrally by integrating all consent collection points.

Cookie consent management on Galp websites

Cookies are pieces of software that allow the retention of information regarding the use and preferences of users when browsing websites. From a GDPR perspective, data subjects must consent to the use of cookies which, not being necessary for the functioning of the websites, collect data for profile analysis. After surveying all our websites and their corresponding cookies, we are working to provide cookie policies and banners.

Vendor GDPR compliance evaluation

Galp must ensure that all suppliers that process personal data on its behalf implement technical and organizational measures appropriate to the risk arising from the services they provide. In this context, Galp must evaluate the suppliers it intends to contract and guarantee the execution of personal data agreements in which it sets out its instructions regarding the processing of personal data. We have been working, and will continue to work, to consolidate and strengthen the supplier risk assessment process in the scope of protection and security of personal data.

Personal data breaches

Personal data breaches can occur at any time and the notification periods for these data breaches are very limited. Galp has already implemented a procedure for recording, analyzing and documenting incidents. At the same time, people at Galp must know how to identify the different types of personal data breaches, as well as how to report them, so that they can be avoided as much as possible or resolved robustly and quickly without harm to the data subjects.

Exercise of the rights of the data subject

The GDPR gives data subjects a set of rights, and Galp must provide the information requested under them within 30 days. Galp’s average time to provide information has been 12 days, and we are working to maintain this commitment to respond to rights requests quickly, with quality and transparency.

The application of the GDPR is a constant challenge that requires daily commitment and depends on the collaboration of all. We are counting on you to continue this challenge…

For safe energy!
