IBP committees meet to discuss General Data Protection Regulation application at O&G industry
The IBP Information Technology Committee, in association with Human Resources and Compliance committees, assembled its members and professional specialists, on April 25th, to discuss the impact of General Data Protection Regulation (GDPR) application (Nº 13.709) at Brazilian oil and gas companies. The law, endorsed August last year, represents the strengthening of rules for use of personal data in Brazil, in the public and private sectors, creating specific laws, mechanisms of control and punishment.
Melissa Fernandez, IBP technology manager, explains this claim comes after an IT committee meeting, where it was verified the GDPR will transform O&G company’s operations. Those companies produce a huge number of data and, according to this legislation, they must rethink and restructure its current policies and proceedings. At O&G industry, the number of produced data grows continually, some personal and privacy, there are stored, processed, and used for a variety of reasons.
Fernando Marinho, PCN specialist consultant, pointed out the law application within companies is a joint effort of business, information security and legal (compliance) areas and the focus of work should be the organization of information for data protection. “Those concerns should be considered and provided by legal and compliance areas, verifying the application of legal requirements throughout new proceeding application process, and business area is in charge of definition of collected data”.
The impact of GDPR law on labor relations was displayed by Daniel Vanni, IBP HR committee coordinator and Chevron Labor Relations. Daniel mentioned E-Social, a system which employers communicate the government, in a unified form, information related to workers, such as bonds, social security contributions, payroll, work accident communications, prior notice and tax deeds information.
“We share a lot of information about employees and their dependents with the government. But what is the purpose of this collect? Can we optimize the principles of GDPR law and try to modify what has been demanded by the e-social?” questioned. The coordinator believes the law could be used as a support for discussions with government on the need and purpose of this data collection.
The risk management was the starting point for GDPR law implementation process at BR Distribuidora, according to Marco Lopes, company’s information security manager. “We create a multidisciplinary group and gather the company to think altogether, focusing on to decrease our exposure risk. We establish the compromise to identify the limit of where we can go and then we develop a project that ensured an acceptable level of risk, considering the stakeholders involved”, explained.
Edilbert Silva, IBP Information Technology Committee coordinator, affirmed the common sense leads to believe GDPR law has implications only on IT area. “This workshop was planned in association with HR and legal areas, to show GDPR law has impacts in almost every company area, since departments are responsible for business processes execution that require capture and maintenance of this data”, concluded.