Runbox has been focusing on privacy and information security from day one, and has paid attention to the strict Norwegian legislation concerning the processing of personal data ever since.
Norway is a member of the European Economic Area (EEA) and as such has to implement certain EU regulations, even though Norway is not a member of the European Union (EU). When the European Parliament and the Council decided on new legislation for the protection of personal data, that legislation also applied in Norway, and it has to be implemented by May 25, 2018.
The legislation, titled General Data Protection Regulation (GDPR), contains rules for how personal data should be processed. Using the terms of GDPR, this includes how, when, and under which conditions, personal data
- can be collected, processed and stored, which demands explicit consent and an explicitly stated purpose;
- shall be rectified;
- shall be deleted (right to be forgotten);
- shall be released to the person that owns the data (right to portability);
- could be transferred to third parties for processing, where a Data Processing Agreement (DPA) is mandatory;
- could be transferred to processors outside the EEA.
At Runbox we have followed the development of this new EU legislation from the very beginning, and as early as 2014 we initiated a project in order to become GDPR compliant.
As a first step we started developing a planning document which includes detailed plans for making our information security management complete and consistent. The document laid out a number of activities which are now outlined in 15 sub-projects, of which some are completed, and others are in the process of being completed.
However, information security is a continuous effort and the sub-projects will give rise to additional activities far beyond the GDPR framework.
We will keep you updated.