How we did it and what we learned on the way
In our blog post of May 25, 2018, we described the main areas of Runbox' GDPR implementation.
On this Data Privacy Day we'd like to update you on that implementation: how we did it, and what we learned on the way.
There is an enormous amount of information out there describing GDPR content, simple copies of the regulation, some templates of varying quality – and a lot of warnings.
So first of all, let’s recap what the GDPR is.
What is the GDPR, and why did it come about?
In 2012, the European Union (EU) first proposed a set of rules for the protection of personal data inside and outside the EU. An important reason for this decision was a desire to improve individuals' ability to control the data registered about themselves.
In 2016, the GDPR (General Data Protection Regulation) was formally adopted by the European Parliament and the Council of the European Union, applying to all individuals within the EU and the European Economic Area (EEA) from May 25, 2018.
Runbox’ approach to the GDPR
At Runbox, located in Norway, a privacy bastion within the EEA, we started the GDPR planning and implementation process as early as 2014.
By then we had been following the EU's work on a comprehensive reform of its 1995 data protection rules. In the spring of 2014, the European Parliament voted in strong support of the proposed GDPR, a reform the Article 29 Working Party (the EU's advisory body on data protection) had also backed in its opinions. (You can find more information about the history of the GDPR in the article The History of the General Data Protection Regulation.) Shortly thereafter, in September 2014, our GDPR Compliancy Project was launched.
We didn't know at that time when the GDPR would take effect, but we knew the direction: the Article 29 Working Party documents indicated that the GDPR would move towards the existing Norwegian privacy regulations.
Our GDPR project plan
We structured our implementation project into 14 partly parallel sub-projects, and after the adoption by the European Parliament and the Council on April 27, 2016, we updated our project plan towards the target date of May 25, 2018.
We started by mapping exactly where we stood compared to the Article 29 Working Party's guidance (the Working Party was replaced by the European Data Protection Board when the GDPR took effect in 2018), and then went on to work out our main planning document, Rules and Regulations for Information Security Management.
With the groundwork done, we proceeded with the project towards fulfilling our privacy obligations under the new legislation, which was implemented in Norwegian law on July 20, 2018.
We will share more information in forthcoming blog posts, so stay tuned!
2 thoughts on “Runbox’ road to GDPR compliance”
Any news on how this will affect the security of our email using a Norwegian server?
It seems the proposal is getting thrown in the trash bin and that the Ministry of Defence will have to come up with something that is a better compromise between their needs and the needs to protect privacy.
This is an example of the reaction the proposal got: https://www.dagbladet.no/nyheter/riksadvokatens-slakt-vekker-oppsikt/70763492
The proposal got a harsh reaction from the Director of Public Prosecutions, the Police Security Service and even the Parliamentary Oversight Committee for the Intelligence Services: https://eos-utvalget.no/english_1/
The current law is very restrictive for Etterretningstjenesten (the Norwegian Intelligence Service). They say they are the most restricted intelligence agency in Europe. This is the second attempt to change the law, which started in 2018. The previous attempt was in 2016.