How we did it and what we learned on the way
In our blog post May 25, 2018 we described the main areas of Runbox’ GDPR implementation.
On this Data Privacy Day we’d like to update you on our GDPR implementation, how we did it, and what we learned on the way.
There is an enormous amount of information out there describing GDPR content, simple copies of the regulation, some templates of varying quality – and a lot of warnings.
So first of all, let’s recap what the GDPR is.
What is the GDPR, and why did it come about?
In 2012, the European Union (EU) first proposed a set of rules for protection of data inside and outside the EU. An important reason for this decision was a desire to improve the ability for individuals to control data registered about themselves.
In 2016, the GDPR (General Data Protection Regulation) was formally adopted by the European Parliament and the Council of the European Union to take effect for all individuals within the EU and the European Economic Area (EEA).
Runbox’ approach to the GDPR
At Runbox, which is located in the privacy bastion Norway and within the EEA, we started the GDPR planning and implementation process as early as 2014.
At that point in time, we had followed the process in the EU about a comprehensive reform of the EU’s 1995 data protection rules. In the spring of 2014, the European Parliament demonstrated strong support for the GDPR proposal set forward by the Article 29 Working Party. (You can find more information about the history of the GDPR in the article The History of the General Data Protection Regulation.) Shortly thereafter, in September 2014, our GDPR Compliancy Project was launched.
We didn’t know at that time when the GDPR would take effect, but we knew the direction – that is: The GDPR was indicated to move in the direction of existing Norwegian privacy regulations, based on Article 29 Working Party documents.
Our GDPR project plan
We structured our implementation project in 14 partly parallel sub-projects, and after the decision by the European Parliament and of the Council by April 27, 2016, we updated our project plan towards the target date May 25, 2018.
We started out mapping exactly our position compared to Article 29 proposal, which in 2015 was replaced by The European Data Protection Board, and then we went ahead to work out our main planning document, Rules and Regulations for Information Security Management.
The groundwork was done, and we proceeded the project towards fulfillment of our obligations regarding privacy under the new legislation, implemented in Norwegian law by July 20, 2018.
We will share more information in forthcoming blog posts, so stay tuned!