ICR Privacy and Cybersecurity Policy
Last updated
The purpose of this policy is to outline ICR’s commitment to:
Protecting personal and sensitive information, including data entrusted to us by our stakeholders
Securing our digital infrastructure, systems, and services against cybersecurity threats
Complying with applicable privacy and cybersecurity laws and standards, both in Iceland and globally
This policy ensures the responsible management of data and promotes a culture of trust, integrity, and accountability.
This policy applies to:
All ICR employees, contractors, board members, and interns
Third parties who access or process ICR data or systems
All personal data, registry data, and digital systems owned or managed by ICR
It covers activities across our digital operations, including cloud platforms, communications, and employee devices.
ICR handles personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable laws. We follow these key principles:
We collect personal data only for legitimate purposes and inform individuals about how their data is used.
Only the minimum necessary data is collected for a defined purpose.
We strive to keep data accurate and up to date. Personal data is retained only as long as necessary and then securely deleted or anonymized.
Personal data is protected against unauthorized access, alteration, or loss using appropriate technical and organizational measures.
ICR conducts regular cybersecurity risk assessments to identify vulnerabilities and threats that could affect information systems and personal data.
Risk assessments are used to inform security controls and ensure that appropriate mitigating actions are in place.
All identified risks are documented, tracked, and managed through established procedures.
We respect the rights of individuals, including:
Access to their personal data
Correction or deletion of incorrect data
Objection to or restriction of processing
Data portability
ICR is committed to maintaining a secure digital environment for our employees, stakeholders, and users.
Access to systems is granted based on job role and the principle of least privilege.
Strong, unique passwords and multi-factor authentication (MFA) are required.
All sensitive and personal data is encrypted in transit and at rest.
Personal data may not be stored on unauthorized devices or platforms.
Secure backup systems are maintained.
Company devices must run antivirus/endpoint protection software and be kept up to date with security patches.
Remote access to ICR systems must go through a secure, approved VPN.
Employees must report lost or stolen devices immediately.
Staff must stay alert to phishing, scams, and malicious attachments.
Sensitive data must only be transmitted through secure, approved channels.
All third-party vendors must meet ICR’s privacy and security standards.
Data processing agreements are signed with any provider that handles personal or registry data.
ICR ensures that all data shared with third parties is protected through robust Data Sharing Agreements (DSAs). These agreements set out the expectations and responsibilities for handling sensitive data, ensure compliance with privacy regulations, and mitigate the risks associated with data sharing.
If a data breach or cybersecurity incident occurs:
Report immediately to the IT administrator or privacy officer
The incident response team will assess and mitigate the breach
If personal data is affected, data subjects and authorities will be notified as required by law
A post-incident review will be conducted to improve controls
Roles and responsibilities:
Employees & Contractors: Follow privacy and security policies, protect access credentials and sensitive data, report incidents or suspicious activity promptly, and complete required training.
IT & Security Leads: Maintain cybersecurity infrastructure, enforce technical controls (e.g., access management, encryption), monitor systems, manage security incidents, and support secure architecture decisions.
CTO: Oversee GDPR compliance, act as the contact point for supervisory authorities and data subjects, advise on data protection impact assessments (DPIAs), and monitor internal privacy controls.
Leadership: Ensure adequate resources and support for data protection and cybersecurity programs; promote a culture of compliance, ethics, and transparency.
Third-Party Vendors: Adhere to agreed privacy and security standards.
Violation of this policy may result in disciplinary action, including termination of access, employment, or contracts. In some cases, legal consequences may follow.
This policy is reviewed annually or whenever significant legal, technological, or organizational changes occur. Employees and stakeholders are encouraged to provide feedback.
Questions or Concerns? Contact: privacy@carbonregistry.com or your local IT/security representative.