ICR Privacy and Cybersecurity Policy

Purpose

The purpose of this policy is to outline ICR’s commitment to:

Protecting personal and sensitive information, including data entrusted to us by our stakeholders
Securing our digital infrastructure, systems, and services against cybersecurity threats
Complying with applicable privacy and cybersecurity laws and standards, both in Iceland and globally

This policy ensures the responsible management of data and promotes a culture of trust, integrity, and accountability.

Scope

This policy applies to:

All ICR employees, contractors, board members, and interns
Third parties who access or process ICR data or systems
All personal data, registry data, and digital systems owned or managed by ICR

It covers activities across our digital operations, including www.carbonregistry.com, cloud platforms, communications, and employee devices.

Privacy Principles

ICR handles personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable laws. We follow these key principles:

Lawfulness, Fairness, and Transparency

We collect personal data only for legitimate purposes and inform individuals about how their data is used.

Data Minimization

Only the minimum necessary data is collected for a defined purpose.

Accuracy and Retention

We strive to keep data accurate and up to date. Personal data is retained only as long as necessary and then securely deleted or anonymized.

Security and Confidentiality

Personal data is protected against unauthorized access, alteration, or loss using appropriate technical and organizational measures.

Risk Assessment

ICR conducts regular cybersecurity risk assessments to identify vulnerabilities and threats that could affect information systems and personal data.
Risk assessments are used to inform security controls and ensure that appropriate mitigating actions are in place.
All identified risks are documented, tracked, and managed through established procedures

Rights of Individuals

We respect the rights of individuals, including:

Access to their personal data
Correction or deletion of incorrect data
Objection to or restriction of processing
Data portability

Cybersecurity Standards

ICR is committed to maintaining a secure digital environment for our employees, stakeholders, and users.

Access Control

Access to systems is granted based on job role and the principle of least privilege.
Strong, unique passwords and multi-factor authentication (MFA) are required.

Data Protection

All sensitive and personal data is encrypted in transit and at rest.
Personal data may not be stored on unauthorized devices or platforms.
Secure backup systems are maintained.

Device and Endpoint Security

Company devices must be protected with antivirus software and regular updates.
Remote access must be via secure VPNs.
Employees must report lost or stolen devices immediately.

Email and Communication Security

Staff must stay alert to phishing, scams, and malicious attachments.
Sensitive data must only be transmitted through secure, approved channels.

Cloud Services and Third-Party Vendors

All third-party vendors must meet ICR’s privacy and security standards.
Data processing agreements are signed with any provider that handles personal or registry data.

ICR ensures that all data shared with third parties is protected through robust Data Sharing Agreements (DSAs). These agreements are designed to outline the expectations and responsibilities for handling sensitive data, ensuring compliance with privacy regulations, and mitigating potential risks associated with data sharing.

Breach Response and Notification

If a data breach or cybersecurity incident occurs:

Report immediately to the IT administrator or privacy officer
The incident response team will assess and mitigate the breach
If personal data is affected, data subjects and authorities will be notified as required by law
A post-incident review will be conducted to improve controls

Responsibilities

Role

Responsibilities

Employees & Contractors

Follow privacy and security policies, protect access credentials and sensitive data, report incidents or suspicious activity promptly, and complete required training.

IT & Security Leads

Maintain cybersecurity infrastructure, enforce technical controls (e.g., access management, encryption), monitor systems, manage security incidents, and support secure architecture decisions.

CTO

Oversee GDPR compliance, act as the contact point for supervisory authorities and data subjects, advise on data protection impact assessments (DPIAs), and monitor internal privacy controls.

Leadership

Ensure adequate resources and support for data protection and cybersecurity programs; promote a culture of compliance, ethics, and transparency.

Third-Party Vendors

Adhere to agreed privacy and security standards

Enforcement

Violation of this policy may result in disciplinary action, including termination of access, employment, or contracts. In some cases, legal consequences may follow.

Policy Review

This policy is reviewed annually or whenever significant legal, technological, or organizational changes occur. Employees and stakeholders are encouraged to provide feedback.

Questions or Concerns? Contact: privacy@carbonregistry.com or your local IT/security representative.

PreviousImpartiality policy NextDiversity, Equality, and Inclusion policy

Last updated 2 months ago

ICR Privacy and Cybersecurity Policy

Purpose

The purpose of this policy is to outline ICR’s commitment to:

Protecting personal and sensitive information, including data entrusted to us by our stakeholders
Securing our digital infrastructure, systems, and services against cybersecurity threats
Complying with applicable privacy and cybersecurity laws and standards, both in Iceland and globally

This policy ensures the responsible management of data and promotes a culture of trust, integrity, and accountability.

Scope

This policy applies to:

All ICR employees, contractors, board members, and interns
Third parties who access or process ICR data or systems
All personal data, registry data, and digital systems owned or managed by ICR

It covers activities across our digital operations, including www.carbonregistry.com, cloud platforms, communications, and employee devices.

Privacy Principles

ICR handles personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable laws. We follow these key principles:

Lawfulness, Fairness, and Transparency

We collect personal data only for legitimate purposes and inform individuals about how their data is used.

Data Minimization

Only the minimum necessary data is collected for a defined purpose.

Accuracy and Retention

We strive to keep data accurate and up to date. Personal data is retained only as long as necessary and then securely deleted or anonymized.

Security and Confidentiality

Personal data is protected against unauthorized access, alteration, or loss using appropriate technical and organizational measures.

Risk Assessment

ICR conducts regular cybersecurity risk assessments to identify vulnerabilities and threats that could affect information systems and personal data.
Risk assessments are used to inform security controls and ensure that appropriate mitigating actions are in place.
All identified risks are documented, tracked, and managed through established procedures

Rights of Individuals

We respect the rights of individuals, including:

Access to their personal data
Correction or deletion of incorrect data
Objection to or restriction of processing
Data portability

Cybersecurity Standards

ICR is committed to maintaining a secure digital environment for our employees, stakeholders, and users.

Access Control

Access to systems is granted based on job role and the principle of least privilege.
Strong, unique passwords and multi-factor authentication (MFA) are required.

Data Protection

All sensitive and personal data is encrypted in transit and at rest.
Personal data may not be stored on unauthorized devices or platforms.
Secure backup systems are maintained.

Device and Endpoint Security

Company devices must be protected with antivirus software and regular updates.
Remote access must be via secure VPNs.
Employees must report lost or stolen devices immediately.

Email and Communication Security

Staff must stay alert to phishing, scams, and malicious attachments.
Sensitive data must only be transmitted through secure, approved channels.

Cloud Services and Third-Party Vendors

All third-party vendors must meet ICR’s privacy and security standards.
Data processing agreements are signed with any provider that handles personal or registry data.

Breach Response and Notification

If a data breach or cybersecurity incident occurs:

Report immediately to the IT administrator or privacy officer
The incident response team will assess and mitigate the breach
If personal data is affected, data subjects and authorities will be notified as required by law
A post-incident review will be conducted to improve controls

Responsibilities

Role

Responsibilities

Employees & Contractors

Follow privacy and security policies, protect access credentials and sensitive data, report incidents or suspicious activity promptly, and complete required training.

IT & Security Leads

Maintain cybersecurity infrastructure, enforce technical controls (e.g., access management, encryption), monitor systems, manage security incidents, and support secure architecture decisions.

CTO

Oversee GDPR compliance, act as the contact point for supervisory authorities and data subjects, advise on data protection impact assessments (DPIAs), and monitor internal privacy controls.

Leadership

Ensure adequate resources and support for data protection and cybersecurity programs; promote a culture of compliance, ethics, and transparency.

Third-Party Vendors

Adhere to agreed privacy and security standards

Enforcement

Violation of this policy may result in disciplinary action, including termination of access, employment, or contracts. In some cases, legal consequences may follow.

Policy Review

This policy is reviewed annually or whenever significant legal, technological, or organizational changes occur. Employees and stakeholders are encouraged to provide feedback.

Questions or Concerns? Contact: privacy@carbonregistry.com or your local IT/security representative.

229KB

ICR PCS policy v2.0.pdf

pdf

PreviousImpartiality policy NextDiversity, Equality, and Inclusion policy

Last updated 2 months ago

Purpose

Scope

Privacy Principles

Lawfulness, Fairness, and Transparency

Data Minimization

Accuracy and Retention

Security and Confidentiality

Risk Assessment

Rights of Individuals

Cybersecurity Standards

Access Control

Data Protection

Device and Endpoint Security

Email and Communication Security

Cloud Services and Third-Party Vendors

Data Sharing and Agreements

Breach Response and Notification

Responsibilities

Enforcement

Policy Review

Purpose

Scope

Privacy Principles

Lawfulness, Fairness, and Transparency

Data Minimization

Accuracy and Retention

Security and Confidentiality

Risk Assessment

Rights of Individuals

Cybersecurity Standards

Access Control

Data Protection

Device and Endpoint Security

Email and Communication Security

Cloud Services and Third-Party Vendors

Data Sharing and Agreements

Breach Response and Notification

Responsibilities

Enforcement

Policy Review