DeiC Compliance

DeiC Security / DKCERT helps institutions on the research network handle the increasing demands for information security and data protection.

Information security and data protection requirements are increasing throughout society. This is evident in the many new legislative and regulatory initiatives at both national and EU level, and there is an expectation from all stakeholders for systematic and documented data protection management.

For many research and educational institutions, keeping abreast of new initiatives is a major challenge in itself.

In addition, there is a risk that individual institutions will build separate and perhaps even conflicting sets of rules for the many concerns that are regulated separately. This applies, for example, to the protection of an organisation's own data on the organisation's behalf (ISO27001), the protection of personal data on behalf of the data subjects (GDPR) and the protection of socially critical data on behalf of society as a whole (NIS2).

An important foundation for DeiC Security / DKCERT's services is to follow and influence the regulatory initiatives that research and educational institutions are subject to in this area.

When GDPR was implemented in Denmark a few years ago through the Data Protection Act, we created a dedicated service: the DPO service. It helps several research network institutions to implement and comply with GDPR in a systematic and resource-efficient way.

This work is being expanded and systematized through DeiC Compliance, which, according to similar principles, helps educational and research institutions to handle the increasing demands for documented compliance with various national and regional compliance requirements.

Who are the customers?

The service is aimed at institutions that want help to integrate their handling of data protection in relation to the various governance systems that they must comply with. These include ISO27001, GDPR, National Technical Requirements and NIS2.

There are more similarities than differences between these regulatory regimes, so alignment is key.

If you want to make use of the service, it will typically start with an initial mapping of the institution's current status in relation to relevant stakeholders and legislation. In a joint process, a gap analysis and an action plan are then drawn up; the plan is continuously evaluated and phased into an annual cycle.

Depending on the needs, the ongoing service will consist of a subscription scheme at a fixed minimum price, including short quarterly meetings for follow-up and adjustments to the action plan and an annual report to the institution's management. The ongoing service can be supplemented with advice on current topics or facilitation of internal processes - e.g. internal organization or management involvement.

The service can be scaled according to the size of the institution, and the specific content will be adapted to the current situation. In some periods, the focus may be on personal data protection, while in other periods the focus may be on monitoring or reporting. The service can involve experts from all of DeiC Security's professional areas as needed.

DeiC Compliance

DeiC Compliance is aimed at institutions that want help to integrate their handling of information security and data protection in relation to the various governance systems with which they must comply. These include ISO27001, GDPR, National Technical Minimum Requirements and NIS2.