COMPLIANCE MODULE in More Service


To activate the Compliance module, log in to More Service.
Go to the profile that should have access to the module.
Go to Settings->User accounts and roles->Access management.
Mark the profile you want to have access to the module.
Add the Compliance module.

The Compliance module will then be available on the menu bar in More Service.

To add applications, first decide in the System Map which object type holds applications, e.g. "System".
Go to Settings->Inventory->Object type.

Open the object type, for example "Application", and select Compliance (GDPR).
The option Use NIS2/DORA, which is intended for finance and insurance, is enabled automatically. This can be removed if you wish.

In the System Map (CMDB) the object for the application will now have a "COMPLIANCE" button, which is red. When all information has been filled in in the Compliance module, the button turns green.

This option lets you import applications (systems) from the System Map (CMDB) into the Compliance module, so that you can establish and follow up on compliance and GDPR requirements directly in the module.
When you select the function, the application is transferred to the Compliance module automatically.
For each application, the relevant compliance criteria must be filled in, according to the applicable regulatory and compliance requirements.
When all criteria have been filled in, the button turns green.

You can also import from a template where one is available.

From the Import button, you can retrieve a template with the corresponding criteria from an existing application. This makes it easier to reuse definitions and speeds up filling in new applications.
Only an Admin in More Service can perform exports.
Filling in the fields for the application:
NIS2/DORA
Value - the attractiveness/uniqueness of the information

What value does the application have for the company?
Is it critical if the application does not work?
Double-click in the box or use the drop-down menu.
Select one of the predefined attributes: none, small, medium, high, etc.

NIS2/DORA
Criticality

How critical is the application to your company?
Double-click in the box or use the drop-down menu.
Select one of the predefined attributes: none, small, etc.

NIS2/DORA
Sensitivity

NIS2/DORA
Legal requirements

The points below are subject to GDPR.
Processing basis

1. Start with: Does the application process personal data?
First, you need to clarify whether GDPR applies at all.
Examples:
• ✅ Yes: name, email, user ID, logs, IP addresses
• ✅ Yes: customer data, employee data, access logs
• ❌ No: only technical metadata without a link to a person
👉 If yes → you must have a processing basis
________________________________________
2. Identify the purpose of the processing
This is the most important step.
Ask:
• What is the application used for?
• Why is the data processed?
• Who benefits from the processing?
Examples:
• HR system → payroll and personnel follow-up
• CRM → customer management
• ITSM (such as More Service) → operations, support, incident management
👉 Processing basis is always linked to purpose – not the system itself
________________________________________
3. Choose the right processing basis (art. 6 GDPR)
This is the core point.
The most relevant for businesses:
a) Agreement (art. 6(1)(b))
• When processing is necessary to fulfill a contract
• Typically:
o customer systems
o deliveries
b) Legal obligation (art. 6(1)(c))
• When processing is required by law
• Example:
o accounting
o auditing
o security logging (may also be here in some cases)
c) Legitimate interest (art. 6(1)(f))
• Most used for IT systems
• Example:
o operation, support, logging
o security monitoring
But this requires:
• ✅ Weighing of interests (balancing test)
• ✅ Documentation
d) Consent (art. 6(1)(a))
• To be used restrictively in businesses
• Not suitable for internal IT systems
👉 My clear recommendation: For applications such as More Service / ITSM systems, the basis for processing will normally be:
Legitimate interest + possible legal obligation

Compliance with laws and requirements

a) Purpose
• Why is the processing necessary?
b) Necessity
• Can we achieve the same purpose with less data?
c) Balancing of interests
• Do the needs of the business outweigh the privacy of the data subject?

Role:
What role do you have in relation to the use of the application (Controller or Data Processor)?
Answer: memo field
• Controller = decides.
• Data Processor = carries out the processing on behalf of the data subject.
For public institutions, schools or businesses, the organization will usually be the controller, while IT providers, cloud storage services and payroll systems are often data processors.

Data processing agreement:
Is the agreement signed, or have you accepted the terms and conditions?

Name of system owner
System owner: enter the name and it will be looked up in More Service.

Super user
Name of super user: enter the name and it will be looked up in More Service.

Type of information
Does the application contain personal data or no personal data?

How many people have access to the information?

Data location
Where is the data stored?

Is personal data shared with others? Yes or no.

Is there a written procedure?