Obtaining GDPR Compliance with Dynamics 365

On May 25, 2018, the General Data Protection Regulation (GDPR) privacy law for Europe will go into effect and set a new global standard regarding privacy rights, security, and compliance. The law protects and enables the privacy rights of individuals by establishing strict privacy requirements governing how businesses manage and protect personal data while respecting individual choices. With these requirements, it does not matter where the data is sent, processed, or stored. While privacy is something we all should certainly strive for and strongly protect, this law will require significant changes across the board for all organizations.

Microsoft recently posted their own commitment to GDPR compliance and how they plan to support their customers. Using Dynamics 365 will certainly help with compliance, but do not think using certain features will ensure your business complies with a specific requirement of GDPR.

Key Changes Under the GDPR Law

The law is a heavy read, but there are four sets of key changes organizations must adhere to under GDPR: personal privacy, controls and notifications, transparent policies, and IT and training.

For personal privacy, the law states that all individuals have the right to:

  • access their personal data;
  • correct errors in their personal data;
  • erase their personal data;
  • object to processing of their personal data; and
  • export personal data.

Therefore, organizations will need to:

  • protect personal data using appropriate security;
  • notify authorities of personal data breaches;
  • obtain appropriate consents for processing data; and
  • keep records detailing data processing.

Organizations must also be absolutely transparent when it comes to gathering and collecting personal data. As of May 25th, all organizations must:

  • provide clear notice of data collection;
  • outline processing purposes and use cases; and
  • define data retention and deletion policies.

All organizations must provide all of the above to each and every individual using their services. As a result, they will need to implement extensive training regarding privacy for their employees and IT personnel. The GDPR demands that organizations must:

  • train privacy personnel and employees;
  • audit and update data policies;
  • employ a Data Protection Officer (if necessary); and
  • create and manage compliant vendor contracts.

GDPR Compliance with Dynamics 365

Fortunately, Dynamics 365 makes it relatively easy to perform all of the tasks the GDPR requires. Of course, it’s up to you, as the controller of the data, to utilize Dynamics 365’s capabilities to keep compliant. Dynamics 365 is amazing, but simply using it and ticking off a few checkboxes in the software won’t guarantee any compliance. Here’s everything you must do to become compliant with Dynamics 365.

Discovering Personal Data in Dynamics 365

The GDPR defines you, the organization, as a “controller” for this data, and in some cases, Microsoft with Dynamics 365 is the “processor.” The following is a list of data you control with Dynamics 365 that falls under GDPR:

  • customer data
  • content (subset of data that includes emails, email attachments, any Power BI reports, IM conversations, Sharepoint content, and any other data regarding interactions with customers)
  • administrator data submitted for Microsoft Cloud Services
  • payment data
  • support data

First step, of course, is to use Dynamics 365 to discover and identify all personal data contained within. You can do so with standard filters and sorting in data lists. Using Advanced Filtering functions with Advanced Query Syntax allows you to search through fields not even shown on the form. With these functions, you should have little trouble identifying all customer personal data. Remember that GDPR places you as the controller of this information, and thus you are responsible for identifying all personal data and responding to data subject requests. It’s possible you will need to customize Dynamics 365 to assist in constantly locating personal data.

Once you have identified all personal data, the next step is to obtain consent from customers. With Dynamics 365, you can obtain explicit consent from customers to process their data and then create notifications to inform these customers about how their data will be used. Be aware that under GDPR, customers can revoke their consent at any time.

Managing Personal Data with Dynamics 365

This software provides numerous ways to manage the personal data within GDPR compliance. Using the inherent security architecture allows you to restrict data access as broadly and as strictly as needed based upon role permissions. Doing so adds an extra layer of protection when it comes to restricting the processing of the personal data.

It’s also your responsibility to correct all inaccurate or incomplete personal data within Dynamics 365. In addition, if a customer requests personal data be deleted, you must comply. You also must comply with any customer requests for copies of all their personal data on file. The latter is simple to perform using the the Data Import and Export functionality. It’s also possible to export the data to an Excel spreadsheet to provide the customer.

Protecting Personal Data

Protection under GDPR doesn’t simply mean layers of security. Of course it means you should use Dynamics 365’s encryption offerings as well as the role-based security architecture outlined above.

But it also means that you are required to perform regular security tests. On the server end, Microsoft will continue to conduct monitoring and tests for you. In addition, you must use the software’s security measures to detect data breaches. Should you detect a data breach, it is your responsibility to inform the customer of the breach as well as your intended steps to fix the breach and increase security.

Reporting GDPR Compliance

Under GDPR, it is now your responsibility to track and record personal data flows to third-party services AND in and out of the EU. Dynamics 365 has data flow documentation to assist with monitoring all data movement. To help reduce data leaving the country unintentionally, make sure you select a specific region while setting up the Dynamics 365 services. You need to also specifically select where to store your data in Microsoft’s 22 public Azure datacenters.

It’s also your new responsibility to maintain an audit trail to prove your GDPR compliance. Dynamics 365 can perform personal data audit trails detailing the creation, modification, and deletion of records.

Microsoft Compliance Manager

This is a lot to take in and sort through, even with an ERP that makes it as easy as Dynamics 365 does. To provide further assistance, Microsoft launched an application to help analyze your business for GDPR compliance.  Compliance Manager is a cross–Microsoft Cloud Services solution designed to help organizations meet complex compliance obligations, such as our new friend GDPR. The application’s tools can help detect, classify, and secure personal data across Microsoft Cloud locations as well as help you quickly find and export content for data requests. Its analysis also includes insights into your business’s overall compliance and assistance in improving your data protection capabilities.

If you have any questions or concerns about your own GDPR compliance as a Dynamics 365 user, contact us today and we’ll help you reach that May 25th deadline!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author