The GDPR will be enforced on 25th May 2018. It may seem a long way off, but taking steps towards compliance is something that should already be well under way.

Here at Active we are working towards ensuring we will be compliant well before the deadline. Like many organisations, we are already compliant with the Data Protection Act, but the GDPR requires a much higher level of detail and clarity. Existing policies certainly need reviewing and updating; the basis for data consent needs to be clarified, existing data classified, and data breach and protection procedures documented.

For SMBs this is no mean feat. Even without a dedicated compliance team or Data Protection Specialist to help, the GDPR is no less compulsory. Organisations will need to allocate dedicated personnel to take responsibility for compliance, and to ensure that all staff members are aware of the changes to your data processes and their implications.

Searching online for help with the GDPR turns up a minefield of mixed messages. Articles and webinars often focus on only a small part of the GDPR (sometimes on an area that suits their own agenda – pushing advisory services, or insurance policies…). We’ve found the ICO website to be the best source of unbiased and comprehensive information about what’s required.

Your CRM can also aid you along the road to compliance. Dynamics 365 can help you in 18 distinct areas of the GDPR, and we’ve listed these below for your reference.

How Dynamics 365 can help you with GDPR compliance:

Each area below gives the GDPR requirement, a question to consider, and how Dynamics 365 can help with compliance.

1. Search for and identify personal data
   Question to consider: How much of the personal data about data subjects under your organisation’s control have you identified?
   How Dynamics 365 can help: Dynamics 365 provides multiple methods for you to search for personal data within records, such as Advanced Find, Quick Find, Relevance Search, and Filters, making data identification quick and easy.

2. Classify personal data
   Question to consider: How confident are you in the tools your organisation currently has to classify personal data?
   How Dynamics 365 can help: Dynamics 365 offers the flexibility to build out an application extension around data classification. At the Entity and Field levels, customers can configure Forms and Views to look for personal information based on GDPR requests. At the Row level, data classification can be implemented using solution customisation.

3. Data governance
   Question to consider: Would you say that your organisation has a data governance programme in place that meets the demands of the GDPR?
   How Dynamics 365 can help: Dynamics 365 provides a set of features to manage the access of both users and groups to personal data. Role-based security allows you to group together a set of privileges that limits the tasks a user can perform. Record-based security lets you restrict access to specific records. Field-level security lets you restrict access to specific high-impact fields, such as those containing personally identifiable information.

4. Provide detailed notice of processing to data subjects
   Question to consider: Does your privacy notice contain: the identity and contact details of the data controller; the purpose of data processing and its legal basis; when and how information is shared with third parties; any recipients or categories of recipients of the personal data; and the retention period, or the criteria used to determine it?
   How Dynamics 365 can help: Dynamics 365 Customer Engagement includes the ability to use Portals to display custom privacy notices with detailed information, either through a form or on a sign-in screen, on both internal and external Portals. While Dynamics 365 can provide a platform capable of hosting external-facing privacy notices, it is the responsibility of the customer to ensure that the specific language of the notice meets their obligations under the GDPR.

5. Obtain consent
   Question to consider: In how many cases would your organisation be able to obtain the needed consents right now?
   How Dynamics 365 can help: Dynamics 365 Customer Engagement offers Portals, which allow you to request and obtain consent prior to processing personal data. When collecting personal data through a form or login on an internal or external Portal, Dynamics 365 Customer Engagement allows you to create checkboxes or other elements that enable data subjects to indicate affirmative consent prior to submitting personal data. While Dynamics 365 can provide a platform capable of hosting external-facing privacy notices, it is the responsibility of the customer to ensure that the specific language of the notice meets their obligations under the GDPR.

6. Receive requests for the rectification, erasure, or transfer of personal data
   Question to consider: In how many cases would your organisation be able to enable data subjects to submit these requests?
   How Dynamics 365 can help: Dynamics 365 provides users with several tools to erase and edit personal data associated with data subjects as well as employee user accounts. Users can also track requests for rectification, erasure or transfer of personal data manually by creating support cases to manage data subject rights requests. Actions taken during the lifecycle of a request can be tracked in the case, which is then marked as resolved upon completion of the request.

7. Rectify inaccurate or incomplete personal data regarding data subjects
   Question to consider: In how many cases would your organisation be able to do this right now?
   How Dynamics 365 can help: Dynamics 365 offers several methods to rectify inaccurate or incomplete personal data. You can export data to Excel Online to quickly bulk-edit multiple Dynamics 365 records, then reimport them into Dynamics 365. You can also amend personal data stored as Contacts by manually amending the data element containing the target personal data, or use Dynamics 365 forms to edit a single row or modify multiple rows directly.

8. Erase personal data
   Question to consider: In how many cases would your organisation be able to do this right now?
   How Dynamics 365 can help: Dynamics 365 gives you several methods for erasing data regarding a data subject. Once the data has been identified using Advanced Find, you can delete the records directly.

9. Provide data subjects with their personal data in a common, structured format
   Question to consider: In how many cases would your organisation be able to do this right now?
   How Dynamics 365 can help: Dynamics 365 data can be exported to a static Excel file to facilitate a data portability request. Using Excel, you can then edit the personal data to be included in the portability request and save it in a commonly used, machine-readable format such as .csv or .xml.

10. Restrict the processing of personal data
   Question to consider: In how many cases would your organisation be able to do this right now?
   How Dynamics 365 can help: Dynamics 365 helps to protect sensitive information and service availability as required by the GDPR by incorporating security measures at the platform and service levels. With Dynamics 365, administrative users grant and restrict user access to personal data through security roles, which are composed of record-level and task-based privileges. Access to personal data can also be managed through the Field-level and Hierarchy security models that Dynamics 365 provides.

11. Data protection and privacy by design and default
   Question to consider: Would you say your organisation’s IT resources meet this standard today?
   How Dynamics 365 can help: Dynamics 365 services are developed using the Microsoft Security Development Lifecycle, which incorporates privacy-by-design and privacy-by-default methodologies, and in accordance with Microsoft privacy policies. To demonstrate Microsoft’s commitment to the privacy and security of customer data, core Dynamics 365 services are audited at least annually against several global data privacy and network security standards, including ISO/IEC 27018.

12. Secure personal data, such as through encryption
   Question to consider: How much of the personal data controlled by your organisation is currently encrypted?
   How Dynamics 365 can help: Dynamics 365 uses technology such as Transparent Data Encryption (TDE) to encrypt data at rest, and Transport Layer Security (TLS) to secure communication between services. For Dynamics 365, Microsoft SQL Server cell-level encryption is available for a set of default entity attributes that contain sensitive information.

13. Establish security controls that ensure the confidentiality, integrity, and availability of personal data
   Question to consider: Would you say that your organisation’s approach to securing personal data under its control meets this standard today?
   How Dynamics 365 can help: Dynamics 365 offers multiple tools to help safeguard data according to an organisation’s specific security and compliance needs, including: the security concepts for Dynamics 365, which help protect data integrity and privacy in a Dynamics 365 organisation; role-based security, which allows you to group together a set of privileges that limits the tasks a user can perform; record-based security, which allows you to restrict access to specific records; field-level security, which allows you to restrict access to specific high-impact fields; and encryption options.

14. Detect and respond to data breaches
   Question to consider: For personal data breach notifications, would you say that your organisation currently has a process in place to notify data subjects, provide information to regulators, and notify regulators within 72 hours?
   How Dynamics 365 can help: Dynamics 365 deploys security measures intended to prevent and detect data breaches, including software to provide intrusion detection and distributed denial-of-service (DDoS) attack prevention. Dynamics 365 responds to incidents involving data stored in Microsoft datacenters by following a Security Incident Response Management process. Microsoft will also notify affected Microsoft customers with enough detail to conduct their own investigations and to meet any commitments they have made, while not unduly delaying the notification process.

15. Facilitate regular testing of security measures
   Question to consider: Do you regularly test, assess, and evaluate the effectiveness of the technical and organisational measures used to secure your data?
   How Dynamics 365 can help: Dynamics 365 provides administrative users with audit functionality that can help identify opportunities to improve security posture and help protect personal data, in addition to detecting data breaches. Microsoft also conducts ongoing monitoring and testing of Dynamics 365 security measures, including ongoing threat modelling, code review, security testing, live site penetration testing, and centralised security logging and monitoring.

16. Maintain audit trails to show GDPR compliance
   Question to consider: Would you say that your organisation can demonstrate compliance with these GDPR requirements today?
   How Dynamics 365 can help: Dynamics 365 allows you to track and record data changes in a Dynamics 365 environment. The data and operations that can be audited in Dynamics 365 include: the creation, modification, and deletion of records; changes to the shared privileges of records; the addition and deletion of users; the assignment of security roles; and the association of users with teams and business units. You can use these logging and auditing tools to record the resolution of rights requests by a data subject, and to log events associated with amending, erasing, or transferring personal data.

17. Only transfer personal data to third countries with the required safeguards in place
   Question to consider: Do you have mechanisms in place for the transfer of personal data outside the EU, such as Binding Corporate Rules or Standard Contractual Clauses?
   How Dynamics 365 can help: Dynamics 365 lets you reduce the need to transfer personal data outside the EU by enabling you to select a region or a national cloud during the initial setup of services, and to store your data in any of more than 30 regions around the globe. These include multiple regional choices within Europe as well as the German sovereign data storage region. Additionally, Microsoft has made several contractual commitments related to Dynamics 365 that enable the appropriate flow of personal data within the Microsoft ecosystem. Microsoft has implemented the EU Model Clauses and is certified to the EU-US Privacy Shield framework.

18. Facilitate Data Protection Impact Assessments (DPIAs) when processing might pose a high risk to the rights and freedoms of individuals
   Question to consider: Do you evaluate the impact of a proposed processing activity on the protection of personal data, and consider appropriate mitigations?
   How Dynamics 365 can help: Dynamics 365 enables you to use the Dynamics 365 audit log to track and record processing activities across the Dynamics 365 ecosystem, which can inform a Data Protection Impact Assessment (DPIA).


This is by no means an exhaustive list of what constitutes GDPR compliance.  Please do visit the ICO website for comprehensive and objective guidance.

How GDPR compliant are you?

If you just want to check how close you are to compliance compared with other organisations – take this five-minute survey by Microsoft.

Your MS Dynamics specialist

We are an MS Dynamics partner with a long history of providing business management software that transforms businesses. If you’d like to know more about how Dynamics can help your GDPR efforts, please do get in touch.

Good luck on your GDPR journey!