The General Data Protection Regulation (GDPR) supersedes the UK Data Protection Act 1998 (DPA) and comes into action on the 25th May 2018. Significant and wide-reaching in scope, the new law brings a fresh approach to data protection. It expands the rights of individuals to control how their personal data is collected and processed, placing a range of new obligations on organisations to be more accountable for data protection – no matter where it is sent, processed or stored.
Microsoft has committed to being GDPR compliant across all of its cloud services and on-premises Microsoft Dynamics 365 Business Central, which we cover below.
GDPR gives individuals rights over the data you hold on them; these rights range from simply being informed through to erasure and objection. So, for example, if an individual asks you to delete all data you hold on them, you have to be able to find every record relating to that individual within Microsoft Dynamics and prove that you have deleted it. This is not as easy as it might sound, as ERP software holds data in a wide variety of tables and fields, and the task becomes even more difficult if you have many customisations on your system.
Identify and classify personal data
Microsoft Dynamics 365 Business Central has a new “Data Classification” property feature which, when applied to your database, helps you categorise any personal data, such as customer, vendor, contact and employee records. Data can be classified as customer content, end user identifiable information, organisation identifiable data, or system metadata.
Data subject right (DSR)
The GDPR allows data subjects to exercise various data subject rights (DSR) relative to their personal data. While Dynamics 365 Business Central has current tooling and will add other capabilities in upcoming cumulative updates to assist you with responding to those DSR requests, the decision to honour a DSR request and the implementation thereof is your responsibility. These capabilities are described in the Manage sections below.
Export data subject’s personal data
Under GDPR, data subjects have the right to make a data portability request to the controller. This means you must be able to export a data subject's personal data in a machine-readable format such as .CSV, .XLSX or .XML. The latest Dynamics 365 Business Central CU helps administrators identify personal data, making it easier to locate the personal data needed to respond to an export request from a data subject.
Delete data subject’s personal data
Improvements provided in the Dynamics 365 Business Central March 2018 cumulative updates and other updates will help administrators identify personal data, thereby making it easier to locate personal data for responding to delete requests from a data subject. While Dynamics 365 Business Central provides capabilities for deleting personal data, it is your responsibility to ensure that personal and sensitive data are located and classified appropriately for you to meet your obligations under the GDPR.
Modify data subject’s personal data
Under the GDPR, a data subject has the right to request rectification of inaccurate personal data concerning the data subject. Dynamics 365 Business Central gives you the following methods for correcting inaccurate or incomplete personal data.
In some cases, you can export data to Excel to quickly bulk-edit multiple Dynamics 365 Business Central records, then re-import the data to Dynamics 365 Business Central.
Amend stored personal data by manually editing the field containing the personal data, such as editing information about a customer in the Customer card.
Certain types of Dynamics 365 Business Central records, namely business transaction records (such as general ledger, customer ledger and tax ledger entries), are essential to the integrity of the enterprise resource planning system. The modification of personal data in such records is therefore restricted. If you store personal data in business transaction records, Azzure IT could customise Dynamics 365 Business Central to honour a DSR to modify such personal data.
While Dynamics 365 Business Central provides capabilities for modifying personal data, it is your responsibility to ensure that personal and sensitive data are located and classified appropriately for you to meet your obligations under the GDPR. For more information, see the Discover – Identify and classify personal data section above.
Mark people, customers, and vendors as blocked due to privacy
A data subject has a right to restrict the processing of their personal data. When you receive such a request from a data subject, you can mark their record as blocked due to privacy, and Dynamics 365 Business Central will then discontinue the processing of that data subject’s personal data. The latest cumulative updates add support for marking records, such as customers, vendors, or resources, as blocked due to privacy. When a record is marked as blocked, you cannot create new transactions that use that record. For example, you cannot create a new invoice for a customer when either the customer or the salesperson is blocked.
Detect and respond to data breaches
When running Dynamics 365 Business Central on your own premises or hosted by Azzure IT, it is your responsibility to monitor for and detect data breaches so that you can fulfil the applicable notification requirements for any incident within the time periods defined in the GDPR.
Facilitate regular testing of security measures
As an administrator, you can grant users permissions to data based on their role in Dynamics 365 Business Central. Administrators can also apply security filters so that users can, for example, see data about one customer but not about other customers.
Dynamics 365 Business Central also provides administrative users with audit functionality that can help identify opportunities to improve the security posture protecting personal data, in addition to detecting data breaches. Use the Change Log Entries window to audit data access.
Maintain and report on audit trails to show GDPR compliance
An important aspect of the GDPR is maintaining audit trails and other evidence to demonstrate accountability and compliance with its requirements. In Dynamics 365 Business Central, you can track and record data changes in a Dynamics BC environment. The data and operations that can be audited in Dynamics 365 Business Central include:
The creation, modification, and deletion of records
Changes to the shared privileges of records
The addition and deletion of users
The assignment of security roles
You can use logging and auditing tools in Dynamics 365 Business Central to log and track events associated with amending, erasing, and creating data, roles, and privileges. This ability is based on the audit trail and role-based security in Dynamics 365 Business Central.
The General Data Protection Regulation (GDPR) is serious business, with serious consequences for non-compliance. Is your company prepared? Find out with three free assessments from Microsoft that will help you measure your readiness and learn how to improve it.