What’s different in GDPR from existing Data Protection Act & how it impacts Dynamics 365

This is the third article in my series covering GDPR considerations for Dynamics 365. If you haven’t read the previous two articles, then you can read the first post here and the second article here.

In this post, I’m covering some of the highlights of GDPR and how they affect Dynamics 365. The main changes and their impact on Dynamics 365 can be summarised in the following points:

  1. GDPR applies to EU citizens personal data even if the data is processed outside the EU. This was not the case before. This has massive impact on outsourcing development work to teams outside of the EU as it may mean a change to implementation processes or lack of access to data to comply.
  2. With GDPR, you are required to have an explicit and informed consent by your data subjects (e.g. customers). This consent must be given to all entities that will process or analyse personal data. The consent should also be easy to withdraw. This is particularly important for Dynamics 365 Portals and websites to allow customers to easily withdraw their consent for you to access, process or analyse their data. This means your Dynamics 365 system and its portals must have the processes and the capability to allow for such easy withdrawal of consent.
  3. GDPR will give customers the right to compensation for monetary damages in the event that unlawful data processing occurs. Fines could go as high as 1 million Euros or up to 2 % of a company’s total worldwide annual turnover for non-compliance!
  4. Mandatory risk assessments and in-house data protection offices means you have to include rigorous Dynamics 365 data protection policies to your system and to your implementation project including everyone who may process any data in your Dynamics CRM system to be GDPR compliant.
  5. GDPR brings reporting requirements for every person or entity that is part of the Cloud supply chain. So every supplier and every contractor (not just employee) with access to Dynamics 365 cloud will have direct accountability and the vendor, Microsoft in this case, as well as the clients and Dynamics partners will have to satisfy reporting requirements on who can access this data.


In this post, we covered 5 main changes that GDPR will impact Dynamics 365, projects and live systems. These are really important considerations and changes that require amendments and adjustments to Dynamics 365 solutions and implementation projects.

In my next article, I’ll be covering in detail 7 areas of interest that directly impact Dynamics 365 programmes and solutions once GDPR is effective in May 2018:

  • Personal Identifiable Data (PII)
  • Customer Sensitive data versus Personal Identifiable Data & how to handle in Dynamics 365
  • Children data
  • Consent
  • The Right to Data Portability
  • Governance and Accountability
  • Incident and Breach Management


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Please comment or leave feedback