GDPR Series: Protecting Dynamics 365 Customer Sensitive Data and Personal Identifiable Data in the new GDPR world

In the new world of Europe’s General Data Protection Regulation (GDPR), businesses, organisations and delivery partners are now directly responsible for the protection of Customers Data and everything related to processing it including: Who, How, Where and Why. This is another article in my series on GDPR and Dynamics 365 Compliance for this data protection regulation. You can find all articles on this subject here.

Customer Data can be divided into two main categories:

  1. Personal Identifiable Data (PID for short): This any data that a customer can be identified with. This may include customers first and last name, email address, phone number, address, National Insurance number, GPS / Geographical & location data, etc.
  2. Sensitive Data: This is any data that is regarded as sensitive by Customers which businesses may need to capture for regulatory reporting purposes or for their own operational and diversity reporting needs. This includes: Sexuality (Sexual orientation), Religion, Ethnicity or Race, Disability, etc.

Many businesses need Personal Identifiable Data (Category 1) for their daily operations so this data is normally accessible by all its employees. However, some businesses do not need to know of or capture sensitive data unless for operational, reporting or regulatory compliance reasons as stated above. If a business doesn’t need sensitive data, they are encouraged not to capture it. However, it is obviously essential for all businesses to have some PID about their customers.

Now, how can Dynamics 365 security model help you ensure your business or solution GDPR compliant.

Dynamics 365 CRM security model have a number of features that allows a business to protect, hide and separate customers sensitive data from customers PID so that the former is only accessible by a subset of employees. However, the latter (PID) will need to be available to all employees who needs this information to perform their work activity with the added protection that prevents PID and any customer data loss.

Every business needs to rigorously protect their Customer Data from loss and should invest in all the necessary resources, controls and systems to prevent data loss with all its consequences of brand damage, compensation payments and hefty fines especially with the new Data loss fines. Robust data protections controls in Dynamics 365 solutions can be achieved in many ways and various flavours. The Dynamics 365 provide an array of capabilities to utilise including Security Roles, Access Teams, Field Level Security, Business units / teams / users ownership that can all be used to apply robust security measures on your data in Dynamics CRM solutions.

Protecting Customer PID and Sensitive data should include considerations of who can export data into excel to avoid data loss. This is a very important consideration and locking down this privilege in security roles allocated to users who don’t need this functionality should always be a high priority as part of your Solution Security Design.

Here is the “Export to Excel ” privilege in security roles:


Additionally, Sensitive data (category 2 above) should only be presented to organisation employees who require access to it. To achieve this in Dynamics 365 CRM, you can do the following:

  1. Setup two forms for your Dynamics CRM Contact (Customer) entity: One form is the Main Form that is accessible by the whole organisation and another form which additionally includes sensitive data. This form should then be only allocated to a special Security Role that allows access to this sensitive data. For example: Sensitive data security role.
  2. This first step only protects the display of the data but it does not protect sensitive data from being searched or reported on. To actually protect the sensitive data fields completely, you will need to create a Field Level Security Profile and allocate it to the Team / Security role you have allowed access to sensitive data.
  3. Once this is done, you can then allocate a selected number of users to this team / security role so they can access your sensitive data.


The above approach is obviously just one way of achieving this requirement of protecting customers sensitive data for GDPR compliance. However, there are many other ways of achieving this and you can always adjust your Dynamics 365 solution design to your exact business and solution requirements.

Hope this helps!


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Please comment or leave feedback