GDPR Series: Protecting Dynamics 365 Customer Sensitive Data and Personal Identifiable Data in the new GDPR world

In the new world of Europe’s General Data Protection Regulation (GDPR), businesses, organisations and delivery partners are now directly responsible for the protection of customer data and for everything related to processing it: who processes it, how, where and why. This is another article in my series on GDPR and Dynamics 365 compliance with this data protection regulation. You can find all articles on this subject here.

Customer Data can be divided into two main categories:

  1. Personally Identifiable Data (PID for short): any data by which a customer can be identified. This may include the customer’s first and last name, email address, phone number, postal address, National Insurance number, GPS / geographical and location data, etc.
  2. Sensitive Data: any data that customers regard as sensitive and that a business may need to capture for regulatory reporting purposes or for its own operational and diversity reporting needs. This includes sexuality (sexual orientation), religion, ethnicity or race, disability, etc. GDPR refers to most of these as “special categories of personal data” (Article 9) and only permits them to be processed under specific conditions.

Many businesses need Personally Identifiable Data (category 1) for their daily operations, so this data is normally accessible by all of their employees. Sensitive data (category 2) is different: most businesses do not need to know or capture it unless for the operational, reporting or regulatory compliance reasons stated above. If a business doesn’t need sensitive data, it should not capture it at all (data minimisation). Some PID about customers, on the other hand, is essential for every business.

So how can the Dynamics 365 security model help you ensure your business or solution is GDPR compliant?

The Dynamics 365 CRM security model has a number of features that allow a business to protect, hide and separate customers’ sensitive data from their PID, so that the former is only accessible by a subset of employees. The latter (PID) will still need to be available to all employees who need this information to perform their work, with added protection that prevents loss of PID and of any other customer data.

Every business needs to rigorously protect its customer data from loss and should invest in the necessary resources, controls and systems to prevent data loss, with all its consequences of brand damage, compensation payments and hefty fines, especially under the new GDPR penalty regime. Robust data protection controls in Dynamics 365 solutions can be achieved in many ways. Dynamics 365 provides an array of capabilities to utilise, including security roles, access teams, field-level security and business unit / team / user ownership, all of which can be combined to apply robust security measures to the data in your Dynamics CRM solution.

Protecting customer PID and sensitive data should include considering who can export data to Excel, since a spreadsheet on a laptop or in an email is a common way for customer data to leave the system. This is a very important consideration, and removing this privilege from the security roles allocated to users who don’t need the functionality should always be a high priority in your solution security design. The same thinking applies to the other ways data can leave Dynamics 365 in bulk: reports, Word / Excel templates, Advanced Find and the Web API / SDK.

Here is the “Export to Excel” privilege in security roles (it sits under the Business Management tab of the security role editor):

Additionally, sensitive data (category 2 above) should only be presented to the employees who require access to it. To achieve this in Dynamics 365 CRM, you can do the following:

  1. Set up two forms for your Dynamics CRM Contact (Customer) entity: a Main form that is accessible by the whole organisation, and a second form that additionally includes the sensitive data fields. Assign this second form only to a dedicated security role that is allowed to see sensitive data, for example a “Sensitive data” security role.
  2. This first step only controls the display of the data; it does not stop the sensitive fields from being searched (Advanced Find, views), reported on, exported or read through the API. To actually protect the sensitive fields, enable Field Security on each of those attributes, then create a Field Security Profile granting Read (and, if needed, Update / Create) on them. Field security profiles are assigned to users and teams, not to security roles, so assign the profile to the team whose members are allowed to see sensitive data. Note that users holding the System Administrator role can read all secured fields regardless of profiles, so keep that role to a minimum.
  3. Once this is done, add the selected users to this team (and give them the “Sensitive data” security role) so they can access your sensitive data. Every other user sees the secured fields masked with asterisks wherever they appear.
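To make the difference between step 1 and step 2 concrete, here is a small model of the two protection layers, written for this article as an added example. It is not Dynamics 365 code and it does not talk to a Dynamics instance; the classes, the privilege names (modelled on the real `prvReadContact` / `prvExportToExcel` names) and the sample contacts are assumptions constructed for the illustration. It shows that hiding a form alone leaves a sensitive field readable through any query path, that enabling field security masks it for everyone without a profile (while ordinary PID stays visible), and that the Export to Excel privilege gates bulk export independently.

```python
"""Model of form assignment vs. field-level security vs. export privilege.

Constructed example: not Dynamics 365 code, no connection to a real instance.
"""
from dataclasses import dataclass

MASK = "*****"  # secured fields the caller may not read are shown masked


@dataclass(frozen=True)
class SecurityRole:
    name: str
    privileges: frozenset  # e.g. "prvReadContact", "prvExportToExcel" (names assumed)
    forms: frozenset       # Contact forms this role is allowed to open


@dataclass(frozen=True)
class FieldSecurityProfile:
    name: str
    readable_fields: frozenset  # secured attributes this profile grants Read on


@dataclass(frozen=True)
class User:
    name: str
    roles: tuple
    profiles: tuple = ()  # field security profiles come via users/teams, not roles


def privileges(user):
    return set().union(*(r.privileges for r in user.roles))


def visible_forms(user):
    """Layer 1: form assignment only decides which form the user can open."""
    return set().union(*(r.forms for r in user.roles))


def read_contact(user, contact, secured_fields):
    """Any read path (form, view, Advanced Find, API) goes through this check.

    secured_fields: attributes that have Field Security enabled. An attribute
    not in this set is returned to anyone with read access on Contact.
    """
    if "prvReadContact" not in privileges(user):
        raise PermissionError(f"{user.name} has no read access to Contact")
    granted = set().union(*(p.readable_fields for p in user.profiles))
    return {
        name: (MASK if name in secured_fields and name not in granted else value)
        for name, value in contact.items()
    }


def export_to_excel(user, contacts, secured_fields):
    """Export applies the same per-field masking, but only if the role allows export at all."""
    if "prvExportToExcel" not in privileges(user):
        raise PermissionError(f"{user.name}: Export to Excel is not granted")
    return [read_contact(user, c, secured_fields) for c in contacts]


# Constructed sample data, not real customer records.
CONTACTS = [
    {"fullname": "Ada Example", "email": "ada@example.com", "ethnicity": "Not disclosed", "religion": "None"},
    {"fullname": "Ben Example", "email": "ben@example.com", "ethnicity": "Asian", "religion": "Hindu"},
]
SENSITIVE = frozenset({"ethnicity", "religion"})

SALES = SecurityRole("Salesperson", frozenset({"prvReadContact"}), frozenset({"Contact Main"}))
SENSITIVE_ROLE = SecurityRole(
    "Sensitive data",
    frozenset({"prvReadContact", "prvExportToExcel"}),
    frozenset({"Contact Main", "Contact Sensitive"}),
)
SENSITIVE_PROFILE = FieldSecurityProfile("Sensitive data profile", SENSITIVE)

sales_user = User("sam", (SALES,))
hr_user = User("hannah", (SENSITIVE_ROLE,), (SENSITIVE_PROFILE,))


def demo():
    """Returns what each layer lets the two users see; see the usage note for the meaning."""
    results = {}
    # Step 1 only: the sensitive form is hidden from sales, but no attribute is secured yet.
    results["form_only_leak"] = read_contact(sales_user, CONTACTS[1], frozenset())["ethnicity"]
    # Step 2: field security enabled on the sensitive attributes.
    results["fls_masked"] = read_contact(sales_user, CONTACTS[1], SENSITIVE)["ethnicity"]
    results["fls_granted"] = read_contact(hr_user, CONTACTS[1], SENSITIVE)["ethnicity"]
    results["pid_still_visible"] = read_contact(sales_user, CONTACTS[1], SENSITIVE)["email"]
    # Export privilege is a separate gate.
    try:
        export_to_excel(sales_user, CONTACTS, SENSITIVE)
        results["sales_export"] = "allowed"
    except PermissionError:
        results["sales_export"] = "denied"
    results["hr_export_rows"] = len(export_to_excel(hr_user, CONTACTS, SENSITIVE))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, `form_only_leak` comes back as the real ethnicity value even though the sales user cannot open the sensitive form, which is exactly the gap step 2 closes: with field security on, the same query returns the mask for the sales user and the value for the user holding the profile, while the email address (ordinary PID) stays visible to both. The export call for the sales user fails outright because the role lacks the privilege, not because of the field masking.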


The above approach is obviously just one way of meeting the requirement to protect customers’ sensitive data for GDPR compliance. There are other ways of achieving it, and you can always adjust your Dynamics 365 solution design to your exact business and solution requirements.

Hope this helps!


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Is Microsoft Dynamics 365 Ready for GDPR ? General Data Protection Regulation considerations for Dynamics 365 CRM Series

This is the second article in my series on GDPR considerations for Microsoft Dynamics 365. If you are not aware or not sure in details what GDPR is and how it impacts Microsoft Dynamics 365 Solutions and Projects, then please read my first article in this series.

In this article, I cover Microsoft Dynamics 365 CRM readiness for GDPR, which applies from 25 May 2018. In summary, Microsoft has committed to bringing all of its products, services and processes into compliance with GDPR by May 2018.

For Microsoft Dynamics 365, there are many ways to design your Dynamics 365 CRM solution to manage and control access to your data. Some example approaches use the following capabilities of the Microsoft Dynamics CRM platform:

  • Role-based security in Microsoft Dynamics 365 lets you group a set of privileges into a security role; each privilege limits what a user can do on a specific Dynamics CRM entity (create, read, write, delete, etc.) or grants a specific task/action such as export. This is an important capability, especially when people change roles within an organisation, since role changes directly impact data protection and security.
  • Record-based security in Dynamics 365 allows you to restrict access to specific records, using capabilities such as Access Teams in Dynamics 365 CRM.
  • Field-level security allows you to restrict access to specific high-impact fields, such as personally identifiable information and sensitive data such as sexuality, religion and ethnicity/race.

These capabilities are essential for GDPR compliance, and I have personally been involved in applying these considerations to some of our ongoing Dynamics 365 projects to ensure our Dynamics 365 solution complies with GDPR in advance. Similarly, all current Dynamics 365 projects and live Dynamics 365 solutions must be reviewed and updated to ensure compliance with GDPR using these and similar capabilities.

  • Azure Active Directory (Azure AD) helps you protect Dynamics 365 from unauthorised access by simplifying the management of users and groups and allowing you to assign and revoke privileges easily. Azure AD includes tools such as Multi-Factor Authentication for more secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce the risks associated with standing administrative privileges through just-in-time access control, management and reporting.

Microsoft states that it has mandatory processes and encryption controls for Dynamics 365, both Online / Cloud and on-premises, to support GDPR compliance. Some of these include:

  • Security Development Lifecycle: a mandatory Microsoft process that embeds security requirements into every phase of the development process. Dynamics 365 is built using the Security Development Lifecycle.
  • Encryption: in transit between your users’ devices and Microsoft data centres, as well as at rest in a Microsoft database. According to Microsoft, this helps protect your Dynamics 365 data at all times. This control applies to Dynamics CRM Online / Azure Cloud; for on-premises deployments, transport and database encryption are your own responsibility to configure.

Here is also a 20-minute video outlining Microsoft’s commitment to GDPR:

You can read more about Microsoft’s commitment to GDPR on their dedicated GDPR section on Microsoft website here: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr

You can also visit the Dynamics 365 Trust Centre for full details: https://www.microsoft.com/en-us/trustcenter/cloudservices/dynamics365


Is your Microsoft Dynamics 365 solution / project ready for GDPR? :: Introducing Dynamics 365 GDPR considerations

If your solution / project is in Europe, built on Microsoft Dynamics 365, and you are not aware or not sure what GDPR is, then you had better act fast: you need to get familiar with it very soon.

GDPR stands for General Data Protection Regulation. It was adopted in 2016 and applies from 25 May 2018.

According to Wikipedia, GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to “simplify” the regulatory environment for international business by unifying the regulation within the EU.

As per the ICO, the UK’s independent body set up to uphold information rights, the GDPR applies to “controllers” and “processors”. The definitions of controllers and processors are broadly the same as those under the Data Protection Act. In short, the controller says how and why personal data is processed, and the processor acts on the controller’s behalf.

If you are a processor, the GDPR places specific legal obligations on you.

For example, if you / your organisation / your solution / your product maintains or stores records of personal data and carries out processing activities, you will have significantly more legal liability if you are responsible for a breach. These direct obligations on processors are a new requirement under the GDPR and did not exist as such in the Data Protection Act (DPA).

If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

Applied to Microsoft Dynamics 365 solutions, and especially Dynamics CRM projects, this is a significant legal obligation. The majority, if not all, of Dynamics CRM projects include the storage, maintenance and processing of personal data and hence will almost certainly fall under GDPR rules.

If you are a Dynamics 365 consultant, developer or working for a Dynamics 365 client or partner implementing Dynamics 365, then you need to be aware and ready for GDPR as it directly affects you and your work.

In my next post on GDPR, I will cover in more detail what obligations you have and how GDPR obligations affect your Dynamics 365 solution/project. So watch this space.

Please comment below if you are interested in this subject and/or if you would like to be informed about the full whitepaper I will be releasing soon about GDPR and Dynamics 365.

I look forward to reading your comments and finding out whether you are interested in the whitepaper.


Microsoft Dynamics 365 #MSDyn365 – CRM Online versus #MSDynCRM On-premise comparison of features, capabilities & updates

The newly announced Microsoft Dynamics 365 is certainly a massive and exciting move by Microsoft to gain additional market share in CRM and ERP business solutions. Dynamics 365, with its CRM, AX and NAV components and the ability to integrate them via the Common Data Service (previously known as the Common Data Model), is certainly an interesting step forward for everyone in the Dynamics community. Microsoft Flow, PowerApps and the new Power BI capabilities all add to the positive hype, but also add to the pressure on Microsoft Dynamics implementation partners to keep up to speed with all these new technologies and features.

One big question my clients are currently asking is whether they should consider CRM Online and AX Online (Dynamics 365), stay on-premises, or run a hybrid model (CRM Online alongside CRM on-premises).

I found this article on Microsoft Dynamics 365 Help and Training (the customer portal) to be a really good high-level comparison that can help businesses make the decision.

In my view, the important observation from the comparison table below is that Microsoft’s increasing focus on artificial intelligence is concentrated on the cloud, with most of these capabilities and features being online only. Other significant and rising features such as Microsoft Dynamics Field Service and Microsoft Project Service Automation are all Dynamics 365 online only. Some excellent new features such as the App designer and Sitemap designer are also Dynamics 365 CRM online only. From a security standpoint, note that customer backup and restore and SIEM-based threat management are likewise listed as online only, so an on-premises deployment has to provide its own equivalents.

Any organisation considering or planning to use any of these features will certainly need to consider Dynamics 365 cloud (previously known as CRM Online).

Here is the full comparison list as per the Dynamics Help and Training article referenced above; more comparisons can be found in the actual article:

Feature                                              | Dynamics 365 (online) / Dynamics 365 (on-premises)
---------------------------------------------------- | --------------------------------------------------
3rd party S2S Inbound Authentication                 | Microsoft Dynamics 365 (online) only
Advanced Service Analytics                           | Microsoft Dynamics 365 (online) only
Analyze with Power BI (requires Power BI)            | Both
App Source                                           | Both
App designer and sitemap designers                   | Microsoft Dynamics 365 (online) only
Business process analytics (requires Power BI)       | Both
Connected Field Service                              | Microsoft Dynamics 365 (online) only
Customer backup and restore                          | Microsoft Dynamics 365 (online) only
Customer Insights service                            | Microsoft Dynamics 365 (online) only
Data Export service                                  | Microsoft Dynamics 365 (online) only
Document suggestions                                 | Microsoft Dynamics 365 (online) only
Dynamics 365 administration                          | Microsoft Dynamics 365 (online) only
Dynamics 365 Admin Role in Office 365                | Microsoft Dynamics 365 (online) only
Dynamics 365 App for Outlook enhancements            | Both
Dynamics 365 Connector Updates for Power App and Flow | Both
Editable grids                                       | Both
Exchange booking integration                         | Both
Field Service enhancements                           | Microsoft Dynamics 365 (online) only
Gamification                                         | Microsoft Dynamics 365 (online) only
Mobile authenticated mashups                         | Microsoft Dynamics 365 (online) only
Mobile homepage with Relationship Insights           | Microsoft Dynamics 365 (online) only
Mobile management enhancements                       | Microsoft Dynamics 365 (online) only
Mobile Offline Data API                              | Both
Mobile UI productivity                               | Both
Modular business apps                                | Both
Office 365 Groups enhancements                       | Microsoft Dynamics 365 (online) only
Online customer backup and restore                   | Microsoft Dynamics 365 (online) only
Partner Portal enhancements                          | Microsoft Dynamics 365 (online) only
Portal service enhancements                          | Microsoft Dynamics 365 (online) only
Project Service Automation enhancements              | Microsoft Dynamics 365 (online) only
Relationship Insights                                | Microsoft Dynamics 365 (online) only
Relevance Search                                     | Microsoft Dynamics 365 (online) only
Resource scheduling optimization                     | Microsoft Dynamics 365 (online) only
Scheduling unification                               | Both
Sovereign cloud Germany                              | Microsoft Dynamics 365 (online) only
Task-based experiences                               | Microsoft Dynamics 365 (online) only
Threat management with SIEM                          | Microsoft Dynamics 365 (online) only
Visual process designer                              | Both

Hope this helps.

Mohamed Mostafa


Managing the Impact of Business Change in your #MSDynCRM Project

Yesterday I was invited to give a talk at the UK Microsoft Dynamics CRM User Group (CRMUG) at the Microsoft offices in Reading, United Kingdom. It was a great opportunity to talk about a subject that is close to my heart, which is managing the impact of business change in CRM projects and specifically #MSDynCRM ones.

I had a great, interactive audience, which meant we all worked together in the session to explore the few points I wanted to discuss. One of the important points in my mind was: how do you define a successful Dynamics CRM project? Is it having no Priority 1 (P1) or P2 issues? Is it the fact that it is within budget and on time? No scope creep? How about ensuring you are hitting your margin / profit / revenue forecast?

In my view, it’s none of the above. You can deliver a great technological solution with minimal bugs (or even no issues at all!), but the real question is: has it delivered the expected business benefits? Has it achieved the overall business objective? How is it marked against the programme benefits case? Or does the project actually have a benefits case that you are working against and aiming to deliver?

In this CRM User Group session, and with the help of a lively audience, we managed to explore how we can actually define the success of a project by debating all of the above questions. I appreciate there is no right or wrong answer, but I think we reached a consensus on what would make a programme of change a success.

Following that, we started to discuss managing the business transformation and change in your project, but that is the subject of another blog post.

In the meantime, if you would like a copy of my slides, please feel free to ask via a comment below and I’ll email them to you.

Thanks!

Mohamed