Is Microsoft Dynamics 365 Ready for GDPR? General Data Protection Regulation considerations for Dynamics 365 CRM Series

This is the second article in my series on GDPR considerations for Microsoft Dynamics 365. If you are not aware of, or not sure in detail about, what GDPR is and how it impacts Microsoft Dynamics 365 solutions and projects, then please read the first article in this series.

In this article, I cover Microsoft Dynamics 365 CRM readiness for GDPR, which is due to become effective on the 25th May 2018. In summary, Microsoft is committed to bringing all of its products, services and processes into compliance with GDPR by May 2018.

For Microsoft Dynamics 365, there are many ways to design your Dynamics 365 CRM solution so that it manages and controls access to your data. Some example approaches use the following capabilities of the Microsoft Dynamics CRM platform:

  • Role-based security in Microsoft Dynamics 365 allows you to group together a set of privileges that limit the tasks a given user can perform, applied against a specific Dynamics CRM entity or a specific task/action privilege. This is an important capability, especially when people change roles within an organization, because that change directly impacts data protection and security.
  • Record-based security in Dynamics 365 allows you to restrict access to specific records using capabilities such as Access Teams in Dynamics 365 CRM.
  • Field-level security allows you to restrict access to specific high-impact fields, such as personally identifiable information and sensitive data such as sexuality, religion and ethnicity/race.

This is essential for GDPR compliance, and I have personally been involved in applying these considerations to some of our ongoing Dynamics 365 projects to ensure our Dynamics 365 solution is in compliance with GDPR in advance. Similarly, all current Dynamics 365 projects and live Dynamics 365 solutions must be updated and modified to ensure compliance with GDPR using these and similar capabilities.

  • Azure Active Directory (Azure AD) helps you protect Dynamics 365 from unauthorized access by simplifying the management of users and groups and allowing you to assign and revoke privileges easily. Azure AD includes tools such as Multi-Factor Authentication for highly secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce the risks associated with administrative privileges through access control, management, and reporting.

Microsoft confirms that it applies mandatory processes and encryption controls to Dynamics 365, both Online / Cloud and on-premises, to comply with GDPR. Some of these include:

  • Security Development Lifecycle: a mandatory Microsoft process that embeds security requirements into every phase of the development process. Dynamics 365 is built using the Security Development Lifecycle.
  • Encryption: in transit between your users’ devices and Microsoft data centers, as well as at rest in a Microsoft database. According to Microsoft, this helps protect your Dynamics 365 data at all times. This control applies particularly to Dynamics CRM Online / Azure Cloud.

Here is also a 20-minute video outlining Microsoft’s commitment to GDPR:

You can read more about Microsoft’s commitment to GDPR in the dedicated GDPR section of the Microsoft website here: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr

You can also visit the Dynamics 365 Trust Centre for full details: https://www.microsoft.com/en-us/trustcenter/cloudservices/dynamics365


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Is your Microsoft Dynamics 365 solution / project ready for GDPR? :: Introducing Dynamics 365 GDPR considerations

If your solution / project is in Europe, built on Microsoft Dynamics 365, and you are not aware of or sure what GDPR is, then you had better act fast! You need to get familiar with it very soon.

GDPR stands for General Data Protection Regulation effective from 18th May 2018.

According to Wikipedia, GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to “simplify” the regulatory environment for international business by unifying the regulation within the EU.

As per the ICO, the UK’s independent body set up to uphold information rights, the GDPR applies to “controllers” and “processors”. The definitions of controllers and processors are broadly the same as those under the Data Protection Act. In short, the controller says how and why personal data is processed, and the processor acts on the controller’s behalf.

If you are a processor, the GDPR places specific legal obligations on you.

For example, if you / your organisation / your solution / your product maintains or stores records of personal data and includes processing activities, you will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR and did not exist as such in the Data Protection Act (DPA).

If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

Applying this to Microsoft Dynamics 365 solutions, especially Dynamics CRM projects, this is a significant legal obligation. The majority, if not all, Dynamics CRM projects include the storage, maintenance and processing of personal data and hence will most probably fall under GDPR rules.

If you are a Dynamics 365 consultant or developer, or working for a Dynamics 365 client or partner implementing Dynamics 365, then you need to be aware of and ready for GDPR, as it directly affects you and your work.

In my next post on GDPR, I will be covering in more detail what obligations you have and how GDPR obligations affect your Dynamics 365 solution/project. So watch this space.

Please comment below if you are interested in this subject and/or if you would like to be informed about the full whitepaper I will be releasing soon about GDPR and Dynamics 365.

Looking forward to reading your comments and finding out whether you are interested in the whitepaper.

Sources:
