What to look for when preparing for GDPR compliance? How can Dynamics 365 security & audit capabilities help?

This post is part of my GDPR series where I share some of my learnings and research on GDPR in general and how it affects my Dynamics 365 Clients and their Solutions / programmes. You can read the whole GDPR series here.
In this post, I’m trying to highlight the key areas where organisations need to focus their attention and resources to ensure their compliance. This is not an exhaustive list of all key areas, but they are, in my view, the most urgent ones.
These key areas are: Data Classification, Metadata, Governance and Monitoring.
For Data Classification, this goes back to how you define your customers’ data as Personally Identifiable Information (PII), sensitive information or just general non-PII data. You need to know all the PII and sensitive data locations in all your systems and solutions, including files such as documents, presentations and Excel spreadsheets. If you don’t know where your data is stored then you can’t really protect it, and you will more than likely be at risk of losing some information and face a massive GDPR-related fine.
The second key area is metadata, or audit information, about collected and stored data. This covers the When, Why and What-for questions: when the data was collected, why you collected it and what you are going to use it for in the future. If you know the answers to these questions, you should then follow this up with regularly planned audits of your solutions / IT systems to check whether you should continue to store the data in the future. It is good practice to store only the information you require to conduct daily business activities and nothing more than you need.
Applying this point to Dynamics 365 CRM means ensuring Auditing is switched on for all your customer entities, mainly the Contact and Account entities and any other custom entities you might have created for your customers or the persons you have relationships with. Auditing can be switched on through the customisation area of Dynamics CRM.
The next key area of focus for businesses preparing for GDPR is the governance and protection of the data, including identifying who can access which data and under what circumstances. It also includes putting in place procedures for data access authorisation, applying suitable security roles and limiting access to data at a granular level where needed. Microsoft Dynamics 365 has a wide variety of functionality and capability that allows any business to apply these GDPR considerations to their Dynamics solution. Capabilities include User/Access Team security, Security Roles, Business Units as data containers, Field Level Security Profiles, Auditing, Multiple Forms per entity and many more great functionalities, with lots of flexibility to achieve your optimal GDPR governance process.
Finally, the last key area that businesses should give attention to as part of their preparation for GDPR is Monitoring. GDPR stipulates that organisations must have robust procedures for monitoring data access and strict security measures in an “always monitoring” mode that immediately alerts the relevant parties in case of any data breach. Security procedures and processes should include reviewing patterns of data access and making sure any irregularities and unexpected behaviour (from a person or a system) are spotted at a very early stage.
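As an added illustration of the kind of access-pattern review described above (this is example code written for this post, not Microsoft code and not the output of any real Dynamics 365 audit export), the script below reads a small set of constructed audit lines in an assumed CSV layout of timestamp, user, entity and operation, and flags two simple irregularities: a user reading far more Contact/Account records in a day than a chosen threshold, and any access outside normal business hours. The threshold, the business-hours window and the record layout are all assumptions for the example; the real audit data exported from Dynamics 365 would need its own parser and a baseline tuned to your organisation.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit lines in an assumed CSV layout:
# timestamp,user,entity,operation. Not real Dynamics 365 audit records.
SAMPLE_AUDIT = [
    "2018-05-14T09:02:11Z,alice,contact,Read",
    "2018-05-14T09:40:30Z,alice,account,Update",
    "2018-05-14T11:15:00Z,alice,contact,Read",
    "2018-05-14T23:15:42Z,carol,contact,Read",   # late-night access
    "2018-05-15T08:30:00Z,carol,contact,Read",
] + [
    # one user reading twelve contact records in a single hour
    f"2018-05-14T10:{m:02d}:00Z,bob,contact,Read" for m in range(12)
]


def parse_audit(lines):
    """Turn each CSV line into a dict with a timezone-aware UTC timestamp."""
    records = []
    for line in lines:
        ts, user, entity, op = line.strip().split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"time": when, "user": user, "entity": entity, "operation": op})
    return records


def daily_access_counts(records, entities=("contact", "account")):
    """Count Read operations per (user, day) on the customer entities of interest."""
    counts = defaultdict(int)
    for r in records:
        if r["entity"] in entities and r["operation"] == "Read":
            counts[(r["user"], r["time"].date().isoformat())] += 1
    return dict(counts)


def flag_volume_spikes(records, per_day_threshold=10):
    """Users whose daily read count exceeds the (assumed) threshold."""
    return sorted(
        (user, day, n)
        for (user, day), n in daily_access_counts(records).items()
        if n > per_day_threshold
    )


def flag_out_of_hours(records, start_hour=8, end_hour=18):
    """Any access outside the assumed business-hours window (UTC)."""
    return [
        (r["user"], r["time"].isoformat())
        for r in records
        if not (start_hour <= r["time"].hour < end_hour)
    ]


def review(lines, per_day_threshold=10):
    """Run both checks and return the findings for a reviewer to follow up."""
    records = parse_audit(lines)
    return {
        "volume_spikes": flag_volume_spikes(records, per_day_threshold),
        "out_of_hours": flag_out_of_hours(records),
    }


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_AUDIT).items():
        print(kind)
        for finding in findings:
            print("   ", finding)
```

On the constructed data this reports bob’s twelve reads on 14 May as a volume spike and carol’s 23:15 read as out-of-hours access; neither finding is proof of wrongdoing, only a prompt for the reviewer to check the access against a legitimate business reason, which is exactly the early-stage review the paragraph above calls for.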
With that, I hope I have covered some of the key areas of consideration for organisations preparing for GDPR compliance, especially those with a Dynamics 365 CRM system. If you need help making your Dynamics 365 solution GDPR compliant and want to know more about the Dynamics capabilities and functionality that allow you to achieve that, then please do get in touch via the contact page.
Hope this helps!
Disclaimer: This post, like all other posts on my blog, is provided as is with no warranties. Please note that I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog, including the GDPR series, are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion!