Free GDPR Add-on Solution for Microsoft Dynamics 365 CRM Customer Engagement

Today, 25th May 2018, is the day GDPR goes live! To “celebrate” this important day, and as a contribution from me to the Microsoft Dynamics 365 community, I’m offering my Dynamics 365 GDPR Add-on Solution free to the community, both Customers and Partners. You can find a link to download the solution for free at the end of this post.

The solution delivers the following functionality and Data Subject requests:

  1. Consent Management
  2. The Right to be Forgotten (anonymising contacts information)
  3. Personal Identifiable Information (PII) Management

The solution includes the following components:

  1. “Consent” Custom entity with relationship to Contact entity
  2. New form for Contact entity called GDPR and a few additional fields on Contact
  3. “Configuration Settings” entity for capturing config information
  4. A Plugin Assembly for the Anonymisation function
  5. A Workflow for creating tasks to renew Consent at 30, 7 and 0 days from consent end date.

For the solution to work properly, once you import the solution, you will need to do the following:

  1. Create a Queue called “GDPR” so that tasks for consent renewal created by the workflow can be added to this queue.
  2. Create a Configuration Setting record called “GDPR Contact” as shown in the screenshot below. You need to enter the names of the fields you want to be anonymised, separated by semicolons.

The solution takes the approach of anonymising the contact information without actually deleting the contact record. This means everything stays the same and remains attributed to the same contact record, but the record itself will no longer hold any personal identifiable information (PII) of the customer.
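The anonymise-in-place approach and the semicolon-separated “GDPR Contact” setting, modelled as an added example (this is not the add-on's plugin code). It goes slightly beyond the post by reporting mistyped field names; the contact values and setting string are constructed, and clearing a field to an empty value and the protected-key list are assumptions, since the post does not say what the plugin writes.

```python
from copy import deepcopy

# Assumption: keys that tie related records to the contact and must never be wiped.
PROTECTED = {"contactid", "ownerid"}

# Constructed sample record using standard Contact logical names.
SAMPLE_CONTACT = {
    "contactid": "00000000-0000-0000-0000-000000000001",
    "ownerid": "00000000-0000-0000-0000-000000000002",
    "firstname": "Ada",
    "lastname": "Example",
    "emailaddress1": "ada@example.invalid",
    "telephone1": "+44 0000 000000",
    "address1_line1": "1 Sample Street",
}
KNOWN_ATTRIBUTES = set(SAMPLE_CONTACT)
PII_ATTRIBUTES = {"firstname", "lastname", "emailaddress1", "telephone1", "address1_line1"}

# Constructed setting value with typical admin mistakes: stray spaces, an empty
# segment, a duplicate in different case, the primary key, and a misspelt name.
SAMPLE_SETTING = (
    " firstname; lastname ;emailaddress1;;EMailAddress1; telephone1;"
    " contactid; adress1_line1 "
)


def parse_field_list(setting_value):
    """Parse the semicolon-separated field list, dropping blanks and duplicates."""
    seen, fields = set(), []
    for raw in (setting_value or "").split(";"):
        name = raw.strip().lower()  # logical names are lowercase
        if name and name not in seen:
            seen.add(name)
            fields.append(name)
    return fields


def anonymise_contact(contact, setting_value, known_attributes):
    """Return (anonymised copy, report); the record is neither deleted nor mutated.

    The report separates fields that were cleared, names refused because they
    are protected keys, and names that do not exist on the entity.
    """
    result = deepcopy(contact)
    report = {"cleared": [], "refused": [], "unknown": []}
    for name in parse_field_list(setting_value):
        if name in PROTECTED:
            report["refused"].append(name)
        elif name not in known_attributes:
            report["unknown"].append(name)  # usually a typo in the setting
        else:
            result[name] = None  # clear the value; the row and its id stay
            report["cleared"].append(name)
    return result, report


def residual_pii(record, pii_attributes):
    """PII attributes that still hold a value after anonymisation."""
    return sorted(a for a in pii_attributes if record.get(a) not in (None, ""))


if __name__ == "__main__":
    anonymised, report = anonymise_contact(SAMPLE_CONTACT, SAMPLE_SETTING, KNOWN_ATTRIBUTES)
    print(report)
    print("PII left behind:", residual_pii(anonymised, PII_ATTRIBUTES))
```

The misspelt `adress1_line1` is the case to watch: the run completes, yet the address survives, so a post-anonymisation check such as `residual_pii` is what shows whether the request was actually fulfilled.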

Here are screenshots on how the “Anonymise” button works:

GDPR Contact Form:

Click on “Anonymise” button:

Anonymised Contact record:

I hope this solution helps many in the Dynamics 365 community. If you find this solution helpful, please review and/or vote on this solution. I’ll be happy to support the solution where I can (and based on its popularity).

N.B. The solution is provided as is with no warranty. It does not guarantee GDPR compliance and your organisation will still need to ensure they are compliant.

Dynamics 365 Saturday in Amsterdam February 2018 – Event Summary and GDPR Slides

We have recently had a fantastic two days as part of our Dynamics 365 Saturday event and Hackathon. It started with a Hackathon on Friday afternoon all the way until the end of the night then followed by a Dynamics 365 Saturday full day event. We had some amazing content including opening keynote by Ben Vollmer, Microsoft Dynamics 365 Field Service Global Lead. We also had an excellent closing keynote by Steven Kaplan, LinkedIn Group Manager for Sales Navigator and an ex-Microsoft Dynamics exec himself.

I had the pleasure to interview Steve as part of the Question and Answer section of the closing keynote. You can read more about the event on this blog post:

You can also see my live LinkedIn video from the closing keynote here:

We have also had some fantastic feedback from various attendees including this potential Dynamics 365 Customer:

I have also delivered a session on my “favourite” subject: GDPR. The session was titled: Business and Technical Design considerations for a GDPR compliant Dynamics 365 solution.

I’ve been asked many times about the session slides and I have just got round to uploading them. You can find them at the following location:

Enjoy! I hope you find the slides useful.

Directions EMEA 2017 Dynamics 365 GDPR Compliance Session Slides

Presented by myself and James Crowter, we have received various requests to share our slides from Directions EMEA 2017. I have added these here but please note that I have added more information than the original presentation slides. Hopefully it will be of some benefit to some of you.

Please note there is NO WARRANTY for this document and is provided as is without any guarantees. You should not make business decisions based on these or any similar high level material.

Microsoft Dynamics 365 & GDPR compliance – Oslo #MSDyn365 event slides and updates

I had a really great audience and some excellent interactions at my Microsoft Dynamics 365 #GDPR compliance session in the stunning #Oslo at Microsoft Norway. I’ve heard and discussed several shared concerns on GDPR’s significant impact on #CRM solutions, its complexities and how soon the regulation is coming!

I also want to thank everyone for their positive and encouraging feedback. That’s what keeps me (and other MVPs) going and makes us continue to help the Dynamics 365 community with passion!

As per everyone’s request, I have incorporated our useful interactions into my slides and you can now download them via the link below on this post or on http://CRM.Boutique (free registration is required).

If you would like to attend this session again in person, then you can join me at our next Free Microsoft Dynamics 365 event in Milan at Microsoft Italy offices on 16th September 2017. This will be another great CRM Saturday event, this time in Italy.

One last off-topic point: Oslo and Norway are absolutely stunning (did I say that before?). If you haven’t been there, then try visiting soon – preferably in the summer. Make sure you: a) take the Oslo Fjord cruise, b) do the Oslo River walk and c) eat plenty of Norwegian fish (especially Salmon).

I leave you with some photos from the event and amazing Norway!


What to look for when preparing for GDPR compliance? How can Dynamics 365 security & audit capabilities help?

This post is part of my GDPR series where I share some of my learnings and research on GDPR in general and how it affects my Dynamics 365 Clients and their Solutions / programmes. You can read the whole GDPR series here.

In this post, I’m trying to highlight key areas where organisations need to focus their attention and resources to ensure their compliance. This is not an exhaustive list of all key areas, but these are in my view the most urgent ones.

These key areas are: Data Classification, Metadata, Governance and Monitoring.

For Data Classification, this goes back to how you define your customers’ data as Personal Identifiable Information (PII), sensitive information or just general non-PII data. You need to know all the PII and sensitive data locations in all your systems and solutions, including files such as documents, presentations and Excel spreadsheets. If you don’t know where your data is stored then you can’t really protect it, and you will more than likely be at risk of losing some information and facing a massive GDPR related fine.

The second key area is metadata or audit information about collected and stored data. This includes the When, Why and What for questions: when the data was collected, why you collected it and what you are going to use it for in the future. If you know the answer to these questions, you should then follow this up with a regularly planned audit of your solutions / IT Systems to check if you should continue to store the data in the future. It is good practice to only store information you require to conduct daily business activities and nothing more than you need.

Applying this point to Dynamics 365 CRM means ensuring Auditing is switched on for all your Customer entities, mainly Contact and Account entities and other custom entities you might have created for your customers or persons you have relationships with. Auditing can be switched on through the customisation area of Dynamics CRM.

The next key area of focus for businesses preparing for GDPR is the governance and protection of the data, including identifying who can access which data and under what circumstances. It also includes putting in place procedures for data access authorisation, applying suitable security roles and limiting access to data at a granular level if needed. Microsoft Dynamics 365 has a wide variety of functionality and capability that can allow any business to apply these GDPR considerations to their Dynamics Solution. Capabilities include User/Access Team security, Security Roles, Business Units as data containers, Field Level Security Profiles, Auditing, Multiple Forms per entity and many more great functionalities with lots of flexibility to achieve your optimal GDPR governance process.

Finally, the last key area that businesses should give attention to as part of their preparation for GDPR is Monitoring. GDPR stipulates that organisations must have robust procedures for monitoring data access and strict security measures in an “Always monitoring” mode that immediately alerts relevant parties in case of any data breach. Security procedures and processes should include review of patterns of data access and making sure any irregularities and unexpected behaviour (from a person or a system) are spotted at a very early stage.

With that, I hope I have covered some of the key areas of consideration for organisations preparing for GDPR compliance, especially those with a Dynamics 365 CRM system. If you need help making your Dynamics 365 solution GDPR compliant and want to know more about Dynamics capabilities and functionality that allow you to achieve that, then please do get in touch via the contact page.

Hope this helps!

Disclaimer: This post, like all other posts on my blog, is provided as is with no warranties. Please note that I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion!

Accelerate your GDPR compliance with Microsoft Azure Cloud – a Microsoft blog

As my blog readers are aware, I’m a keen learner, reader and blogger on GDPR Compliance and Customer Relationship Management solutions with focus on Dynamics 365 CRM.

Recently, Microsoft published an interesting blog post (which I’m sure won’t be the last) about how Microsoft Cloud can help businesses accelerate their GDPR compliance. You can read it all here:

I’m particularly interested in the fact that hosting your application in a GDPR compliant Cloud minimises your business’s risk of GDPR fines (up to 4% of your business revenue). This is because if you host your solutions in the Cloud, you have “outsourced” a good portion of your liability to your Cloud vendor. This obviously does not remove your business’s direct liability for GDPR but it removes your need to spend time, resources and money ensuring that your on-premise data centre (or server rack!) is compliant with GDPR including who can access it physically and virtually/remotely.

Microsoft Cloud has become the first Cloud Vendor (and I think the only one so far) to make a GDPR contractual commitment to all its Cloud clients.

You can read the rest of my articles on GDPR and CRM / Dynamics 365 under this section of my blog:

GDPR Series: Protecting Dynamics 365 Customer Sensitive Data and Personal Identifiable Data in the new GDPR world

In the new world of Europe’s General Data Protection Regulation (GDPR), businesses, organisations and delivery partners are now directly responsible for the protection of Customers Data and everything related to processing it including: Who, How, Where and Why. This is another article in my series on GDPR and Dynamics 365 Compliance for this data protection regulation. You can find all articles on this subject here.

Customer Data can be divided into two main categories:

  1. Personal Identifiable Data (PID for short): This is any data that a customer can be identified with. This may include customers’ first and last name, email address, phone number, address, National Insurance number, GPS / Geographical & location data, etc.
  2. Sensitive Data: This is any data that is regarded as sensitive by Customers which businesses may need to capture for regulatory reporting purposes or for their own operational and diversity reporting needs. This includes: Sexuality (Sexual orientation), Religion, Ethnicity or Race, Disability, etc.

Many businesses need Personal Identifiable Data (Category 1) for their daily operations so this data is normally accessible by all its employees. However, some businesses do not need to know of or capture sensitive data unless for operational, reporting or regulatory compliance reasons as stated above. If a business doesn’t need sensitive data, they are encouraged not to capture it. However, it is obviously essential for all businesses to have some PID about their customers.

Now, how can the Dynamics 365 security model help you ensure your business or solution is GDPR compliant?

The Dynamics 365 CRM security model has a number of features that allow a business to protect, hide and separate customers’ sensitive data from customers’ PID so that the former is only accessible by a subset of employees. However, the latter (PID) will need to be available to all employees who need this information to perform their work activity, with the added protection that prevents loss of PID and any other customer data.

Every business needs to rigorously protect their Customer Data from loss and should invest in all the necessary resources, controls and systems to prevent data loss with all its consequences of brand damage, compensation payments and hefty fines, especially with the new Data loss fines. Robust data protection controls in Dynamics 365 solutions can be achieved in many ways and various flavours. Dynamics 365 provides an array of capabilities to utilise, including Security Roles, Access Teams, Field Level Security and Business units / teams / users ownership, that can all be used to apply robust security measures on your data in Dynamics CRM solutions.

Protecting Customer PID and Sensitive data should include considerations of who can export data into Excel to avoid data loss. This is a very important consideration, and locking down this privilege in security roles allocated to users who don’t need this functionality should always be a high priority as part of your Solution Security Design.

Here is the “Export to Excel” privilege in security roles:


Additionally, Sensitive data (category 2 above) should only be presented to organisation employees who require access to it. To achieve this in Dynamics 365 CRM, you can do the following:

  1. Set up two forms for your Dynamics CRM Contact (Customer) entity: One form is the Main Form that is accessible by the whole organisation and another form which additionally includes sensitive data. This second form should then be only allocated to a special Security Role that allows access to this sensitive data. For example: Sensitive data security role.
  2. This first step only protects the display of the data but it does not protect sensitive data from being searched or reported on. To actually protect the sensitive data fields completely, you will need to create a Field Level Security Profile and allocate it to the Team / Security role you have allowed access to sensitive data.
  3. Once this is done, you can then allocate a selected number of users to this team / security role so they can access your sensitive data.
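Why step 1 alone is not enough, as an added example (a constructed model of the design, not a Dynamics API and not code from this post). The `new_*` field names, the user names and the “Salesperson” role are hypothetical, and the model ignores System Administrators.

```python
# Constructed design data. SENSITIVE holds hypothetical custom Contact fields.
SENSITIVE = {"new_religion", "new_ethnicity", "new_disability"}

FORMS = {
    "Main": {
        "fields": {"firstname", "lastname", "emailaddress1"},
        "roles": {"Salesperson", "Sensitive data security role"},
    },
    "Sensitive": {
        "fields": {"firstname", "lastname", "emailaddress1"} | SENSITIVE,
        "roles": {"Sensitive data security role"},
    },
}

# Field Level Security profile: which secured fields its members may read.
PROFILES = {
    "Sensitive data profile": {"read": set(SENSITIVE), "members": {"hr.user"}},
}

USERS = {
    "sales.user": {"Salesperson"},
    "hr.user": {"Sensitive data security role"},
}


def exposure(sensitive, forms, secured, profiles, users):
    """Per user: sensitive fields shown on their forms, readable by query,
    and the gap between the two (hidden on forms yet still searchable).

    `secured` is the set of fields with field-level security switched on.
    """
    report = {}
    for user, roles in users.items():
        on_form = set()
        for form in forms.values():
            if form["roles"] & roles:
                on_form |= form["fields"] & sensitive
        by_query = set()
        for field in sensitive:
            if field not in secured:
                # Not secured: readable by anyone with Read on the entity,
                # through search, views or reports, whatever form they see.
                by_query.add(field)
            elif any(user in p["members"] and field in p["read"]
                     for p in profiles.values()):
                by_query.add(field)
        report[user] = {
            "on_form": sorted(on_form),
            "by_query": sorted(by_query),
            "hidden_but_queryable": sorted(by_query - on_form),
        }
    return report


if __name__ == "__main__":
    designs = [
        ("forms only", set()),
        ("one field missed", {"new_religion", "new_ethnicity"}),
        ("all secured", SENSITIVE),
    ]
    for label, secured in designs:
        result = exposure(SENSITIVE, FORMS, secured, PROFILES, USERS)
        print(label, "->", result["sales.user"]["hidden_but_queryable"])
```

Any field listed under `hidden_but_queryable` is one a user cannot see on a form but can still search or report on, which is exactly the gap step 2 closes.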


The above approach is obviously just one way of achieving this requirement of protecting customers sensitive data for GDPR compliance. However, there are many other ways of achieving this and you can always adjust your Dynamics 365 solution design to your exact business and solution requirements.

Hope this helps!


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Microsoft becomes the first Cloud Provider to offer GDPR contractual commitment publicly

In an official Microsoft blog post, Microsoft has guaranteed contractual public commitment for the European Union’s General Data Protection regulation (GDPR), a privacy regulation which goes into effect on May 25, 2018.

If your organization collects, hosts or analyses personal data of EU residents, GDPR provisions require you to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR.

Microsoft is making its contractual commitments available so that it provides key GDPR-related assurances about Microsoft services. Microsoft contractual commitments guarantee that any organisation using Microsoft cloud can:

  • Respond to requests to correct, amend or delete personal data.
  • Detect and report personal data breaches.
  • Demonstrate compliance with the GDPR.

This is great news for all Microsoft Azure cloud customers and equally significant for Microsoft Dynamics 365 CRM Customers in Europe who are directly impacted by all the new GDPR regulations.

Read the full blog post at


Earning your trust with contractual commitments to the General Data Protection Regulation

What’s different in GDPR from existing Data Protection Act & how it impacts Dynamics 365

This is the third article in my series covering GDPR considerations for Dynamics 365. If you haven’t read the previous two articles, then you can read the first post here and the second article here.

In this post, I’m covering some of the highlights of GDPR and how they affect Dynamics 365. The main changes and their impact on Dynamics 365 can be summarised in the following points:

  1. GDPR applies to EU citizens’ personal data even if the data is processed outside the EU. This was not the case before. This has a massive impact on outsourcing development work to teams outside of the EU, as it may mean a change to implementation processes or lack of access to data in order to comply.
  2. With GDPR, you are required to have explicit and informed consent from your data subjects (e.g. customers). This consent must be given to all entities that will process or analyse personal data. The consent should also be easy to withdraw. This is particularly important for Dynamics 365 Portals and websites, which must allow customers to easily withdraw their consent for you to access, process or analyse their data. This means your Dynamics 365 system and its portals must have the processes and the capability to allow for such easy withdrawal of consent.
  3. GDPR will give customers the right to compensation for monetary damages in the event that unlawful data processing occurs. Fines could go as high as 1 million Euros or up to 2% of a company’s total worldwide annual turnover for non-compliance!
  4. Mandatory risk assessments and in-house data protection offices mean you have to include rigorous Dynamics 365 data protection policies in your system and in your implementation project, covering everyone who may process any data in your Dynamics CRM system, to be GDPR compliant.
  5. GDPR brings reporting requirements for every person or entity that is part of the Cloud supply chain. So every supplier and every contractor (not just employee) with access to Dynamics 365 cloud will have direct accountability and the vendor, Microsoft in this case, as well as the clients and Dynamics partners will have to satisfy reporting requirements on who can access this data.


In this post, we covered 5 main GDPR changes that will impact Dynamics 365 projects and live systems. These are really important considerations and changes that require amendments and adjustments to Dynamics 365 solutions and implementation projects.

In my next article, I’ll be covering in detail 7 areas of interest that directly impact Dynamics 365 programmes and solutions once GDPR is effective in May 2018:

  • Personal Identifiable Data (PII)
  • Customer Sensitive data versus Personal Identifiable Data & how to handle in Dynamics 365
  • Children data
  • Consent
  • The Right to Data Portability
  • Governance and Accountability
  • Incident and Breach Management


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Is Microsoft Dynamics 365 Ready for GDPR ? General Data Protection Regulation considerations for Dynamics 365 CRM Series

This is the second article in my series on GDPR considerations for Microsoft Dynamics 365. If you are not aware or not sure in detail what GDPR is and how it impacts Microsoft Dynamics 365 Solutions and Projects, then please read my first article in this series.

In this article, I’m trying to cover Microsoft Dynamics 365 CRM readiness for GDPR, which is due to be effective on the 25th May 2018. In summary, Microsoft is committed to bringing all its products, services and processes into compliance with GDPR by May 2018.

For Microsoft Dynamics 365, there are many ways where you can design your Dynamics 365 CRM Solution to manage and control access to your data. Some example approaches include the following capabilities in Microsoft Dynamics CRM platform:

  • Role-based security in Microsoft Dynamics 365 allows you to group together a set of privileges that limit the tasks that can be performed by a given user applied against a specific Dynamics CRM entity or specific task/action privilege. This is an important capability, especially when people change roles within an organization and directly impact data protection and security.
  • Record-based security in Dynamics 365 allows you to restrict access to specific records using capabilities such as Access Teams in Dynamics 365 CRM
  • Field-level security allows you to restrict access to specific high-impact fields, such as personally identifiable information and sensitive data such as sexuality, religion and ethnicity/race.

This is essential for GDPR compliance and I have personally been involved in applying these considerations to some of our ongoing Dynamics 365 projects to ensure our Dynamics 365 solution is in compliance with GDPR in advance. Similarly, all current Dynamics 365 projects and live Dynamics 365 solutions must be updated and modified to ensure compliance with GDPR using these and similar capabilities.

  • Azure Active Directory (Azure AD) helps you protect Dynamics 365 from unauthorized access by simplifying the management of users and groups and allowing you to assign and revoke privileges easily. Azure AD includes tools such as Multi-Factor Authentication for highly-secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce risks associated with administrative privileges through access control, management, and reporting.

Microsoft confirms they have mandatory processes and encryption restrictions within Dynamics 365 both Online / Cloud and on-premise to comply with GDPR. Some of these include:

  • Security Development Lifecycle: a mandatory Microsoft process that embeds security requirements into every phase of the development process. Dynamics 365 is built using the Security Development Lifecycle.
  • Encryption: in transit between your users’ devices and Microsoft data centers, as well as while at rest in a Microsoft database. This helps protect your Dynamics 365 data at all times according to Microsoft. This restriction particularly applies to Dynamics CRM Online / Azure Cloud.

Here is also a 20-minute video outlining Microsoft’s commitment to GDPR:

You can read more about Microsoft’s commitment to GDPR on their dedicated GDPR section on the Microsoft website here:

You can also visit the Dynamics 365 Trust Centre for full details.


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂