What to look for when preparing for GDPR compliance? How can Dynamics 365 security & audit capabilities help?

This post is part of my GDPR series where I share some of my learnings and research on GDPR in general and how it affects my Dynamics 365 Clients and their Solutions / programmes. You can read the whole GDPR series here.
In this post, I’m trying to highlight the key areas where organisations need to focus their attention and resources to ensure their compliance. This is not an exhaustive list of all key areas, but these are, in my view, the most urgent ones.
These key areas are: Data Classification, Metadata, Governance and Monitoring.
For Data Classification, this goes back to how you define your customers’ data: Personally Identifiable Information (PII), sensitive information, or just general non-PII data. You need to know every location where PII and sensitive data live across all your systems and solutions, including files such as documents, presentations and Excel spreadsheets. If you don’t know where your data is stored, you can’t protect it, and you are very likely to lose some of it and face a large GDPR-related fine.
The second key area is metadata, or audit information, about the data you collect and store. This covers the When, Why and What For questions: when the data was collected, why you collected it, and what you are going to use it for in the future. Once you can answer these questions, follow up with regular, planned audits of your solutions and IT systems to check whether you should continue to store the data. It is good practice to store only the information you require to conduct daily business activities and nothing more.
Applied to Dynamics 365 CRM, this means ensuring Auditing is switched on for all your customer entities, mainly the Contact and Account entities plus any custom entities you have created for customers or other people you hold relationships with. Note that auditing in Dynamics 365 is layered: it must be enabled at the organisation level (System Settings, Auditing tab), on each entity, and on each field you want tracked; an entity or field setting on its own does nothing while the organisation-level switch is off. Entity and field auditing is switched on through the customisation area of Dynamics CRM.
The next key area of focus for businesses preparing for GDPR is governance and protection of the data, including identifying who can access which data and under what circumstances. It also includes putting procedures in place for authorising data access, applying suitable security roles, and limiting access to data at a granular level where needed. Microsoft Dynamics 365 has a wide variety of functionality that lets any business apply these GDPR considerations to their Dynamics solution. Capabilities include User and Access Team security, Security Roles, Business Units as data containers, Field Level Security Profiles, Auditing, multiple forms per entity, and many more, with plenty of flexibility to achieve the governance process you need.
Finally, the last key area businesses should give attention to as part of their GDPR preparation is Monitoring. GDPR requires organisations to detect personal data breaches and report them to the supervisory authority without undue delay (within 72 hours where feasible), and to notify the affected individuals where the breach is likely to put them at high risk. In practice this means always-on monitoring of data access, with alerts that reach the relevant parties immediately when a breach is suspected. Security procedures and processes should include reviewing patterns of data access and making sure any irregularities or unexpected behaviour (from a person or a system) are spotted at a very early stage.
With that, I hope I have covered some of the key areas of consideration for organisations preparing for GDPR compliance, especially those running a Dynamics 365 CRM system. If you need help making your Dynamics 365 solution GDPR compliant, and want to know more about the Dynamics capabilities that allow you to achieve that, please get in touch via the contact page.
Hope this helps!
Disclaimer: This post, like all other posts on my blog, is provided as is with no warranties. Please note that I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog, including the GDPR series, are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion!

Accelerate your GDPR compliance with Microsoft Azure Cloud – a Microsoft blog

As my blog readers are aware, I’m a keen learner, reader and blogger on GDPR Compliance and Customer Relationship Management solutions with focus on Dynamics 365 CRM.

Recently, Microsoft published an interesting blog post (which I’m sure won’t be the last) about how Microsoft Cloud can help businesses accelerate their GDPR compliance. You can read it all here:

https://blogs.microsoft.com/blog/2017/05/24/accelerate-gdpr-compliance-microsoft-cloud/

I’m particularly interested in the point that hosting your application in a GDPR-compliant cloud reduces your exposure to GDPR fines (up to 4% of worldwide annual turnover or €20 million, whichever is higher). Under GDPR the cloud vendor is your processor and carries its own obligations for the infrastructure it runs, so part of the compliance burden is shared with it. This does not remove your direct liability as the controller for the data you collect and how you use it, but it does remove the need to spend time, resources and money ensuring that your on-premise data centre (or server rack!) is compliant, including who can access it physically and remotely.

Microsoft has become the first cloud vendor (and, as far as I know, the only one so far) to make contractual GDPR commitments to all of its cloud clients.

You can read the rest of my articles on GDPR and CRM / Dynamics 365 under this section of my blog:

http://www.mohamedmostafa.co.uk/blog/category/gdpr/

GDPR Series: Protecting Dynamics 365 Customer Sensitive Data and Personal Identifiable Data in the new GDPR world

In the new world of Europe’s General Data Protection Regulation (GDPR), businesses, organisations and delivery partners are now directly responsible for the protection of customer data and everything related to processing it, including who processes it, how, where and why. This is another article in my series on GDPR and Dynamics 365 compliance with this data protection regulation. You can find all articles on this subject here.

Customer Data can be divided into two main categories:

  1. Personally Identifiable Data (PID for short): any data from which a customer can be identified. This may include the customer’s first and last name, email address, phone number, postal address, National Insurance number, GPS / geographical and location data, etc.
  2. Sensitive Data: any data regarded as sensitive by customers which businesses may need to capture for regulatory reporting or for their own operational and diversity reporting needs. GDPR calls these the “special categories of personal data”, and they include sexual orientation, religion, ethnicity or race, disability (health data), etc.

Many businesses need Personally Identifiable Data (category 1) for their daily operations, so this data is normally accessible to all their employees. However, most businesses do not need to capture sensitive data except for the operational, reporting or regulatory compliance reasons stated above. If a business doesn’t need sensitive data, it should not capture it. It is, of course, essential for every business to hold some PID about its customers.

Now, how can the Dynamics 365 security model help you make your business or solution GDPR compliant?

The Dynamics 365 CRM security model has a number of features that allow a business to protect, hide and separate customers’ sensitive data from their PID, so that sensitive data is accessible only to a subset of employees while PID remains available to every employee who needs it to do their job, with added protection against loss of PID or any other customer data.

Every business needs to rigorously protect its customer data from loss or unauthorised disclosure and should invest in the resources, controls and systems needed to prevent a breach, with its consequences of brand damage, compensation payments and hefty fines, especially the new GDPR fines. Robust data protection controls in Dynamics 365 solutions can be achieved in many ways. Dynamics 365 provides an array of capabilities, including Security Roles, Access Teams, Field Level Security, and Business Unit / Team / User ownership, that can be combined to apply robust security measures to your data in Dynamics CRM solutions.

Protecting customer PID and sensitive data should include deciding who can export data to Excel, since a spreadsheet on a laptop is one of the most common ways customer data leaks. Locking down this privilege in the security roles allocated to users who don’t need the functionality should always be a high priority in your solution security design. Bear in mind that Export to Excel is only one exit route: users who can read a record can still get its data through reports, Advanced Find and views, Word templates, the Outlook client, or the Web API / OData endpoints, so removing the Excel privilege reduces casual bulk export but is not a data loss prevention boundary on its own.

Here is the “Export to Excel” privilege in security roles (screenshot):

 

Additionally, Sensitive data (category 2 above) should only be presented to organisation employees who require access to it. To achieve this in Dynamics 365 CRM, you can do the following:

  1. Set up two forms for your Dynamics CRM Contact (customer) entity: a Main Form that is accessible to the whole organisation, and a second form which additionally includes the sensitive fields. Assign this second form only to a dedicated security role that is allowed access to the sensitive data, for example a Sensitive Data security role.
  2. The first step only controls which form displays the data; it does not stop the sensitive fields from being shown on other forms or views, searched with Advanced Find, reported on, or read through the API. To actually protect the sensitive fields, enable field-level security on each of them and create a Field Level Security Profile that grants read (and, if needed, update and create) permission on those fields. Note that field security profiles are assigned to users and teams, not to security roles, so allocate the profile to the team you use for sensitive data access.
  3. Once this is done, add a selected number of users to that team (and give them the Sensitive Data security role) so they can access your sensitive data. Remember that users with the System Administrator security role can read all secured fields regardless of your profiles, so keep that role to a minimum.

 

The above approach is obviously just one way of meeting the requirement to protect customers’ sensitive data for GDPR compliance. There are many other ways, and you can always adjust your Dynamics 365 solution design to your exact business and solution requirements.
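As an added example (not code from the original post, nor from Microsoft), here is a small Python review script that checks the controls described in this post and in the earlier post on auditing: which required customer entities are not audited, which users hold a role granting the Export to Excel privilege, which fields tagged as sensitive are not under field-level security, and who can actually read each secured field. It runs over a constructed snapshot rather than a live org. The snapshot layout, the `sensitive` tag, and the user, role and profile names are assumptions for the example; the field names loosely mirror the Web API (`organization.isauditenabled`, the entity `IsAuditEnabled` flag, attribute `IsSecured`, `fieldpermissions.canread`), and `prvExportToExcel` is the Dynamics privilege behind Export to Excel.

```python
"""GDPR control review over a constructed Dynamics 365 configuration snapshot.

The snapshot shape is an assumption for this example (simplified from the
Web API fields named in the lead-in); nothing here talks to a live org.
"""

EXPORT_PRIVILEGE = "prvExportToExcel"   # privilege behind "Export to Excel"
ADMIN_ROLE = "System Administrator"     # bypasses field security profiles by default
CAN_READ = 4                            # fieldpermissions.canread: 4 = allowed, 0 = not allowed

# Constructed sample org: not real customer data, names are invented.
SNAPSHOT = {
    "organization": {"isauditenabled": True},
    "entities": {
        "contact": {
            "audit": True,
            "attributes": {
                "firstname":             {"sensitive": False, "secured": False},
                "emailaddress1":         {"sensitive": False, "secured": False},
                "new_religion":          {"sensitive": True,  "secured": True},
                "new_sexualorientation": {"sensitive": True,  "secured": False},
            },
        },
        "account": {"audit": False, "attributes": {}},
    },
    "roles": {
        "Salesperson":           ["prvReadContact", EXPORT_PRIVILEGE],
        "Sensitive Data Reader": ["prvReadContact"],
        ADMIN_ROLE:              ["prvReadContact", EXPORT_PRIVILEGE],
    },
    "users": {
        "alice": ["Salesperson"],
        "bob":   ["Sensitive Data Reader"],
        "carol": [ADMIN_ROLE],
    },
    "field_security_profiles": {
        "Sensitive Data Profile": {
            "members": ["bob"],
            "permissions": [
                {"entity": "contact", "attribute": "new_religion", "canread": CAN_READ},
            ],
        },
    },
}


def entities_without_audit(snapshot, required=("contact", "account")):
    """Required customer entities whose changes will not be recorded.

    Auditing is layered: if the org-level switch is off, nothing is audited
    no matter what the entity flags say, so every required entity is a gap.
    """
    if not snapshot["organization"].get("isauditenabled", False):
        return sorted(required)
    ents = snapshot["entities"]
    return sorted(e for e in required if not ents.get(e, {}).get("audit", False))


def users_who_can_export(snapshot):
    """Users holding at least one role that grants Export to Excel."""
    roles = snapshot["roles"]
    return sorted(
        user for user, user_roles in snapshot["users"].items()
        if any(EXPORT_PRIVILEGE in roles.get(r, []) for r in user_roles)
    )


def unsecured_sensitive_fields(snapshot):
    """Fields tagged sensitive but not under field-level security: anyone
    with read on the entity can see, search and report on them."""
    return sorted(
        f"{ent}.{attr}"
        for ent, meta in snapshot["entities"].items()
        for attr, props in meta["attributes"].items()
        if props["sensitive"] and not props["secured"]
    )


def sensitive_readers(snapshot):
    """Who can read each secured sensitive field: members of a profile that
    grants read, plus System Administrators, who bypass profiles by default."""
    admins = {u for u, rs in snapshot["users"].items() if ADMIN_ROLE in rs}
    readers = {}
    for ent, meta in snapshot["entities"].items():
        for attr, props in meta["attributes"].items():
            if props["sensitive"] and props["secured"]:
                readers[f"{ent}.{attr}"] = set(admins)
    for profile in snapshot["field_security_profiles"].values():
        for perm in profile["permissions"]:
            key = f"{perm['entity']}.{perm['attribute']}"
            if perm.get("canread") == CAN_READ and key in readers:
                readers[key].update(profile["members"])
    return {k: sorted(v) for k, v in readers.items()}


def review(snapshot):
    """All findings a GDPR control review of the snapshot would raise."""
    return {
        "entities_without_audit": entities_without_audit(snapshot),
        "users_who_can_export": users_who_can_export(snapshot),
        "unsecured_sensitive_fields": unsecured_sensitive_fields(snapshot),
        "sensitive_readers": sensitive_readers(snapshot),
    }


if __name__ == "__main__":
    for finding, value in review(SNAPSHOT).items():
        print(f"{finding}: {value}")
```

Run it as a script to print the findings for the sample org. In a real review the snapshot would be populated from the Web API or the admin tooling; the value is in the logic, which encodes two traps from the posts above: the organisation-level audit switch silently overrides entity-level settings, and System Administrators are listed as readers of every secured field because the built-in System Administrator profile bypasses any custom profile.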

Hope this helps!

 

Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Microsoft becomes the first Cloud Provider to offer GDPR contractual commitment publicly

In an official Microsoft blog post, Microsoft has publicly committed to contractual guarantees for the European Union’s General Data Protection Regulation (GDPR), a privacy regulation which comes into effect on May 25, 2018.

If your organisation collects, hosts or analyses personal data of EU residents, GDPR requires you to use only third-party data processors that provide sufficient guarantees of their ability to implement the technical and organisational requirements of the GDPR.

Microsoft is making its contractual commitments available so that they provide key GDPR-related assurances about Microsoft services. Microsoft’s contractual commitments guarantee that any organisation using the Microsoft cloud can:

  • Respond to requests to correct, amend or delete personal data.
  • Detect and report personal data breaches.
  • Demonstrate compliance with the GDPR.
This is great news for all Microsoft Azure cloud customers and equally significant for Microsoft Dynamics 365 CRM customers in Europe, who are directly impacted by the new GDPR regulation.
Read the full blog post at https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/

 


What’s different in GDPR from existing Data Protection Act & how it impacts Dynamics 365

This is the third article in my series covering GDPR considerations for Dynamics 365. If you haven’t read the previous two articles, then you can read the first post here and the second article here.

In this post, I’m covering some of the highlights of GDPR and how they affect Dynamics 365. The main changes and their impact on Dynamics 365 can be summarised in the following points:

  1. GDPR applies to the personal data of individuals in the EU even when the data is processed outside the EU, which was not the case before. This has a big impact on outsourcing development work to teams outside the EU, as any transfer of personal data to them needs a lawful transfer mechanism and may mean changing implementation processes or denying those teams access to production data.
  2. Where you rely on consent as your lawful basis, GDPR requires that consent be freely given, specific, informed and unambiguous (and explicit for sensitive data), given to each entity that will process or analyse the personal data, and as easy to withdraw as it was to give. This is particularly important for Dynamics 365 Portals and websites, which must let customers easily withdraw their consent for you to access, process or analyse their data. Your Dynamics 365 system and its portals must therefore have the processes and the capability to record consent and to act on its withdrawal.
  3. GDPR gives individuals the right to compensation for material or non-material damage suffered as a result of unlawful data processing. Administrative fines can reach €10 million or 2% of a company’s total worldwide annual turnover (whichever is higher) for the lower tier of infringements, and €20 million or 4% for the most serious ones!
  4. Mandatory data protection impact assessments for high-risk processing, and a mandatory Data Protection Officer for some organisations, mean you have to build rigorous data protection policies into your Dynamics 365 system and your implementation project, covering everyone who may process any data in your Dynamics CRM system.
  5. GDPR places direct obligations, including record-keeping, on every processor and sub-processor in the cloud supply chain. So every supplier and every contractor (not just employees) with access to Dynamics 365 in the cloud will have direct accountability, and the vendor (Microsoft in this case), as well as clients and Dynamics partners, will have to be able to show who can access this data.

 

In this post, we covered 5 main ways in which GDPR will impact Dynamics 365 projects and live systems. These are really important changes that require amendments and adjustments to Dynamics 365 solutions and implementation projects.

In my next article, I’ll be covering in detail 7 areas of interest that directly impact Dynamics 365 programmes and solutions once GDPR is effective in May 2018:

  • Personally Identifiable Data (PII)
  • Customer sensitive data versus Personally Identifiable Data, and how to handle each in Dynamics 365
  • Children data
  • Consent
  • The Right to Data Portability
  • Governance and Accountability
  • Incident and Breach Management

 

Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Is Microsoft Dynamics 365 Ready for GDPR ? General Data Protection Regulation considerations for Dynamics 365 CRM Series

This is the second article in my series on GDPR considerations for Microsoft Dynamics 365. If you are not aware or not sure in details what GDPR is and how it impacts Microsoft Dynamics 365 Solutions and Projects, then please read my first article in this series.

In this article, I’m trying to cover Microsoft Dynamics 365 CRM readiness for GDPR, which comes into effect on 25th May 2018. In summary, Microsoft has committed to bringing all its products, services and processes into compliance with GDPR by May 2018.

For Microsoft Dynamics 365, there are many ways to design your Dynamics 365 CRM solution to manage and control access to your data. Some example approaches use the following capabilities of the Microsoft Dynamics CRM platform:

  • Role-based security in Microsoft Dynamics 365 lets you group a set of privileges into a security role that limits which tasks a given user can perform, privilege by privilege, against each Dynamics CRM entity or specific action. This is an important capability, especially when people change roles within an organisation, because it directly affects data protection and security.
  • Record-based security in Dynamics 365 lets you restrict access to specific records through ownership, business units, sharing, and capabilities such as Access Teams.
  • Field-level security lets you restrict access to specific high-impact fields, such as personally identifiable information and sensitive data such as sexual orientation, religion and ethnicity/race.

This is essential for GDPR compliance, and I have personally been involved in applying these considerations to some of our ongoing Dynamics 365 projects to ensure our solutions comply with GDPR in advance. Similarly, all current Dynamics 365 projects and live Dynamics 365 solutions must be reviewed and modified to ensure compliance with GDPR using these and similar capabilities.

  • Azure Active Directory (Azure AD) helps you protect Dynamics 365 from unauthorized access by simplifying the management of users and groups and allowing you to assign and revoke privileges easily. Azure AD includes tools such as Multi-Factor Authentication for highly-secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce risks associated with administrative privileges through access control, management, and reporting.

Microsoft confirms it has mandatory processes and encryption controls within Dynamics 365, both Online / Cloud and on-premise, to comply with GDPR. Some of these include:

  • Security Development Lifecycle: a mandatory Microsoft process that embeds security requirements into every phase of the development process. Dynamics 365 is built using the Security Development Lifecycle.
  • Encryption: in transit between your users’ devices and Microsoft data centres, as well as at rest in the Microsoft database. According to Microsoft, this protects your Dynamics 365 data at all times. This applies to Dynamics 365 Online / Azure Cloud; for on-premise deployments, configuring transport encryption and database encryption remains the customer’s responsibility.

Here is also a 20-minute video outlining Microsoft’s commitment to GDPR:

You can read more about Microsoft’s commitment to GDPR on their dedicated GDPR section on Microsoft website here: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr

You can also visit Dynamics 365 Trust Centre for full details https://www.microsoft.com/en-us/trustcenter/cloudservices/dynamics365

 

Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂

Is your Microsoft Dynamics 365 solution / project ready for GDPR? :: Introducing Dynamics 365 GDPR considerations

If your solution or project is in Europe, is built on Microsoft Dynamics 365, and you are not aware or sure what GDPR is, then you had better act fast! You need to get familiar with it very soon.

GDPR stands for General Data Protection Regulation, effective from 25th May 2018.

According to Wikipedia, GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to “simplify” the regulatory environment for international business by unifying the regulation within the EU.

As per the ICO, the UK’s independent body set up to uphold information rights, the GDPR applies to “controllers” and “processors”. The definitions of controllers and processors are broadly the same as those under the Data Protection Act. In short, the controller says how and why personal data is processed and the processor acts on the controller’s behalf.

If you are a processor, the GDPR places specific legal obligations on you.

For example, if you, your organisation, your solution or your product maintains or stores records of personal data and carries out processing activities, you will have significantly more legal liability if you are responsible for a breach. These direct obligations on processors are a new requirement under the GDPR and did not exist as such in the Data Protection Act (DPA).

If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

Applying this to Microsoft Dynamics 365 solutions, especially Dynamics CRM projects, this is a significant legal obligation. The majority, if not all, Dynamics CRM projects include the storage, maintenance and processing of personal data and hence will most probably fall under GDPR rules.

If you are a Dynamics 365 consultant, developer or working for a Dynamics 365 client or partner implementing Dynamics 365, then you need to be aware and ready for GDPR as it directly affects you and your work.

In my next post on GDPR, I will be covering in more details what obligations you have and how GDPR obligations affect your Dynamics 365 solution/project. So watch this space.

Please comment below if you are interested in this subject and/or if you would like to be informed about the full whitepaper I will be releasing soon about GDPR and Dynamics 365.

Looking forward to reading your comments and finding out whether you are interested in the whitepaper.


Disclaimer: I’m not a GDPR or Data Protection expert but a Dynamics 365 one. All posts on this blog including the GDPR series are provided as is with no warranty and are the product of my research and understanding. Please speak to a legal or regulatory advisor if you need an expert GDPR opinion. However, you can speak to me if you need an expert #MSDyn365 opinion! 🙂