GDPR-compliant with tools in Dynamics 365 for Finance & Operations
The new European privacy law – the GDPR – will enter into force on 25th of May. In a series of blogs I help you prepare for this. This time in a practical blog highlighting the standard tools for the Dynamics 365 for Finance and Operations.
When it comes to the GDPR, Microsoft organizes their information very clearly in 4 themes: discover, manage, protect and report. I would like to add here: data transfer and processor agreements. This blog will discuss the available tools in all 6 steps.
Standard available: entities
The first thing that has to be done to become GDPR-compliant is to create a data inventory. I already discussed that in an earlier blog. After you have discovered where personal data is located, you want to know what kind of data it concerns. The standard entity structure of Dynamics 365 is very useful for that. Create a template entity and link all entities containing personal data. The result is a complete overview of all field names from all tables in which personal data were found.
Coming soon standard available: person search report & more
Microsoft recently announced an extension to the entity functionalities, allowing you to call up all entities associated with a specific record from the address book. They call this the Person search report. I do not know it yet, but it sounds pretty handy. It also becomes possible – under the name Data tagging – for developers to categorize table fields for the GDPR. And there is a Data flow diagram, so that you can view the data exchange between systems. These future possibilities are extensively described on the Microsoft site.
The Azure Information Protection (discussed below) is also very useful, just like the Azure Data Catalog. The latter is a cloud service that allows you to register and label metadata from multiple data sources. The tool makes a copy of your metadata and saves the reference to the actual location. You can then add tags to your content, for example to tables that contain personal data. Not only useful for Dynamics 365, but also for other programs that use structured data. You end up with all data sources in one overview.
Keep the overview
The Compliance manager is a handy tool that I wrote a positive review about earlier. In one overview you manage all risks, action points and responsibilities – within Office 365, Azure and Dynamics 365 – that need to be executed to be GDPR-compliant. Next to GDPR compliance, this tool helps you with ISO27 series or the NIST as well. The tool is constantly adapted to the latest regulations. Microsoft makes it very clear which compliance steps are its responsibility and which yours. The practical compliance score makes your risk transparent per component. On the Microsoft site you can read an overview of all features and updates.
Comply with the rights of your customers
Customers will soon be entitled to delete their personal data if you no longer have any purpose or basis for this. And when they ask, you must give customers access to their data, correct them or hand them in for transfer. How do you organize that?
- Right to access and data portability: the entity structure already discussed works well for this. Use the template entity and export the personal data in Excel or CSV. This allows your customer to view or take the data in a commonly acceptable format.
- Correcting and removing data remains manual work. But deleting data remains tricky or impossible. Your system will not allow you to delete data that have a relationship with other data, or if a transaction is booked for example. What you can do – and that is also much smarter – is anonymizing data. This way you can also leave your analyses intact and aggregated. For example, change an exact date of birth into a year and a specific address into a (sufficiently large) region, next to replacing the full name and changing gender. It is important to determine when anonymization is truly anonymous (for example, it should not be possible to identify a person by combining your ‘anonymous’ data with publicly available data). Therefore, consult an expert in this matter.
In Azure, the standard Active Directory – Role Based Access control already provides excellent options for managing authorizations. You also use specific role templates in Dynamics 365 for Finance & Operations. You can arrange these according to your own wishes, up to the level of specific fields or groups of data. More information can be found on the Microsoft site.
Microsoft is committed to making you feel safe in their cloud. Their data centers, connections and procedures are extremely well protected. In Dynamics 365 your data is encrypted in transit and at rest. In Azure you have several choices: Azure Key Vault, Azure Storage Data Encryption, Azure MFA, Azure Identity Protection and Azure Information Protection. On their site, Microsoft highlights the key functionality of the various tools you can use.
The GDPR makes responsible for data losses. Microsoft offers three redundancy mechanisms that assure you against data loss. Azure backup can back up your data and restore. Azure Site Recovery offers disaster recovery in the cloud. And Azure geo-redundant storage can make and save a replica of your data in another region.
Know what your responsibilities are
According to the GDPR you must be able to demonstrate that you comply with the rules. But as a user of Microsoft Dynamics 365 you alone do not bare this responsibility; Microsoft is partly responsible. As a rule of thumb, Microsoft provides this clarifying overview:
You can use standard reports in Azure to report on your compliance. For example, Azure Advanced Reports or Azure Identity Protection. The latter provides an overview of safety risks based on your policy. For example, which users you must keep an eye on and for what reason. If you want to create reports yourself, you can use Power BI for instance.
Much has been written about data breaches. Here, I would like to note one element that is related at your cooperation with Microsoft. In the case of a data breach, they have to move with you quickly (within the 72-hour period). You can read all about their reaction in case of a data breach in their Microsoft Azure Security Response in the Cloud.
If you transport data outside the countries allowed by the GDPR, you must comply with additional rules. When signing a contract, pay attention to the location of your data center. If you already have a contract, read about the Azure regions and the Dynamics 365 locations. It is wise to also delve into the subcontractors to whom Microsoft passes your data, and how they deal with requests from governments.
According to the GDPR you, as a data controller, bear the responsibility for the correct handling of personal data. If you collaborate with a processor for processing data, you must do this according to GDPR proof processor agreements. Microsoft does that differently. Instead of a separate agreement with every customer, Microsoft applies Online licensing terms, which therefore also apply to you. Read this document carefully.
General tools for the whole process
Azure Information Protection
The Azure Information Protection Scanner can scan, classify and label unstructured data. Convenient in the Discover phase. But also, in the Manage phase, because the software can keep on scanning and so can monitor your progress. For security, this tool also has useful options. You can secure a document so that it is impossible to send it with an e-mail for example. Or ensure that a certain e-mail cannot be forwarded. Interesting possibilities. Try it out with the public preview of the scanner.
Microsoft Cloud App Security
You can achieve comparable security on documents with the Microsoft Cloud App Security. This prevents, for example, that a certain document is uploaded to Dropbox. This tool follows your documents in other cloud applications and ensures that your security policy is also followed there.
I would like to complete this overview with our own tool that I am enthusiastic about and that helps you with data discovery: the GDPR Insight. This tool uses KPMG expertise and scans all your structured and unstructured data, indexes the data and provides a risk assurance. This gives you immediate insight into data privacy risks and potential data leaks in your systems. The tool also offers handy workflows so that you can manage meeting requests from data subjects, such as the right of access, to be forgotten, or data portability.