The GDPR has many requirements pertaining to the collection, storage, and use of personal data, making it necessary to first identify the personal data you possess about your data subjects. Once you have identified what data you are storing and using, you must classify all personal data, which with their GDPR-elevated rights, users are entitled to request.
Search for and identify personal data
Key consideration: How much of the personal data about your data subjects under your organization’s control have you identified?
Dynamics 365 solution:
Microsoft Dynamics 365 provides multiple methods for you to search for personal data within your records, including Advanced Find, Quick Find, and Relevance Search. These functions enable you to identify personal data with greater accuracy and speed.
Facilitate data classification
Key consideration: How confident are you in the tools your organization currently leverages to classify personal data?
Dynamics 365 solution:
The Dynamics 365 platform offers the flexibility to build an application extension around data classification, such as the Entity and Field-level. With these levels, customers can configure Forms and Views to look for personal information based on GDPR requests. At the row-level, data classification can be achieved via solution customization.
Govern how personal data is used and accessed
Enable data governance practices and processes
Key consideration: Does your organization have a data governance program in place that meets the demands of the GDPR?
Dynamics 365 solution:
Dynamics 365 provides a set of features to manage access to personal data. Dynamics 365 uses Azure Active Directory to protect your data from unauthorized access by simplifying the management of users and groups and enabling admins to easily assign and revoke privileges. Role-based security allows you to group privileges that limit the tasks a user can perform, Record-based security lets you restrict access to specific records, and Field-level security lets you restrict access to specific high-impact fields, such as those containing personally identifiable information.
Provide detailed notice of processing activities to data subjects
The GDPR requires that controllers be transparent with data subjects about the intended processing of personal data.
Key consideration: Do your existing privacy notices meet GDPR requirements?
Dynamics 365 solution:
Dynamics 365 provides the ability to display custom privacy notices with detailed information; this information can be displayed on a form or on the login screens of the internal and external Portals. While Dynamics 365 provides a platform capable of hosting external-facing privacy notices, it is your responsibility to ensure that the specific language of the notice meets the obligations under the GDPR.
Discontinue processing on request
The GDPR requires that organizations give data subjects the right to object to the processing of their data and discontinue processing on request.
Key consideration: Would your organization currently be able to discontinue processing on request?
Dynamics 365 solution:
Dynamics 365 has several tools to help you discontinue processing on request. Tools like Advanced Find, Quick Find, and Relevance Search enable you to manually discontinue processing in features of Dynamics 365, including marketing and text analytics.
Collect unambiguous, granular consent from data subjects
Before processing data, the GDPR requires that controllers have a legal basis to do so, such as through the affirmative consent of the data subject.
Key consideration: In how many cases would your organization currently be able to obtain needed consent?
Dynamics 365 solution:
Dynamics 365 offers Portals, through which you can request and obtain consent prior to processing personal data. When collecting personal data, Dynamics 365 Customer Engagement allows you to create checkboxes and other elements that enable data subjects to indicate affirmative consent prior to submitting their personal data. While Dynamics 365 can provide a platform capable of hosting external-facing privacy notices, it is your responsibility to ensure that the specific language of the notice meets the obligations under the GDPR.
Facilitate requests for rectification, erasure, or transfer of personal data
The GDPR requires that a controller processing personal data provides data subjects with a way to submit requests to rectify, erase, or transfer their personal data.
Key consideration: Does your organization currently have a way for these requests to be submitted by data subjects and processed?
Dynamics 365 solution:
Dynamics 365 provides users with several tools to erase and edit personal data associated with third-party data subjects, as well as with employee user accounts. Users can manually track their requests for rectification, erasure, or transfer of personal data, and they can create support cases to track and manage data subject rights requests. Additionally, actions taken during the lifecycle of the request can be tracked, and the case can be marked as resolved upon completion. Using Portals, Dynamics 365 Customer Engagement administrators can make and receive requests pertaining to personal data.
Rectify inaccurate or incomplete personal data on request
The GDPR requires controllers that process personal data to enable data subjects to request the rectification of “inaccurate personal data” and the completion of “incomplete personal data.”
Key consideration: Could your organization currently rectify inaccurate or incomplete personal data if requested to do so by a data subject?
Dynamics 365 solution:
Dynamics 365 offers you several methods to rectify inaccurate or incomplete personal data. Using Excel Online, you can export, bulk edit, then re-import multiple records to Dynamics 365. You can change personal data stored as Contacts by manually amending the data element containing the target personal data. Alternatively, you can edit a single row or modify multiple rows directly using Dynamics 365 forms.
Erase personal data on request
Under the GDPR, all data subjects have the right to request the erasure of their personal data by controllers.
Key consideration: How would your organization currently handle a request to erase personal data?
Dynamics 365 solution:
Dynamics 365 offers several methods to erase personal data about a data subject. With tools like Advanced Find to help you identify the personal data, Dynamics 365 enables you to easily locate and directly delete records.
Provide data subject with their personal data in a common, structured format
Under the GDPR, data subjects have the right to data portability. This means they can request and receive their personal data from controllers in a structured, commonly used, and machine-readable format.
Key consideration: If a data subject made a portability request for personal data, would your organization be able to accommodate this request?
Dynamics 365 solution:
Dynamics 365 data can be exported to a static Excel file to facilitate a data portability request. Using Excel, you can then edit the personal data that will be included in the request and then save the data in a commonly used, machine-readable format, such as .csv or .xml.
Restrict the processing of personal data
Under the GDPR, data subjects may request a temporary restriction of processing activities.
Key consideration: Would your organization currently be able to handle a request to restrict the processing of an individual data subject’s personal data?
Dynamics 365 solution:
To protect sensitive information and the service availability required by the GDPR, Dynamics 365 incorporates security measures at the platform and service levels. Dynamics 365 has several tools to assist with requests to restrict the processing of personal data, such as using Advanced Find, Quick Find, or Relevance Search to manually locate the specified data and restrict processing.
Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
Data protection and privacy by design and default
The GDPR requires controllers that collect or process personal data to ensure that their activities and supporting technology are built to include data privacy and security principles.
Key considerations: Does your organization’s IT resources meet this standard today?
Dynamics 365 solution:
Dynamics 365 services are developed utilizing the Microsoft’s Secure Development Lifecycle, which incorporates privacy-by-design and privacy-by-default methodologies, and are in accordance with Microsoft privacy policies. Furthermore, many Dynamics 365 services are audited at least annually against several global data privacy and network security standards, including ISO/IEC 27018.
Secure personal data through encryption
Key considerations: How much of the personal data that you currently store is encrypted?
Dynamics 365 approach: Dynamics 365 uses technology such as Transparent Data Encryption (TDE) to encrypt data at rest and Transport Layer Security (TLS) to secure communication between services. For Dynamics 365, Microsoft SQL Server field-level encryption is available for a set of default entity attributes that contain sensitive information.
Secure personal data by leveraging security controls that ensure the confidentiality, integrity, and availability of personal data
Key consideration: Does your organization’s approach to securing personal data currently meet this standard?
Dynamics 365 solution:
Dynamics 365 offers multiple tools to help safeguard data according to an organization’s specific security and compliance needs. This includes Security concepts for Dynamics 365, which helps protect data integrity and privacy in a Dynamics 365 organization; Role-based security, which allows you to group privileges that limit the tasks a user can perform; Record-based security, which allows you to restrict access to specific records; Field-level security, which allows you to restrict access to specific high-impact fields; and Transparent Data Encryption (TDE) and cell-level encryption.
Detect and respond to data breaches
Key consideration: Does your organization currently have a process in place to handle personal data breach notifications?
Dynamics 365 solution:
Dynamics 365 deploys security measures intended to prevent and detect data breaches, including software to provide intrusion detection and distributed denial-of-service (DDoS) attack prevention. Dynamics 365 responds to incidents involving data stored in Microsoft datacenters by following a Security Incident Response Management process.
Facilitate regular testing of security measures
Key consideration: Does your organization’s approach to security testing meet the GDPR’s testing standard?
Dynamics 365 solution:
Dynamics 365 provides administrative users with audit functionality that can help identify data changes, as well as highlight opportunities to improve the security poster to protect personal data and detect data breaches. Microsoft also conducts ongoing monitoring and testing of Dynamics 365 security measures. These include ongoing threat modeling, code review and security testing, live site penetration testing, and centralized security logging and monitoring.
Execute on data requests, report data breaches, and keep required documentation
Maintain audit trails to show GDPR compliance
Key considerations: Does your organization currently maintain records of processing activities?
Dynamics 365 solution:
Dynamics 365 allows you to track and record data changes in a Dynamics 365 environment. The data and operations that can be audited in Dynamics 365 include the creation, modification, and deletion of records; changes to the shared privileges of records; the addition and deletion of users; the assignment of security roles; and the association of users with teams and business units. You can use these logging and auditing tools to record the resolution of requests by a data subject and to log events associated with amending, erasing, or transferring personal data.
Track and record flows of personal data into and out of the EU
Key consideration: Do you have mechanisms in place to transfer personal data outside the EU, such as Binding Corporate Rules or Standard Contractual Clauses?
Dynamics 365 solution:
Dynamics 365 reduces your need to transfer personal data out of the EU by giving you choice in where you store your data. During the initial setup, you can select data centers from more than 30 regions around the globe. Additionally, Microsoft has made several contractual commitments related to Azure that enable the appropriate flow of personal data within the Microsoft ecosystem. Microsoft has implemented EU Model Clauses and is certified to the EU-US Privacy Shield framework.
Track and record flows of personal data to third-party service providers
Key consideration: How frequently does your organization track and record the transfer of personal data of EU data subjects to third-party services providers?
Dynamics 365 solution:
Dynamics 365 customers acting as controllers are responsible for tracking distribution of personal data to third parties via their custom services and applications hosted on Dynamics 365. Microsoft maintains an inventory of third-party service providers who may have access to customer data. The Microsoft Online Services Subcontractor List covers the subcontractors for all the online services offered under the Data Processing Terms section of the Online Services Terms.
Facilitate Data Protection Impact Assessments
Key consideration: Does your organization currently conduct DPIAs?
Dynamics 365 solution:
Dynamics 365 enables you to use the Dynamics 365 audit log. This allows you to track and record processing activities across the Dynamics 365 ecosystem to inform your organization’s DPIA processes. To help you find information that may support a DPIA addressing your use of Dynamics 365, Microsoft provides detailed information regarding its collection and processing of customer data and the security measures used to protect that data. This information, accessible via the Microsoft Trust Center, includes what data Microsoft collects and processes, how and where Microsoft sends customers’ data, sub-processors who have access to customers’ data, details on Dynamics 365 security measures, and details regarding Microsoft’s privacy reviews process.