The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where those organizations are located. Enforcement of the GDPR is approaching (May 2018). Is your Dynamics 365 ready? My fellow Microsoft MVP Mohamed Mostafa is probably one of the foremost experts in this field. I invite you to watch his space, specifically this conversation: https://www.nz365guy.com/gdpr-dynamics-365-mohamed-mostafa/

In this post, I want to point you to a few tools that may help you assess your Dynamics 365 tenant for GDPR compliance:

Auditing

System administrators can use the User log functionality in Microsoft Dynamics 365 to keep an audit log of users who have logged on to the system. Audit logs provide answers to the following questions, which may arise as part of an investigation into the GDPR compliance of your system:

  • Which user was accessing the system and when?
  • Who updated this field value on this record and when?
  • What was the previous field value before it was updated?
  • What actions has this user taken recently?
  • Who deleted this record?
  • What locale was used to make the update?

The User log capability allows administrators to define roles that can access sensitive data. Logs of users who have access to data that’s been declared to be sensitive can be retained separately from all other data in the log.

Rights

GDPR introduces a set of “rights” for users to regulate how their data is used and, possibly, removed from a system or transferred. For more information about how to manage the right to view, right to modify, right to be forgotten, right to port and right to restrict processing of personal data, see this article from the Microsoft Dynamics 365 for Talent documentation: Respond to a request for personal data using Talent.

Microsoft GDPR Assessment

The Microsoft GDPR Assessment tool is a free assessment that helps you understand whether your organization is ready to protect personal and sensitive data. It takes only five minutes to see where your organization stands and to get important information on how to take the next steps.

The assessment consists of several questions, which you are expected to answer in full honesty. No one is judging the quality of your IT systems. It is purely meant to give you an understanding of how ready your systems are to meet GDPR requirements, and of the tools available to correct any gaps. The questions are along these lines:

  1. Does your organization have sufficient technical measures and processes in place to secure personal and sensitive data?
  2. Are your data collection, data processing, and supporting technologies built to include privacy and protection principles?
  3. How much of your personal and sensitive data is currently encrypted both at rest and in transit?
  4. I would describe my organization’s process for classifying and labeling end user sensitive data as: Manual to 100% automated.
  5. Which of the following protection policies do you use to classify and label sensitive data? Encryption, rights restrictions, watermarks, end-user notifications.
  6. How much control do you have over access to personal and sensitive data (e.g., physical, remote, etc.)?
  7. For which types of data can you apply your control policies? Emails, documents, HR, finance…
  8. If a data breach occurred, how would your organization be able to respond?
  9. How often does your organization test the effectiveness of technical measures and processes for ensuring security of data processing?
  10. How much of your data currently resides in the cloud?

At the end of the 10 questions, you are presented with an assessment of your current stage of data protection, and the possibility to access the “GDPR and Microsoft 365: Streamline your path to compliance” e-book to broaden your understanding of GDPR compliance, identify issues you may not have considered, and understand how Microsoft solutions can help accelerate your compliance journey.

The book provides directions to address three critical aspects of your data protection requirements:

  1. Assessing and managing compliance risk. Assessing and managing your risk environment won’t end when you meet your GDPR obligations. You’ll continue to face new regulations and compliance requirements after the May 2018 deadline.
  2. Protecting personal data. Complying with such far-reaching regulations goes well beyond any collection of point solutions, let alone a single solution. Companies need to think in terms of an infrastructure and solutions platform that will help them meet customer expectations and GDPR obligations.
  3. Streamlining processes. The GDPR is also an opportunity for companies to make sure their compliance program is as efficient as possible. A streamlined process benefits the company in terms of productivity while providing a better experience for the customer.

Microsoft 365 Enterprise and GDPR Compliance

The aptly named microsoftgdprscenarios.com web site presents some typical scenarios, as short animations, to help you better understand GDPR requirements and the actions related to:

  • Data Breach
  • IT and Security
  • HR
  • Legal and Compliance
  • Sales

The site also offers a GDPR Hands-on demo, aimed at technical people, hosted on the Microsoft Demos platform. The demo provides a set of fully functional Microsoft 365 environments that are configured to meet GDPR requirements.

For additional information on your journey to GDPR compliance, your starting point is microsoft.com/gdpr and, of course, engaging with the community of qualified Dynamics 365 experts who can assist you properly.