I am about to take the MB2-719 certification, which covers the Dynamics 365 for Marketing application. I plan to create a series of blog posts that collectively should help anyone else preparing for this exam. In this post I’ll look at the basic concepts around data privacy.

Below, you can see the section of the skills measured statement that references data privacy. It is no surprise that GDPR is mentioned! Data privacy is an important topic and one we must demonstrate a good understanding of, not just in terms of the software but also of the core concepts in the regulations which govern privacy.

There are many regulations that govern data privacy, the latest of which is called the General Data Protection Regulation (GDPR). GDPR imposes rules on organisations that offer goods and services to people in Europe (or work with any data tied to EU residents). Rights connected with GDPR include:

  • Right to access
  • Right to erasure
  • Right to correct errors
  • Right to object to processes or export of personal data

Companies must handle personal data responsibly. They must protect it using appropriate security measures and notify authorities of data breaches.

Plus, they must keep records detailing data processing. They must also be transparent by providing clear notice of data collection, outlining the processes and use cases, and defining data retention and deletion policies.

Organizations will need to train employees, audit and update data policies on a regular basis, and employ a data protection officer. They may also need to create and manage compliant vendor contracts.

Consent for organisations to store your data must be explicit for the information being collected and the purposes it will be used for. This means you cannot contact someone with marketing messages unless you have previously gained their consent. It is, however, valid for companies to communicate transactional messages directly related to the goods or services purchased by the customer.

I hope you can see that applying these rules involves capturing the required consent and ensuring all bulk messages comply with the correct usage rules, and will therefore be an essential part of Dynamics 365 for Marketing.

Enabling GDPR

By default, enforcement of GDPR consent logic will not be enabled. To activate it you need to use the “Data Protection Tools” option that can be found in the settings area of Dynamics 365 for Marketing.

Below you can see that I have created a GDPR configuration record and selected that consent is required.

Consent Levels on Contact

Once GDPR is enabled it will be essential to ensure that an appropriate consent level has been set on all contacts. You can see in the data protection section of the details tab on contacts that we can set consent given and also if this contact is a child or guardian of a child.

The “is a child” flag may be needed to ensure extra protection is provided to minors. It will also be a requirement to capture the details of the child’s parent / custodian (as a separate contact).

Below I have shown Microsoft’s definition for each of these consent levels:

Level | Consent level name | Description
0 | (none) | No consent has been given by the contact. The organization should not reach out to the individual or perform data processing or automated decision making until consent is given. Regardless of the given consent, individuals can submit information using an online form (landing page) provided by the organization.
1 | Consent | The individual allows the organization to reach out only to confirm consent or obtain a higher level of consent. A typical example is a re-consenting customer journey that sends an email containing a link to a subscription center page where the individual can give consent.
2 | Transactional | The individual consents to be sent transactional messages that relate to specific, existing business between the two parties. These messages can’t include marketing or promotional content. Examples include bank statements, order receipts, and membership status messages.
3 | Subscriptions | The individual consents to receive messages that include offers to sign up for mailing lists or other subscribed content.
4 | Marketing | The individual agrees to receive marketing messages and promotional content.
5 | Profiling | The individual allows the organization to use demographic and behaviour information (such as website visits, email opens, and email clicks) for automated decision making. It is the organization’s responsibility to classify which of their processing activities fall under the category of automated decision making. Examples include automatic calculation of credit limits or loan promises based on available data, and calculation mechanics using rule-based or predictive calculations. Children shall never be subject to such profiling and automated decision making.

Additionally, on the contact you can maintain a history of GDPR consent record changes. This may be essential information if you need to demonstrate GDPR compliance.

Customer Journeys

When GDPR is enabled, every customer journey will need to have the minimum consent level that applies to it recorded on the journey record.

Tip:
Additionally, you may find it useful to filter any segments included in the customer journeys based on consent level. This is achieved by filtering on the contact’s consent given field. (Just as we would with any attribute on the contact!)
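To make the consent table and the journey's minimum consent level concrete, here is an added illustration in Python. It is not Dynamics 365 code: the `Contact` class, `gate` and `filter_segment` are hypothetical names, the sample contacts are constructed, and it assumes that a higher level includes the lower ones, which is what a "minimum" level implies.

```python
from dataclasses import dataclass
from enum import IntEnum


class Consent(IntEnum):
    """Consent levels 0-5 as listed in the table above."""
    NONE = 0
    CONSENT = 1
    TRANSACTIONAL = 2
    SUBSCRIPTIONS = 3
    MARKETING = 4
    PROFILING = 5


@dataclass(frozen=True)
class Contact:
    # Hypothetical stand-in for a contact record, not the Dynamics schema.
    email: str
    consent_given: Consent
    is_child: bool = False


def gate(contact: Contact, minimum: Consent):
    """Decide whether a contact may enter a journey with this minimum level."""
    # Children are never subject to profiling, whatever consent is recorded.
    if contact.is_child and minimum >= Consent.PROFILING:
        return False, "child: profiling is never allowed"
    if contact.consent_given < minimum:
        return False, f"{contact.consent_given.name} is below {minimum.name}"
    return True, "ok"


def filter_segment(contacts, minimum: Consent):
    """Return the allowed contacts plus an audit trail of every decision."""
    allowed, audit = [], []
    for contact in contacts:
        ok, reason = gate(contact, minimum)
        audit.append((contact.email, ok, reason))
        if ok:
            allowed.append(contact)
    return allowed, audit


# Constructed sample data.
SAMPLE = [
    Contact("a@example.test", Consent.TRANSACTIONAL),
    Contact("b@example.test", Consent.MARKETING),
    Contact("c@example.test", Consent.PROFILING),
    Contact("kid@example.test", Consent.PROFILING, is_child=True),
]
```

The audit list records a reason for every excluded contact, which is the kind of evidence the consent history on the contact is meant to support.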

Lead Scoring Models

Additionally, as you can see below, a minimum consent level can be applied to lead scoring models, ensuring that any leads considered “sales ready” have given the required consent to be targeted.

Subscription Center

I will cover the concept of a subscription center in greater detail in a future post. But you may additionally want to make changes to your subscription center to allow contacts to modify their own consent levels. This will be done by using a marketing form, embedded into a marketing page of type subscription center.

Each customer journey must link to a content setting. That content setting will in turn define which subscription center gets applied to which customer journey.

In addition to the subscription center, organisations can enable the double opt-in process. This makes use of email messaging to ensure all requests for changes to consent levels did originate from the target contact.
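The idea behind double opt-in can be sketched as follows. This is an added, generic example and not how Dynamics 365 for Marketing implements it: the function names, token format and 24-hour lifetime are all assumptions. A requested consent change is applied only after the contact follows an emailed link carrying a signed, expiring, single-use token.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key, never sent to the contact
TTL_SECONDS = 24 * 3600           # assumed lifetime of a confirmation link
_used = set()                     # tokens already redeemed (single use)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(contact_id: str, new_level: int, now=None) -> str:
    """Token for the emailed link; binds contact, requested level and expiry."""
    issued = int(now if now is not None else time.time())
    payload = f"{contact_id}:{new_level}:{issued + TTL_SECONDS}"
    return f"{payload}:{_sign(payload)}"


def confirm(token: str, now=None):
    """Return (contact_id, new_level) for a genuine, fresh, unused token."""
    payload, sep, sig = token.rpartition(":")
    # Constant-time comparison; any edit to the payload breaks the signature.
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    parts = payload.split(":")
    if len(parts) != 3:
        return None  # fail closed on an unexpected payload shape
    contact_id, level, expires = parts
    current = now if now is not None else time.time()
    if current > int(expires) or token in _used:
        return None  # expired link or replayed confirmation
    _used.add(token)
    return contact_id, int(level)
```

Only the value returned by `confirm` should be written to the contact's consent field; the level submitted on the form stays pending until then.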

I have covered some of the key topics connected with GDPR at a very high level. As part of your MB2-719 revision, I suggest you experiment with these concepts to ensure you understand the use and implications of each one. No doubt GDPR will come up again and again as I dive deeper into managing customer journeys!