The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. GDPR will shape the way we handle the personal data of individuals in the EU in all our systems, including Dynamics 365.
What does GDPR mean?
- Personal Privacy
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data (right to be forgotten)
- Object to processing of their personal data
- Export personal data
- Controls and notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
- Transparent policies
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
How do I get started?
Identify what personal data you have and where it resides. Under GDPR this is any information that can be used, directly or indirectly, to identify a living individual in the EU (the "data subject").
Some examples are:
- Name, address, contact details, gender, date of birth
- Copies of resumes (CVs), copies of IDs, your building's sign-in sheet
- Supplier details, who works where
- Stored e-mails, submitted forms, stored voicemails
Govern how personal data is used and accessed. For every data item, record why you need it, why you store it and for how long. Also establish who needs access to which data items and who is responsible for access control.
Establish security controls to prevent, detect and respond to vulnerabilities and data breaches. Make sure you know who accesses which data, so that unauthorized access can be detected.
- Keep the required documentation and keep it up to date.
- Manage data subject requests when they come in and respond to them in a timely manner (GDPR requires a response without undue delay and, in general, within one month).
- Ensure timely breach notifications. Nobody wants a data breach, but prepare for when one happens: you are obligated to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
How JumpStart 365 for GDPR helps
JumpStart 365 is a configuration and deployment method and technology developed by MindsUnited to shorten the traditionally long Dynamics 365 implementations.
Using a wizard-style questionnaire we focus on a particular vertical, horizontal or process (like GDPR) and ask a Dynamics 365 customer about their current business process. Using the answers, we automatically configure Dynamics 365 by importing a tailored Solution file and configuring the system so that it matches the customer's business process.
JumpStart 365 for GDPR contains a set of tools to support your compliance efforts using Dynamics 365.
- Classification of data
The wizard asks Dynamics 365 customers about their data: which fields are used for what, and whether the information stored there is actually needed. The Solution that will be deployed contains additional entities and form modifications that let you track how each data item is classified.
- Business rules and restrictions for explicit consent
For all fields that can be considered personal information, the JumpStart 365 for GDPR deployment enables business rules, field security and other restrictions that require Dynamics 365 users to explicitly confirm that they have consent from the individual to store this data, and to record evidence of that consent.
- Protecting and auditing data access
For all fields that can be considered personal information, the JumpStart 365 for GDPR deployment enables field security to ensure that only explicitly authorized users can access this information. Auditing is enabled automatically for all of these fields, to gain insight into when data is changed, by which users, and whether it was changed in response to a data request. Note that the built-in Dynamics 365 entity and field auditing records create, update and delete operations and user logins, not read-only access, so field security remains the primary control over who can see the data.
- Data requests
The Solution that will be deployed contains reports and report templates that can be used to respond to data requests.
These reports include:
- ‘Compliance Data Report’
This report states what information the company keeps about an individual, why this information is kept and for which period the data is stored (or the criteria used to determine that period).
- ‘Personal Data Report’
This report provides a list of all the information (including the values) the company keeps about an individual. The report includes a page for correction and a page for the erasure of personal information. The individual can use these pages to request correction or erasure of their personal data.
- ‘Consent Form’
This is a form that can be sent via email or printed so that an individual can give explicit consent to the storage of their data.