14 Ways That Dynamics 365 Will Help You Meet The Demands of GDPR Compliance

The General Data Protection Regulation is fundamentally about protecting and enabling the privacy rights of individuals. This establishes updated and more stringent privacy requirements that govern how organisations manage and look after personal data while respecting individual choice. 

GDPR represents a step change in clarifying privacy rights and empowering people to take greater control of their personal data. Through updated privacy legislation, GDPR holds organisations more accountable in how they collect and store personal data - and do so in a fair and transparent way.

As a result, this requires significant change from organisations worldwide in how they manage and process personal data.

CRM technology is a major focus as this will be one of the main locations where personal data is stored in most organisations. For businesses using Microsoft Dynamics 365 in the cloud, industry-leading security measures reduce risk by safeguarding data and help demonstrate compliance.

In this post we've shared 14 examples to demonstrate how Dynamics 365 helps organisations meet the demands of GDPR:

1. Keeps data in the EU

Dynamics 365 minimises the need to transfer personal data outside the European Union (except for directory data needed to authenticate access to the online service) by enabling organisations to select a region or country during the initial setup of services. Data can be stored in more than 30 data-centres worldwide, including UK-specific locations.

2. Privacy by Design

Azure Active Directory helps protect Dynamics 365 from unauthorised access by simplifying the management of users and teams, enabling CRM admins to assign and revoke privileges easily.

Azure AD tools include Multi-Factor Authentication for more secure sign-in, and Azure AD Privileged Identity Management reduces the risks associated with administrative privileges through access control, management and reporting.

Dynamics 365 is built using the Security Development Lifecycle, a mandatory Microsoft process that embeds security requirements into every phase of the development process.

3. Data Encryption at Rest and in Transit

Microsoft encrypts data at rest in its databases and in transit between user devices and its data-centres.

Dynamics 365 production environments are monitored for online threats, with distributed denial-of-service attack prevention and regular penetration testing to validate security controls. At the interface with the public network, Microsoft uses special-purpose security devices for firewall, NAT and IP filtering functions.

4. Field Level Security

Field-level security enables CRM administrators to restrict access to high-impact fields, such as those containing sensitive personal data, so that they can be read only by selected, approved users.

5. Role-based Security

Dynamics 365 role-based security restricts access to specific records and limits the tasks a user can perform based on their job role. A security role authorises a user to perform defined actions on an entity type, such as create, read, write and share. For example, if a user's security role does not include the privilege to export contact data to Excel, any attempt by that user to export the data will fail.

6. Auditing

An important aspect of GDPR is maintaining audit trails that demonstrate accountability and compliance. Dynamics 365 auditing logs changes made to records and tracks user access so that activity can be reviewed later. Auditable operations include the creation, modification and deletion of records, as well as admin changes such as altering the shared privileges of records, adding and deleting users, assigning security roles, and associating users with teams and business units.

This helps meet compliance, security and governance policies by enabling CRM admins to answer questions such as: which user accessed the system, and when; who updated a record; what the previous field value was; who deleted a record; and what other actions a given user has taken recently.

7. Easily find personal data

Dynamics 365 provides multiple search capabilities to quickly find personal data within CRM records, including Advanced Find, which builds queries that reference multiple entity types and data fields.

8. Microsoft Compliance Manager

The Compliance Manager dashboard helps system admins manage their compliance activities from one place, with a risk-based score reflecting an assessment of the organisation's current compliance status across Microsoft cloud services, including Dynamics 365.

This shows at a glance the regulatory compliance status of Microsoft's controls for its solutions, as well as the status of the customer-managed controls, reflecting the shared responsibility for managing data in the cloud. It helps administrators perform ongoing risk assessments and gain regulatory insight, and is designed to simplify the management of ongoing compliance activities.

9. Managing Consent

GDPR is more prescriptive than earlier data protection laws about the conditions for consent, which must be unambiguous and given by a clear affirmative action.

Many organisations rely on consent as the legal basis for processing personal data so it is crucial that opt-in actions are tracked and easily accessible in CRM.

Using email marketing integrated with Dynamics 365, double opt-in processes can be easily implemented that track posted web forms for new subscriptions together with the URL clicks that demonstrate affirmative consent to process data. For consent collected through other channels, including verbally or by post, Dynamics 365 can be adapted to capture each method of consent, the date it was given and, if needed, accompanying evidence on the contact record.

As a result, marketers can easily manage lists to make sure communications are only sent to individuals who have expressly opted in where consent is used as the legal basis for processing.
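The double opt-in flow above, as an added example that is not code from the original post nor from Dynamics 365, dotmailer or ClickDimensions. The confirmation link carries an HMAC-signed token, so a click cannot be forged or altered to opt in a different address; only a genuine, unexpired and unused click creates the consent record, which stores the date, channel and evidence, and marketing lists are then built from that record rather than from the raw form post. SIGNING_KEY, issue_confirmation_token, ConsentLedger and the claim names are hypothetical, and the in-memory ledger stands in for fields on a CRM contact record.

```python
"""Double opt-in consent capture: a signed confirmation link plus an evidence record.

Added illustration only; not code from the original post nor from Dynamics 365,
dotmailer or ClickDimensions. SIGNING_KEY, issue_confirmation_token, ConsentLedger
and the claim names are hypothetical; the in-memory ledger stands in for fields
on a CRM contact record.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from datetime import datetime, timezone
from typing import Optional

# Assumption: a server-side secret (kept in a vault, not in source) signs each
# token, so a confirmation URL cannot be forged or altered to opt in someone else.
SIGNING_KEY = b"replace-with-a-secret-from-your-vault"
TOKEN_TTL_SECONDS = 7 * 24 * 3600   # stale confirmation links are rejected


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def normalise_email(email: str) -> str:
    return email.strip().lower()


def issue_confirmation_token(email: str, purpose: str, now: Optional[int] = None) -> str:
    """Step 1: the web form was posted. Nothing is opted in yet; this only mints
    the token embedded in the confirmation link sent to the address."""
    claims = {
        "email": normalise_email(email),
        "purpose": purpose,                            # e.g. "newsletter"
        "iat": int(time.time()) if now is None else now,
        "nonce": secrets.token_hex(8),                 # makes each token single-use
    }
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    return f"{body}.{_sign(body)}"


def verify_confirmation_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Step 2: the link was clicked. Returns the claims if the signature is
    genuine and the token is unexpired, otherwise None."""
    if "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(body), sig):      # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    current = int(time.time()) if now is None else now
    if current - int(claims["iat"]) > TOKEN_TTL_SECONDS:
        return None
    return claims


class ConsentLedger:
    """Consent evidence per (contact, purpose): what was agreed to, when,
    through which channel, and the proof that was retained."""

    def __init__(self) -> None:
        self._entries: dict = {}
        self._used_nonces: set = set()

    def record_confirmed(self, token: str, evidence: dict, now: Optional[int] = None) -> bool:
        """Step 3: only a valid, unused click creates the consent record (the
        affirmative action). Replaying an old link after a withdrawal fails."""
        claims = verify_confirmation_token(token, now)
        if claims is None or claims["nonce"] in self._used_nonces:
            return False
        self._used_nonces.add(claims["nonce"])
        stamp = datetime.fromtimestamp(int(time.time()) if now is None else now,
                                       tz=timezone.utc).isoformat()
        self._entries[(claims["email"], claims["purpose"])] = {
            "given_at": stamp, "channel": "web double opt-in",
            "evidence": evidence,                      # e.g. form URL, source IP, user agent
            "withdrawn": False}
        return True

    def record_other_channel(self, email: str, purpose: str, channel: str,
                             given_at: str, evidence: dict) -> None:
        """Consent captured verbally or by post, logged with its date and proof."""
        self._entries[(normalise_email(email), purpose)] = {
            "given_at": given_at, "channel": channel,
            "evidence": evidence, "withdrawn": False}

    def withdraw(self, email: str, purpose: str) -> None:
        entry = self._entries.get((normalise_email(email), purpose))
        if entry is not None:
            entry["withdrawn"] = True

    def may_send(self, email: str, purpose: str) -> bool:
        """Build marketing lists from this check, never from the raw form post."""
        entry = self._entries.get((normalise_email(email), purpose))
        return entry is not None and not entry["withdrawn"]
```

Consent is keyed per purpose, so a newsletter opt-in does not silently cover a different mailing, and the nonce list stops an old confirmation link from re-subscribing someone who has since withdrawn.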

10. Suppressing Unsubscribed Contacts

Connecting email marketing solutions such as dotmailer and ClickDimensions ensures that online unsubscribe instructions are written back to contact records as soon as they are received. Further controls suppress any subsequent marketing emails, avoiding a potential GDPR breach through repeatedly emailing people who have opted out of these communications.

For organisations that still need to send transactional or other non-marketing emails, ClickDimensions includes further subscription controls that allow emails to be sent even if recipients have opted out of marketing emails. This reflects processing of personal data under an alternative GDPR lawful basis that is not consent, such as fulfilling a contractual obligation.

11. Protect Marketing List Quality

Repeatedly sending marketing emails to people who are unresponsive has never been good practice and could now be ruled non-compliant with GDPR. While an organisation might hold a clear statement of consent from a contact as the basis for sending them marketing communications, this will be less credible if the person has not opened a sequence of messages for many months, which could be interpreted as an implied withdrawal of consent.

In these instances, for good data housekeeping and to keep marketing lists fresh, the recommended action would be to send a reactivation email or remove these people from marketing lists. GDPR heightens the need to identify unresponsive contacts and take the appropriate action to make sure there remains a lawful basis for continued marketing.

Again, the advantage of integrating email marketing with Dynamics 365 means that marketers can use a series of fields that will roll-up email campaign data to identify unresponsive contacts. Personalised list views and dashboards will highlight contacts who've never engaged with marketing emails as well as individuals who haven't recently been responsive so teams can take the appropriate course of action.

12. Avoid Duplicate Records

Duplicated records are the biggest cause of CRM data quality problems, and they undermine the quality of marketing lists. They are especially problematic when duplicate records contain conflicting consent statements, which creates GDPR compliance issues: two or more records may exist with different contact preferences for the same person and it is not clear which is correct. In another case, an organisation may believe it is complying with GDPR by deleting personal data that is no longer required, without knowing that a duplicate record exists which continues to store that personal data.

To manage duplicated records in Dynamics 365, and to stop them occurring, a specialist duplicate management solution is available from data8 to protect data quality.

13. Comply with the Right to be Forgotten

When a person exercises their right to erasure (also referred to as the right to be forgotten) in line with their rights under GDPR, organisations will need to respond accordingly. 

However, these requests raise wider considerations. There may still be a clear legal basis for continuing to process data in Dynamics 365, for example to fulfil a contract. There will also be cases where an organisation justifiably may not want to delete a record entirely, since that would also remove non-personal data that is useful for reporting, or helpful if the person makes contact again in the future.

As an alternative to deleting records, another solution from the data management experts at data8 enables Dynamics 365 users to select which fields hold personal data and have these erased or securely hashed when the right to be forgotten is invoked. Keeping a hashed key field such as the email address is a form of pseudonymisation: new records can be matched against the stored hashes, preventing data from being accidentally re-entered after the data subject has asked for it to be erased. One caveat worth checking with any such tool: a plain hash of an email address can be reversed simply by hashing guessed addresses, so the hash should be keyed with a secret (for example an HMAC) that is held outside the CRM.
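The erase-and-hash approach, as an added example that is not code from the original post nor from the data8 product. On an erasure request it blanks the personal fields on every matching record (so a duplicate does not survive with the data intact), keeps the business fields, and stores a keyed hash of the normalised email address; a later attempt to create a record with the same address is refused because it matches that hash. The same normalised key is what the duplicate check compares on, so the block also covers the duplicate problem from point 12. PSEUDONYMISATION_KEY, ContactStore and the field names are hypothetical, and the HMAC is used instead of a bare hash so the stored value cannot be reversed by guessing addresses.

```python
"""Right-to-erasure handling on a CRM contact record: wipe personal fields,
keep a keyed hash of the matching key, and use it to block re-entry.

Added illustration only; not code from the original post nor the data8 product.
PSEUDONYMISATION_KEY, ContactStore and the field names are hypothetical.
"""
import hashlib
import hmac
from typing import List

# Assumption: a secret key held outside the CRM. A plain SHA-256 of an email
# address is reversed by hashing candidate addresses, so a keyed HMAC is used;
# without the key the stored value reveals nothing about the address.
PSEUDONYMISATION_KEY = b"replace-with-a-secret-from-your-vault"

# Assumed field names: which fields carry personal data (erased) versus
# business data retained for reporting (kept untouched).
PERSONAL_FIELDS = ("firstname", "lastname", "emailaddress1", "telephone1",
                   "address1_line1", "address1_postalcode")
MATCH_KEY_FIELD = "emailaddress1"


def normalise_email(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' hash the
    same way; the duplicate check compares on this key too."""
    return email.strip().lower()


def pseudonymise(email: str) -> str:
    return hmac.new(PSEUDONYMISATION_KEY, normalise_email(email).encode(),
                    hashlib.sha256).hexdigest()


class ContactStore:
    """Stand-in for the contact entity: record id -> field dict."""

    def __init__(self) -> None:
        self.records: dict = {}
        self.erased_keys: set = set()        # HMACs of contacts who asked to be forgotten

    def find_by_email(self, email: str) -> List[str]:
        key = normalise_email(email)
        return [rid for rid, rec in self.records.items()
                if rec.get(MATCH_KEY_FIELD) and normalise_email(rec[MATCH_KEY_FIELD]) == key]

    def create(self, rid: str, fields: dict) -> bool:
        """Refuse a record whose key matches an erased contact (re-entry) or an
        existing one (duplicate)."""
        email = fields.get(MATCH_KEY_FIELD)
        if email and pseudonymise(email) in self.erased_keys:
            return False
        if email and self.find_by_email(email):
            return False
        self.records[rid] = dict(fields)
        return True

    def erase(self, email: str) -> int:
        """Handle an erasure request: blank personal fields on every matching
        record (duplicates included), keep non-personal fields, remember the hash.
        Returns how many records were erased."""
        key = pseudonymise(email)
        matches = self.find_by_email(email)
        for rid in matches:
            rec = self.records[rid]
            for field in PERSONAL_FIELDS:
                if field in rec:
                    rec[field] = None
            rec["erased_key"] = key               # pseudonymised match key kept on the record
            rec["gdpr_erased"] = True
        self.erased_keys.add(key)
        return len(matches)
```

Because the erased record's email field is blanked, it no longer turns up in `find_by_email`; only the HMAC remains, and that is enough to stop the address being re-imported from a spreadsheet or a second form submission weeks later.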

14. Using Web Portals to Display Personal Data

A Dynamics 365 web portal can be configured to display your privacy policy and other legal terms. Portal capabilities can also be used to show data subjects the personal data being processed in Dynamics 365. As well as basic contact details including name, email, phone and address, this could be configured to show consent details and contact preferences. Customers can then check that this detail is correct and request amendments or, if enabled, directly edit selected data within the portal. This increases transparency and may deflect some subject access requests, since individuals can access this detail on demand.

Demonstrating GDPR Compliance in Dynamics 365

As these examples demonstrate, there are various ways in which Dynamics 365 can be configured to support compliance with the new data protection legislation. GDPR has far-reaching implications for the management of personal data in Dynamics 365; to find out more, please get in touch to discuss implementing any of the points covered in this post.

Visit our GDPR hub to access more GDPR resources including PDFs, blog posts, white papers and recorded webinars.