GDPR & What It Means For CRM & Microsoft Dynamics 365 Users
The new General Data Protection Regulation (GDPR) is the most significant change to European Union (EU) privacy law in two decades, intended to bring it in line with current technologies.
This replaces the Data Protection Directive (DPD) that came into force in 1995 when web technology was in its infancy, before the arrival of cloud services and proliferation of mobile devices.
In the UK, our 1998 Data Protection Act (DPA) is in similar need of replacement as technology has evolved.
Many aspects of the DPD (and DPA) are now obsolete so new legislation is being passed to protect EU citizens and their data from being exploited.
GDPR requires organizations to respect and protect personal data – no matter where it is sent, processed or stored.
It imposes new rules on companies, non-profits, government agencies and other organizations that offer goods and services to people in the EU.
This is set to be an important step forward for individual privacy rights by giving EU residents greater control over their personal data, and removing ambiguity about the definition of personal data.
How GDPR will impact an organisation is less certain as each industry will face its own unique challenges with regards to data protection.
Another of the complexities of GDPR is that the regulation will vary across EU member states because each is an autonomous entity with its own laws and legislation.
The costs of non-compliance are set to prove significant in terms of reputation damage and financial penalties that could be as much as 4% of annual turnover, or €20m.
While there is currently uncertainty surrounding some of the detail and the implications of GDPR, this much we do know:
GDPR was first adopted in May 2016 with a 2 year transition period to give organisations time to bring themselves into compliance.
It applies to all organisations handling the data of EU citizens, and the regulation came into force on 25 May 2018.
Brexit will not matter – The Secretary of State for the Department for Culture, Media & Sport (DCMS) has confirmed that GDPR will apply in the UK from May 2018. The UK will still be part of the EU at this time and will need to be recognised as a safe data haven in order to continue trading with EU members. In August 2017, the UK government delivered a statement of intent for how a new Bill will bring the GDPR into UK law.
Privacy policies – in line with the new directive, privacy policies will need to be more detailed but written in plain language. Marketing teams will need to work with legal reps to review and rephrase these documents to ensure greater transparency.
Permission marketing – organisations will need to confirm they are the owner of an opted-in email address. GDPR also recognizes that permission is not indefinite and data would have to stop being used after a period of inactivity. Clearly this will impact on the usage of email addresses that are included in CRM marketing lists.
Given the ramifications of this directive, organisations are urged to begin reviewing their privacy and data management practices now.
Microsoft has shared a 5 step plan to begin the journey to GDPR compliance:
Microsoft has pledged to ensure anybody signing up to its cloud services will have a GDPR compliant solution.
It has set out three commitments that it's writing into its contracts to make firms automatically compliant. These are to help companies respond to any requests to correct, amend or delete personal data, detect and report data breaches, and demonstrate each company's compliance with the GDPR.
If you are a Microsoft Dynamics 365 customer, you can be sure that your instance of Dynamics will automatically meet the required EU compliance standard.
Within the application, controlling how and which users have access to personal data has always been crucial and is now even more of a priority in the context of GDPR compliance.
Established Dynamics 365 controls include granting users access permissions and privileges based on defined job roles and individual records, and restricting access to specific highly sensitive fields.
Azure Active Directory (Azure AD) is another solution to protect Dynamics 365 from unauthorized access by simplifying the management of users and groups and making it easy to revoke privileges.
Azure AD Privileged Identity Management is a further solution to reduce the risks associated with admin privileges through access control, management, and reporting.
Read more about how Microsoft is preparing for the new era in privacy regulation and specifically how Dynamics 365 helps to enable data privacy for GDPR compliance. To learn more about the GDPR visit the ICO website.
Using Microsoft services is a significant step towards being GDPR compliant, but more will depend on the capability of organisations to manage their customer information, and CRM technology will be a vital part of this process.
Organisations that don't currently have their email marketing service integrated with CRM should look to review these processes.
With the increasing importance of tracking customer opt in / out actions, having clear visibility of this information in one place alongside other customer data will be crucial to demonstrate GDPR compliance. Dynamics integrated solutions such as ClickDimensions and dotmailer already provide a clearer route to help make these processes GDPR compliant.
Contact Preact to find out more about connecting email marketing with Dynamics 365 / CRM.