How to manage the GDPR 'Right to Be Forgotten' in Microsoft Dynamics 365

To help Dynamics 365 users demonstrate compliance with the General Data Protection Regulation, Data8 has launched a GDPR management solution, data8 Provenance.

This includes new Microsoft Dynamics 365 processes for handling one of the headline aspects of the GDPR, the ‘Right to Erasure’, also known as the ‘Right to be Forgotten’.

Individuals have the right to ask an organisation to delete their personal data, but this does not necessarily provide an absolute ‘right to be forgotten’.

As with many aspects of the GDPR, complying with the right to erasure involves managing numerous elements including:

  • Handling the removal of personal data
  • Ensuring that your organisation doesn't contact the individual again
  • Providing an audit trail
  • Being aware of these actions if the person subsequently re-engages with you

In some instances, an organisation will continue to have legal grounds for processing this personal data. For example, it may have a legal obligation to do so, or it might be in the individual’s vital interests for the organisation to retain this personal information.

However, these will likely be exceptional circumstances. In most cases, to comply with the GDPR once such a request is made, individuals should no longer be contacted and their personal details should be removed from the database.

But how much data should be erased?

There may be key information that a business would justifiably want to maintain, which does not compromise this GDPR requirement but would be lost if the Dynamics contact record was deleted.

To minimise the costs involved in complying with a 'request for erasure' while preserving other important data, data8 Provenance adapts Dynamics deactivation functionality with a new status and a configurable process.

It is difficult to argue that the default Dynamics 365 / CRM deactivation would represent compliance with an erasure request. While this would remove a contact from a marketing list, preventing them from being contacted again, their personal data still exists in the system and could easily be accessed.

data8 Provenance introduces an erasure configuration entity enabling CRM admins to select which fields will be wiped when a 'GDPR Erasure' deactivation process is set.

In the example below, the first and last name fields have been set for erasure on this process but this could easily be extended to include phone and address fields.

The email address field has not been marked for erasure but is instead marked with a hash:

With the email address marked with a hash, the email address will be replaced with its hash upon deactivation and the contact record will only report this 'hashed' data. No Dynamics user will be able to access, report or retrieve the original email address.

As part of the 'GDPR Erasure' deactivation, rules can be defined to handle other records that are associated with a contact, including cases and activities, to have these records deleted or unlinked.

To maintain the subject’s data in future, you will need to know if they re-engage with you so that you can identify them and manage this process correctly. As such, it is important to know that an individual has previously issued a request for erasure.

By using this type of pseudonymization, if a user subsequently creates a new contact record using the original email address they will be alerted to the duplication.

This still does not reveal the original email address but with the logic rules built into the GDPR Manager solution, the user can see the deactivated 'hashed' record and act accordingly.
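The erase-then-detect flow described above can be sketched as follows. This is an added example, not Data8's code: the page does not say which hash data8 Provenance uses, so the sketch assumes HMAC-SHA-256 with a secret key held outside the CRM, because a plain unkeyed hash of an email address can be matched simply by hashing guessed addresses. The erasure configuration, function names and sample records are hypothetical.

```python
import hashlib
import hmac

# Assumed: a secret key held outside the CRM (e.g. in a key vault), so a
# stored token cannot be matched by hashing guessed addresses.
PEPPER = b"constructed-demo-key-not-for-production"

# Hypothetical erasure configuration: field name -> action on 'GDPR Erasure'.
ERASURE_CONFIG = {"firstname": "wipe", "lastname": "wipe", "emailaddress1": "hash"}

def email_token(email: str, key: bytes = PEPPER) -> str:
    """Keyed hash of the normalised address (trimmed, case-folded)."""
    normalised = email.strip().casefold().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def gdpr_erase(contact: dict, config: dict = ERASURE_CONFIG) -> dict:
    """Return a deactivated copy with configured fields wiped or hashed."""
    erased = dict(contact)
    for field, action in config.items():
        if erased.get(field) is None:
            continue
        if action == "wipe":
            erased[field] = None
        elif action == "hash":
            erased[field] = email_token(erased[field])
        else:
            raise ValueError(f"unknown erasure action: {action!r}")
    erased["status"] = "GDPR Erasure"
    return erased

def prior_erasures(new_email: str, contacts: list) -> list:
    """Erased records whose stored token matches a newly entered address."""
    token = email_token(new_email)
    return [
        c for c in contacts
        if c.get("status") == "GDPR Erasure"
        and hmac.compare_digest(c.get("emailaddress1") or "", token)
    ]

# Constructed sample records, not data from the page.
CONTACTS = [
    gdpr_erase({"id": 1, "firstname": "Ann", "lastname": "Lee",
                "emailaddress1": "Ann.Lee@example.com", "status": "Active"}),
    {"id": 2, "firstname": "Bob", "lastname": "Ray",
     "emailaddress1": "bob@example.com", "status": "Active"},
]
```

Normalising before hashing is what lets a re-entered address with different casing or stray whitespace still match the erased record.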

This is just one example of how data8 Provenance reduces GDPR complexity by helping Dynamics 365 / CRM users demonstrate their compliance.

To find out more and arrange a demonstration of this GDPR management solution please get in touch.