Microsoft Dynamics 365 Business Central and the GDPR
As described above, the GDPR is intended to apply to the processing of personal data whatever technology is used. Because Business Central may be used to process personal data, Business Central users should pay close attention to the following GDPR requirements, identified by their Articles (this is not to the exclusion of other Articles containing GDPR requirements with which you must comply):
- Consent (Article 7) – Under the new regulation, there must be a basis for any processing. If the basis is consent, that consent must be demonstrable and “freely given.” Furthermore, the data subject must also have the right to withdraw consent at any time. This may change how marketing and sales activities are managed.
- Rights to access (Article 15), rectification (Article 16), and erasure (Article 17) – Under the GDPR, mechanisms need to be provided for data subjects to request access to their personal data and receive information on the processing of that data, to rectify personal data if incorrect, and to request the erasure of their personal data, sometimes known as the “right to be forgotten”. You should ensure any personal data that is requested to be erased does not conflict with other obligations you may have around data retention (e.g., proof of payment, proof of tax).
- Documentation (Articles 24 and 30) – An important aspect of the GDPR is to maintain audit trails and other evidence to demonstrate accountability and compliance with the GDPR requirements, and to maintain an inventory of your organization’s personal data detailing categories of data subjects and the personal data held by the organization.
- Privacy by design (Article 25) – This is a key element of the GDPR. It requires controllers and processors to implement the necessary privacy controls, safeguards, and data protection principles, such as minimizing the data collected, not just at the time of processing but, in advance, when determining the means of processing.
- Data security (Articles 25, 29, and 32) – The GDPR requires controllers and processors to control access to personal data (e.g., role-based access, segregation of duties) and implement appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of that data and processing systems.

Key GDPR Steps:
- Discover – identify what personal data you have and where it resides.
- Manage – govern how personal data is used and accessed.
- Protect – establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- Report – execute on data requests, report data breaches, and keep required documentation.

Key features within Microsoft Dynamics 365 Business Central can be brought to bear on the important steps of your journey toward GDPR compliance – Discover, Manage, Protect, and Report. It should be noted that there are many other ways of achieving GDPR compliance, and you can customize your Business Central solution design to meet your business and solution requirements.