Supporting Your EU GDPR Compliance Journey With Microsoft Dynamics 365 Business Central

The GDPR and Its Implications

The GDPR is a complex regulation that may require significant changes in how you gather, use and manage personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it comes to preparing for the GDPR, we are your partner on this journey.

The GDPR imposes new rules on organizations established in the European Union (EU) and on organizations – wherever they are located – that offer goods and services to people in the EU or that monitor the behavior of people that takes place in the EU. Among the key elements of the GDPR are the following:

  • Enhanced personal privacy rights – strengthened data protection for individuals within the EU by ensuring they have the right to: access their personal data, correct inaccuracies in that data, have their personal data erased upon request, object to the processing of their personal data, and move their personal data;
  • Increased duty for protecting personal data – reinforced accountability of companies and public organizations that process personal data, providing increased clarity of responsibility in ensuring compliance;
  • Mandatory personal data breach reporting – companies are required to report personal data breaches to their supervisory authorities without undue delay, and generally no later than 72 hours; and
  • Significant penalties for non-compliance – steep sanctions, including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply.

Microsoft Dynamics 365 Business Central and the GDPR

As described above, the GDPR is intended to apply to the processing of personal data whatever technology is used. Because Business Central may be used to process personal data, there are certain requirements within the GDPR (noted below by references to the relevant GDPR Articles) to which Business Central users should pay close attention (though not to the exclusion of other Articles containing GDPR requirements with which you must comply):

  • Consent (Article 7) – Under the new regulation, there must be a basis for any processing. If the basis is consent, that consent must be demonstrable and “freely given.” Furthermore, the data subject must also have the right to withdraw consent at any time. This may change how marketing and sales activities are managed.
  • Rights to access (Article 15), rectification (Article 16), and erasure (Article 17) – Under the GDPR, mechanisms need to be provided for data subjects to request access to their personal data and receive information on the processing of that data, to rectify personal data if incorrect, and to request the erasure of their personal data, sometimes known as the “right to be forgotten”. You should ensure any personal data that is requested to be erased does not conflict with other obligations you may have around data retention (e.g., proof of payment, proof of tax).
  • Documentation (Articles 24 and 30) – An important aspect of the GDPR is to maintain audit trails and other evidence to demonstrate accountability and compliance with the GDPR requirements, and to maintain an inventory of your organization’s personal data detailing categories of data subjects and the personal data held by the organization.
  • Privacy by design (Article 25) – This is a key element of the GDPR. It requires controllers and processors to implement the necessary privacy controls, safeguards, and data protection principles, such as minimizing the data collected, not just at the time of processing but, in advance, when determining the means of processing.
  • Data security (Articles 25, 29, and 32) – The GDPR requires controllers and processors to control access to personal data (e.g., role-based access, segregation of duties) and implement appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of that data and processing systems.

Key GDPR Steps

  • Discover – identify what personal data you have and where it resides.
  • Manage – govern how personal data is used and accessed.
  • Protect – establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  • Report – execute on data requests, report data breaches, and keep required documentation.

Key features within Microsoft Dynamics 365 Business Central can be brought to bear on the important steps of your journey toward GDPR compliance – Discover, Manage, Protect, and Report. It should be noted that there are many other ways of achieving GDPR compliance, and you can customize your Business Central solution design to meet your business and solution requirements.
