Create overview and make a plan – GDPR has a lot of impact

Do you work with personal data from individuals from the EU? Then the General Data Protection Regulation (GDPR) has an impact on your organization. In a negative sense, because the fines are so strong from May 2018 onwards that you do not want to risk them. But also in a positive sense: the sooner you comply with the GDPR, the more trust you win from your customers. Because privacy is for an increasing number of people – including your customers or members – becoming a top priority.

This blog therefore focuses on the impact of the GDPR on your business operations and which first steps you now can take towards GDPR compliance. How do you create an overview and set up an approach with which you prepare your organization and your Dynamics 365 environment well?

Step 1: which personal data do you actually have?  

You are obliged to make an inventory of all so-called ‘PII’ person identifiable information – in a data inventory. This is stated in Article 30 of the GDPR. To do this, you first need to find out what PII you actually have in house. In the data register you then collect all structured PII, for example from your databases, and your unstructured PII, such as data from e-mails and documents in (shared) folders. To that data you link information such as:

  • Purpose of processing
  • A categorization of data subjects and of the categories of personal data
  • The categories of recipients of the PII data
  • Transfers to third countries or an international organization
  • Time limits for erasure per data category

In addition, you must include the contact details of your company and your DPO (Data Protection Officer), plus the general and organizational security measures (Article 32 of the GDPR) that you take to adequately protect your PII.

Has there been a data breach and does the relevant Authority discover that you do not have a data register? Then you will most likely get a fine. Strong fines have already been paid in the US. It is precisely when a data breach is not reported that the fines are substantial. Are you reporting a data breach neatly on time and do you have a data register? Then the chances that you will be fined are much smaller. 

Step 2: create a data inventory in Dynamics 365

You can create a data inventory in Dynamics 365 Business applications (CRM). On this Microsoft site you can read how you do that. See also this screenshot:

Blog2 screenshot MSFT dataregister maken

Source: Microsoft


In Dynamics 365 Enterprise (ERP) it is also possible to create a data register. Use, for example, the Azure Data Catalog and the so-called ‘entities’ of Dynamics 365 Enterprise. For example, take the next steps to use the entities to create a data register:

  • Create a template entity, containing all entities that contain personal information (address book, supplier data, customer data, transactions, etc.).
  • Export this data, analyze them and record the different PII categories.
  • Use this as the basis for your data register.


GDPR – overview of the impact

Personal privacy

Controls and notifications

Transparent business management

IT and training

Individuals have the right to:

Organizations are required to:

Organizations are required to:

Organizations are required to:

- View own data

- Use appropriate security measure to protect personal data

- Clearly communicate when they process personal data.

- Train employees to handle personal data correctly.

- Correct errors in own data.

- Inform autorities about a data breach.

- Inform why personal data are processed.

-  Audit and update data policy.

- Remove data.

- Ask for a consent for processing of personal data.

- Have a data retention policy.

- Employ a Data Protection Officer (DPO, required in most cases)

- To object to the way data is processed.

- Maintain detailed documentation.


- Create and manage compliant contracts with data processors.

- Export their peronal data.


Based on a presentation from Microsoft, November 2017.

Step 3: create a planning

In a planning you determine what the most important activities are. For example:

  • organizational and technical measures for security,
  • procedures for data breach notification,
  • organizing training to make everyone in the company aware of the importance of reporting a data breach.

If you are dealing with a data breach, you only have 72 hours (!) to report it. That is why it is imperative that all your employees know what to do when a breach occurs.

A tool such as the Microsoft Compliance Manager helps you start your planning. You will find a good overview of the requirements that you have to meet. Read more about it in my review of this tool.

Step 4: follow my blog

In the coming months I will help you getting ready for the GDPR (not only) with Microsoft Dynamics 365. In this way I will help you to prepare for the arrival of the GDPR – step – by – step. Always consult with your legal adviser about the measures you take and whether they are sufficient, specifically for your organization. Tip: send the blog to your colleagues. To prevent a data breach from escaping your attention, well-informed colleagues are crucial. In my next blog I will go into that further.

Hiding data breach? A heavy fine!
In the US, a scandal recently occurred around a hack at Uber. Not because of the hack itself – although it was also quite impressive – but the scandal was mainly that Uber had concealed the hack for a year. They even paid the hackers 100,000 US dollars to keep the theft of data from 57 million customers and employees silent, as stated by The Guardian.

Another American company received a record fine of 115 million US Dollar earlier in 2017 for concealing a hack. In the Netherlands, Aleid Wolfsen, chairman of the Dutch Data Protection Authority, stated in the FD that they will soon not issue a ‘volume discount’ for violations. Good preparation is thus not a luxury.


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2018 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.