Do you process personal data of individuals in the EU? Then the General Data Protection Regulation (GDPR) affects your organization. In a negative sense, because from 25 May 2018 the fines are so high that you do not want to risk them. But also in a positive sense: the sooner you comply with the GDPR, the more trust you earn from your customers, because for a growing number of people, including your customers or members, privacy is becoming a top priority.
This blog therefore focuses on the impact of the GDPR on your business operations and on the first steps you can take now towards GDPR compliance. How do you create an overview and set up an approach that prepares both your organization and your Dynamics 365 environment properly?
Step 1: which personal data do you actually have?
Article 30 of the GDPR obliges you to keep a record of processing activities, in practice a data register or data inventory, covering all personal data you process. Note that the GDPR's notion of personal data is broader than the American term PII (personally identifiable information) used in this blog: any information relating to an identifiable natural person counts. To build the register, you first need to find out what personal data you actually have in house. You then collect both structured personal data, for example from your databases, and unstructured personal data, such as data in e-mails and in documents in (shared) folders. To that data you link information such as:
- Purpose of processing
- The categories of data subjects and the categories of personal data
- The categories of recipients of the personal data
- Transfers to third countries or to an international organization
- The envisaged time limits for erasure per data category
In addition, you must record the contact details of your company and of your DPO (Data Protection Officer), plus a general description of the technical and organizational security measures (Article 32 of the GDPR) that you take to protect the personal data adequately.
Has there been a data breach, and does the supervisory authority then discover that you have no data register? Then a fine is very likely. Substantial fines have already been paid in the US, and it is precisely when a data breach is not reported that the fines are highest. If you report a data breach neatly on time and can show your data register, the chance of a fine is considerably smaller.
Step 2: create a data inventory in Dynamics 365
You can create a data inventory in the Dynamics 365 business applications (CRM). The Microsoft documentation site describes how to do that. See also this screenshot:
In Dynamics 365 Enterprise (ERP) it is also possible to create a data register. Use, for example, Azure Data Catalog together with the so-called data entities of Dynamics 365 Enterprise. The steps below show how to use the entities as the starting point for a data register:
- Create a template (data project) that contains all entities holding personal data (address book, supplier data, customer data, transactions, etc.).
- Export these data, analyze them and record the different categories of personal data you find.
- Use the result as the basis for your data register.
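The three steps above can be partly automated. The script below is an added example and is not code from the original blog, from KPMG or from Microsoft: it takes exported entity data as CSV text, flags columns that look like personal data by column name and, as a fallback, by the shape of the values, and turns the findings into skeleton register entries in which the Article 30 fields (purpose, recipients, retention) are left for you to fill in. The entity names and column names are constructed to resemble Dynamics 365 exports but are assumptions, as are the sample rows and the category labels.

```python
"""Build a first-pass data register from exported Dynamics 365 entity data.

Added example (not part of the original blog). Entity names, column names,
sample rows and category labels are constructed assumptions.
"""
import csv
import io
import re

# Constructed sample exports: in practice these are the CSV files produced by
# exporting the entities in your data project. No real persons are described.
SAMPLE_EXPORTS = {
    "CustomerV3": (
        "CUSTOMERACCOUNT,NAME,PRIMARYCONTACTEMAIL,PRIMARYCONTACTPHONE,"
        "ADDRESSCOUNTRYREGIONID,CREDITLIMIT\n"
        "C0001,Anna Example,anna@example.org,+31 20 555 0100,NLD,10000\n"
        "C0002,Bert Voorbeeld,bert@example.net,+49 30 555 0200,DEU,5000\n"
    ),
    "VendorV2": (
        "VENDORACCOUNT,NAME,TAXEXEMPTNUMBER,PAYMENTTERMS\n"
        "V0001,Acme Supplies B.V.,NL001234567B01,NET30\n"
    ),
    "SalesOrderHeader": (
        "SALESORDERNUMBER,CUSTOMERACCOUNT,ORDERDATE,TOTALAMOUNT,CONTACTREF\n"
        "SO0001,C0001,2018-05-25,199.00,anna@example.org\n"
        "SO0002,C0002,2018-05-26,49.50,\n"
    ),
}

# Column-name heuristics: a regex on the column name mapped to a category.
# Assumed category labels; align them with the categories in your register.
NAME_RULES = [
    (re.compile(r"email", re.I), "contact data (e-mail)"),
    (re.compile(r"phone|mobile|fax", re.I), "contact data (telephone)"),
    (re.compile(r"^name$|firstname|lastname|surname|contactperson", re.I),
     "identification data (name)"),
    (re.compile(r"address|street|city|zipcode|postalcode|countryregion", re.I),
     "address data"),
    (re.compile(r"birth|dateofbirth|dob", re.I), "date of birth"),
    (re.compile(r"iban|bankaccount|creditcard", re.I), "financial data"),
    (re.compile(r"tax|ssn|nationalid|passport", re.I), "government identifiers"),
]

# Value-shape heuristics catch personal data hiding behind an unhelpful column
# name (here CONTACTREF). Applied only when no name rule matched.
VALUE_RULES = [
    (re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I), "contact data (e-mail)"),
    (re.compile(r"^\+?[0-9][0-9 \-()]{7,}$"), "contact data (telephone)"),
]

# ISO dates and plain numbers are never classified by value: otherwise an
# order date would match the telephone pattern.
NON_PII_VALUE = re.compile(r"^\d{4}-\d{2}-\d{2}$|^-?\d+(\.\d+)?$")


def classify_column(column, values):
    """Return the personal-data category for one column, or None."""
    for pattern, category in NAME_RULES:
        if pattern.search(column):
            return category
    candidates = [v for v in values if v and not NON_PII_VALUE.match(v)]
    if not candidates:
        return None
    for pattern, category in VALUE_RULES:
        hits = sum(1 for v in candidates if pattern.match(v))
        if hits * 2 > len(candidates):  # majority of the non-empty values match
            return category
    return None


def build_register(exports):
    """Map each entity to {category: [columns]} for the columns flagged."""
    register = {}
    for entity, text in exports.items():
        rows = list(csv.DictReader(io.StringIO(text)))
        findings = {}
        for column in (rows[0].keys() if rows else []):
            category = classify_column(column, [r[column] for r in rows])
            if category:
                findings.setdefault(category, []).append(column)
        register[entity] = findings
    return register


def register_rows(register):
    """Skeleton Article 30 entries: one per entity and category, with the
    fields that only the business can answer left blank for the reviewer."""
    rows = []
    for entity, findings in register.items():
        for category, columns in findings.items():
            rows.append({"entity": entity, "category": category,
                         "columns": ", ".join(columns),
                         "purpose": "", "recipients": "",
                         "third_country_transfer": "", "retention": ""})
    return rows


if __name__ == "__main__":
    for row in register_rows(build_register(SAMPLE_EXPORTS)):
        print(row)
```

The heuristics only nominate candidates: a company name in VendorV2 is not personal data, while the same column in a sole-trader record is, so every flagged column still needs a human decision before it goes into the register. Keep the unflagged columns in view as well; a free-text notes field can carry personal data that no name or value rule will catch.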
Step 3: create a planning
In a plan you determine what the most important activities are. For example:
- organizational and technical security measures,
- procedures for data breach notification,
- training to make everyone in the company aware of the importance of reporting a data breach.
If you are dealing with a data breach, you have only 72 hours (!) after becoming aware of it to report it to the supervisory authority. That is why it is imperative that all your employees know what to do when a breach occurs.
A tool such as Microsoft Compliance Manager helps you start your planning: it gives a good overview of the requirements you have to meet. Read more about it in my review of this tool.
Step 4: follow my blog
In the coming months I will help you get ready for the GDPR, not only with Microsoft Dynamics 365. In this way I will help you prepare for the arrival of the GDPR step by step. Always consult your legal adviser about the measures you take and whether they are sufficient for your specific organization. Tip: send this blog to your colleagues. Well-informed colleagues are crucial if a data breach is not to escape your attention. In my next blog I will go into that further.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2018 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.