GDPR-compliant with Dynamics 365 for business (CRM)

Blog 6: GDPR-compliant with Dynamics CRM
In a month's time the new European privacy law comes into force. In a series of blogs I am helping you prepare for it. Last time I looked at the Microsoft ERP software Dynamics 365 for Finance and Operations; this time it is the turn of the CRM side. My English colleague and CRM specialist Simon Morris describes in this blog how your company can be GDPR-compliant by using components that are available as standard within the Dynamics CRM business solutions, and what you need to keep in mind. He focuses in particular on functionality around the data of members, customers and marketing, because that is, after all, the core of every CRM.



Simon Morris, Dynamics 365 Solutions Architect at KPMG Crimsonwing:

Hi, I’ve been in the CRM space for over twenty years and during that time have seen a lot of changes around how we identify, acquire and manage people’s personal data on our CRM systems. GDPR is, by a large margin, the most fundamental change to data privacy rules I have ever seen, so I thought I would pen a few small pieces highlighting how, from a CRM perspective, the new GDPR regulations impact your customer-facing systems, and shine a light on the sorts of measures you will need to take to avoid falling foul of GDPR in the future. I’m going to start off with the basics and work my way up.


What standard features in Dynamics 365 for Sales and Service can we use to help us be GDPR Compliant?

Well, let’s be honest. There is not a whole load of stuff in Dynamics 365 for Sales and Service that helps us identify or manage our PII (personally identifiable information) to the level of granularity we’ll need in order not to get a sweat on if the GDPR auditors come knocking on our door. Sure, Microsoft have handled all the data security and encryption for us, as long as you are hosting your data in their cloud. However, they’ve not provided a lot of out-of-the-box features in Dynamics 365 that help us answer the question ‘prove you have a right to have this data in the first place’. So what could you look at to help?


Low-hanging fruit: point of entry

Lead source codes were originally created primarily to allow you to differentiate the channels through which you first got the information, such as Web, Email, Phone, Marketing List etc. You could add some additional ones to get a little more granularity, such as a specific web landing page reference or a named external marketing list. This would at least allow you to review the content of the landing page to see what PII the individual agreed to share with you and what you said you would do with it, or to examine the terms of the agreement with the relevant marketing list provider to see what the data usage policy is or was. This is a bit of a fig leaf though, and even if you have this information on your system I wouldn’t feel that I had met my GDPR obligations.


Use the campaigns

Source Campaigns are useful if we are just talking about working out what marketing consents we have, as quite a lot of detail can be recorded in a campaign relating to the communication with the individual: what was sent to them and what their responses were. You can also associate campaigns with specific products or brands. This at least gives you some background information if you are challenged as to why you hold this data. However, there is nothing in campaigns that allows you to determine how long you can hold the data for and, importantly, they are not mandatory fields, so you may have a large number of records that have no source campaign at all. So again they go a bit of the way, but not enough to allow you to put your feet up.


New Microsoft marketing module and consent

On the plus side, if you look at the new Marketing module Microsoft has provided, there are some new fields relating to whether you have ‘Consent’ to use the record and when that consent expires. To be honest I was a bit surprised to see this, as it’s Microsoft’s first foray into genuine GDPR-related functionality and all the talk around the industry to date has been on how end users can extend their systems to be compliant or how ISVs will plug the gap.


At face value these new fields look like they can be set and unset manually, so make sure you have decided under what conditions they can be set or unset, and have sorted out your field and record security accordingly, before relying on them. The other thing is that to get these three fields you have to pay for the Marketing module which, at the time of writing, is only available in Dynamics 365, so no help for on-premise users! And to top it all, the Marketing module is not free, so if you want these additional fields you’re going to have to shell out some hard-earned cash.


Put basic tick-boxes to use

The other key area where you can use standard functionality in Dynamics 365 for Sales and Service is the standard tick-box controls that have been in CRM since day one, namely the ‘Do Not Allow’ fields for Email, Phone, Mail etc. Whilst these don’t do anything to explain why you have the data in the first place, they do at least let you try to prevent yourself doing things with the data that you don’t have permission to do.


The marketing materials flag & unsubscribe links

For most businesses the most important one is the ‘Marketing Materials’ flag. If this flag is cleared then your contact cannot be included in marketing campaigns that are created and run from Dynamics 365. This gives you some protection from a GDPR breach. You can also enable the Unsubscribe links in your outbound CRM emails to give the end user a simple mechanism for opting out of further marketing communication.


Check selection criteria for exports

If you are using external marketing tools, or creating marketing lists for distribution to a fulfilment house, then go and check that the query you use to extract the data takes account of the ‘Send Marketing Materials’ flag and whichever channel permission flag is relevant. So if you are generating a list for a phone campaign then ensure that the ‘Phone’ flag is ‘Allow’; if it’s for a mail campaign then check the ‘Mail’ flag, and so on.
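The check described above, and the ‘Do Not Allow’ / ‘Marketing Materials’ flags from the two preceding sections, can be applied mechanically to an export before it leaves the system. The following is an added example written for this post, not code from the original post or from Microsoft. It assumes the standard Contact attribute logical names (`donotsendmm`, `donotemail`, `donotbulkemail`, `donotphone`, `donotpostalmail`, `donotfax`), where a value of true means ‘Do Not Allow’; the sample records are constructed. It filters an in-memory export for a given channel, fails closed when a flag is missing from the export, and produces the equivalent FetchXML filter fragment so the same rule can be built into the extract query itself.

```python
"""Filter a Dynamics 365 contact export by marketing-permission flags.

Added example for this post. Attribute logical names are assumed from the
standard Contact entity schema; true means 'Do Not Allow' for each flag.
"""

# Campaign channel -> the 'Do Not Allow' attribute that governs it (assumed schema names).
CHANNEL_FLAGS = {
    "email": "donotemail",
    "bulk_email": "donotbulkemail",
    "phone": "donotphone",
    "mail": "donotpostalmail",
    "fax": "donotfax",
}

# The 'Send Marketing Materials' flag applies to every channel.
MARKETING_MATERIALS_FLAG = "donotsendmm"


def may_contact(record, channel):
    """Return True only if the record allows marketing materials AND the channel.

    A flag that is absent from the export is treated as 'Do Not Allow'
    (fail closed): an incomplete extract must not be read as consent.
    """
    if channel not in CHANNEL_FLAGS:
        raise ValueError(f"unknown channel: {channel!r}")
    if record.get(MARKETING_MATERIALS_FLAG, True):
        return False
    if record.get(CHANNEL_FLAGS[channel], True):
        return False
    return True


def build_marketing_list(records, channel):
    """Records that may be handed to the fulfilment house for this channel."""
    return [r for r in records if may_contact(r, channel)]


def excluded_ids(records, channel):
    """Ids removed by the check; useful as an audit trail for the extract."""
    return [r["contactid"] for r in records if not may_contact(r, channel)]


def fetchxml_filter(channel):
    """Equivalent FetchXML <filter> to embed in the export query (assumed form)."""
    flag = CHANNEL_FLAGS[channel]
    return (
        '<filter type="and">'
        f'<condition attribute="{MARKETING_MATERIALS_FLAG}" operator="eq" value="0" />'
        f'<condition attribute="{flag}" operator="eq" value="0" />'
        "</filter>"
    )


# Constructed sample export (not real contacts).
SAMPLE_CONTACTS = [
    {"contactid": "c1", "donotsendmm": False, "donotphone": False, "donotpostalmail": True},
    {"contactid": "c2", "donotsendmm": True, "donotphone": False, "donotpostalmail": False},
    {"contactid": "c3", "donotsendmm": False, "donotphone": True, "donotpostalmail": False},
    {"contactid": "c4", "donotsendmm": False},  # channel flags missing -> excluded
]


if __name__ == "__main__":
    for ch in ("phone", "mail"):
        allowed = [r["contactid"] for r in build_marketing_list(SAMPLE_CONTACTS, ch)]
        print(ch, "allowed:", allowed, "excluded:", excluded_ids(SAMPLE_CONTACTS, ch))
        print(fetchxml_filter(ch))
```

Running the script against the constructed sample shows that only c1 survives a phone extract and only c3 a mail extract; c4 is dropped from both because its channel flags never made it into the export, which is exactly the case where an unchecked query would silently include a contact whose permissions were never evaluated.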


Last but not least: adjust your settings

One small thing you should check on your Personal Settings page is that the tick box on the ‘Email’ tab that says ‘Automatically create records in Microsoft Dynamics 365’ is turned off. It’s a bit pointless to try to be compliant with GDPR when in the background the system is creating contacts or leads for which you have no mandate to hold or process. Make them contacts or leads only once the relevant agreements with them to hold their data are in place.



About these GDPR blogs

GDPR stands for General Data Protection Regulation, the new European privacy law. It comes into force on 25 May. Do you work with personal data? Then the GDPR (in Dutch: Algemene Verordening Gegevensbescherming) has an impact on your organisation. In a series of blogs I write, as a security specialist at KPMG Crimsonwing, about this impact.