
GDPR and Dynamics 365 - the Waldorf and Statler perspective


GDPR is one of the biggest changes in European Union (EU) privacy law in about two decades, and it will go into effect on May 25th of this year. It imposes a set of new rules and policies and will affect Dynamics CRM/365 deployments. In this session we will get the Waldorf and Statler perspective: "Dynamics 365 and GDPR: boo! It was terrible. Well it isn't that bad. Oh yeah? Well it works good actually. It is great! More! More!"

Published in: Software

  1. 5/3/2018 – GDPR and Dynamics 365 – the Waldorf and Statler perspective. Joris Poelmans, Realdolmen, @jopxtwits; Stephane Dorrekens, Business Elements, @stephanedujour.
     Interactive session:
     • GDPR introduction & basics
     • Impact on Dynamics 365
     • Real life examples
     Remarks:
     • Share your feedback
     • No simple answers
     • Inspired by sessions from @MimCRM (Mohamed Mostafa, CRM MVP)
     • Not an exclusive list of considerations or solution design approaches
     • Disclaimer: no warranty! J
  2. The EU launched the Data Protection Directive back in 1995, when <1% of EU citizens accessed the internet. J
     Things are about to change …
     • Extension of existing privacy practices
     • Enforcement of regulation vs recommendations & guidelines J
  3. New framework: GDPR
     • Into effect on May 25th 2018
     • Modernize the obsolete 95 directive
     • Create a unified EU law to replace the current haywire of inconsistent frameworks
     • Applies both to processors and controllers
     • Administrative sanctions – up to 20 mio EUR or 4% of yearly turnover J
     Data processing must comply with 6 GDPR principles:
     1. Lawfulness, fairness and transparency
     2. Purpose limitation
     3. Retention
     4. Integrity and confidentiality
     5. Data minimization
     6. Accuracy J
     "the controller shall be responsible for, and be able to demonstrate, compliance with the principles"
  4. What is processing? S
     Key changes in GDPR:
     • Single set of rules across the EU – territorial scope
     • One stop shop
     • New rights for individuals:
       • Subject consent expands
       • Insight into data
       • Right to be forgotten
     • Extra accountability and responsibility for data controllers
     • Data portability
     • Data breach notification
     • Data Protection Impact Assessments
     • Appointing a Data Protection Officer
     • Higher sanctions (€€€) S
  5. Impacted areas in Dynamics 365:
     • Data classification (PII and sensitive data)
     • Consent and data access controls
     • Auditing, monitoring, security and reporting
     • Governance S
  6. Data classification – PII and sensitive data
     • Name, address, email, date of birth
     • Identification number (e.g. RRN)
     • Location data (address, GPS/geolocation)
     • Online identifiers (IP addresses, cookies, …)
     • Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity (hobbies and leisure, …) J
     Sensitive: racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, health data, union membership, sexual orientation, etc.
     Data classification – challenge of duplicate/incomplete customer records J
     Sample records from the slide, three rows for what may be one person:
     • Mia Smith, m.smith@hotmail.com
     • Ms. Smith, mia.smith@gmail.com
     • Ms. Mia Smith, mia.smith@gmail.com, 25/5/1992, 003277979794
  7. Data classification – deduplication using machine learning
     • Video: https://www.tamr.com/video/tamr-helping-toyota-motor-europe-create-connected-seamless-customer-experience/ J
     Data classification – Dynamics 365 design options/considerations
     • The 5 Ws of personal data
     • Use multiple forms: minimum & full; separate non-sensitive and sensitive data; apply field level security
     • Limit/remove data export privileges
     • Security roles, access teams, field level security, business units
     • Consider storing sensitive data in a data warehouse for aggregate reporting only
     • Run regular "Bulk delete" jobs to satisfy your data retention policies (taking into account interactions/transactions)
     • What about file and email attachments? J
  8. Consent and data access controls S
  9. Consent and data access controls – Dynamics 365 design options/considerations
     • Capture consent information in CRM
       • Web site (CRM Portal, customer web sites, …)
       • Landing pages (Dynamics Marketing, ClickDimensions, Adobe, …)
       • Self-service portals (i.e. Myxxxx)
       • Internal systems (i.e. DWH, mainframe, etc.)
       • NB: for GDPR, consent is not per person but per contact point and per usage/purpose (i.e. email, phone, etc.)
     • Use consent information in CRM
       • Outbound integration with digital marketing tools
       • Outbound integration with call centers
       • OOB campaign activity
       • NB: CRM OOB usage is per contact/lead, not per contact point S
     Consent and data access controls – Dynamics 365 design options/considerations (continued)
     • Consent audit log
       • Not sufficient if records can be deleted -> no delete
     • Opt-in vs opt-out
     • Right to be forgotten, portability & access to own data
       • Properly identify the person (see Governance)
       • It's easier to delete data for non-customers, but easier to identify customers
       • Use a unique identifier to find all related data in all systems (i.e. the CRM GUID is a good option)
       • Not all data CAN be deleted, as some is needed for operational or legal archiving
       • Bulk delete is often not enough; think about other data retention systems (DWH, BI, backups, Excel, etc.) S
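The consent and erasure points on this slide, together with the bulk-delete/retention bullet on slide 7, as an added Python example. This is not code from the deck and not the Dynamics 365 data model: it models consent captured per contact point and purpose rather than per contact, an append-only consent log, and an erasure request that locates every record by the CRM contact GUID and retains only what is under a legal or operational hold. The system names (`crm`, `dwh`, `marketing`), record kinds, the GUID and all sample data are constructed for the example.

```python
"""Consent per contact point, and erasure planning keyed on the CRM GUID.

Added example, not code from the slide deck or from Dynamics 365. It models
the design points from the consent slides: consent captured per contact point
and purpose rather than per contact, an append-only consent log, and an
erasure request that finds every record by the CRM contact GUID and retains
only what is under a legal or operational hold. System names, record kinds,
the GUID and the sample data are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import uuid


@dataclass(frozen=True)
class ConsentEvent:
    contact_id: uuid.UUID   # the CRM GUID, the one key shared by every system
    channel: str            # "email", "phone", ...
    contact_point: str      # the address or number the decision applies to
    purpose: str            # "newsletter", "service_notice", ...
    granted: bool
    recorded_at: datetime
    source: str             # portal, landing page, call center, ...


class ConsentLog:
    """Append-only: a later event supersedes an earlier one, nothing is removed."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def current(self, contact_id: uuid.UUID, channel: str,
                contact_point: str, purpose: str) -> Optional[bool]:
        """Latest decision for one contact point and purpose; None if never captured."""
        matching = [e for e in self._events
                    if (e.contact_id, e.channel, e.contact_point, e.purpose)
                    == (contact_id, channel, contact_point, purpose)]
        if not matching:
            return None
        return max(matching, key=lambda e: e.recorded_at).granted

    def history(self, contact_id: uuid.UUID) -> List[ConsentEvent]:
        """Full trail for a subject access request, including superseded decisions."""
        return [e for e in self._events if e.contact_id == contact_id]


@dataclass
class StoredRecord:
    system: str                             # constructed: "crm", "dwh", "marketing"
    contact_id: uuid.UUID
    kind: str                               # "contact", "invoice", "campaign_member"
    hold_until: Optional[datetime] = None   # end of a legal/operational retention period


def plan_erasure(records: List[StoredRecord], contact_id: uuid.UUID, now: datetime
                 ) -> Tuple[List[StoredRecord], List[Tuple[StoredRecord, str]]]:
    """Every record tied to the GUID, split into delete-now and retain-with-reason."""
    delete, retain = [], []
    for r in records:
        if r.contact_id != contact_id:
            continue
        if r.hold_until is not None and r.hold_until > now:
            retain.append((r, f"{r.kind} in {r.system} held until {r.hold_until.date()}"))
        else:
            delete.append(r)
    return delete, retain


def demo() -> Dict[str, object]:
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    mia = uuid.UUID("00000000-0000-4000-8000-000000000001")  # constructed GUID
    log = ConsentLog()
    # Two addresses, one purpose: each decision lives on its own contact point.
    log.record(ConsentEvent(mia, "email", "mia.smith@example.com", "newsletter",
                            True, now - timedelta(days=400), "landing_page"))
    log.record(ConsentEvent(mia, "email", "m.smith@example.net", "newsletter",
                            False, now - timedelta(days=300), "portal"))
    # A later opt-out supersedes the earlier opt-in for the first address.
    log.record(ConsentEvent(mia, "email", "mia.smith@example.com", "newsletter",
                            False, now - timedelta(days=10), "call_center"))
    records = [
        StoredRecord("crm", mia, "contact"),
        StoredRecord("marketing", mia, "campaign_member"),
        StoredRecord("dwh", mia, "invoice", hold_until=now + timedelta(days=365 * 7)),
    ]
    delete, retain = plan_erasure(records, mia, now)
    return {
        "newsletter_primary": log.current(mia, "email", "mia.smith@example.com", "newsletter"),
        "newsletter_secondary": log.current(mia, "email", "m.smith@example.net", "newsletter"),
        "phone_never_asked": log.current(mia, "phone", "+32000000000", "newsletter"),
        "history_len": len(log.history(mia)),
        "delete": sorted(r.system for r in delete),
        "retain": [reason for _, reason in retain],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the slide's points: the log never updates or deletes an event, so the audit trail survives even after an opt-out, and the only key used to join systems is the CRM GUID, so an erasure plan can enumerate the warehouse and marketing copies that a CRM-only bulk delete would miss. Records under a hold are reported with their reason rather than silently skipped, which is what the DPO needs to answer the data subject.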
  10. Sample implementation – CRM data structure (diagram) S
  11. Auditing, monitoring, security and reporting
      GDPR requires:
      • Pro-active risk-based approach: "always monitoring" and "intelligent" breach detection and notification
      • Robust procedures for reporting breaches & processes for reviewing compliance
      • Compliance investigations will look at controls, monitoring, auditing and effective reporting
      • For hosted solutions: accountability & reporting on every person/entity with access to the data (full supply chain) J
      Auditing, monitoring and reporting – Dynamics 365 design options/considerations
      • Auditing functionality available on customer entities (contacts, leads, accounts, custom entities)
      • For CRM Online – Activity Log Management available
      • Document security mechanism incl. authentication & authorization
      • CRM data access security model: system and business roles
      • What about dev/test/acc/prod?
      • …
      • Transparent Data Encryption – change the key … and then back it up
        • For on premise – SQL Enterprise Edition required
      • Cloud vs on premise J
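The "always monitoring" and breach-detection requirement on this slide, as an added Python example. It is not from the deck, and the event format is not the real schema of the Dynamics 365 audit log or of Activity Log Management exports: the field names (`ts`, `user`, `op`, `entity`, `count`), the operation names, the thresholds and the sample events are all constructed. The rule watches per-user read volume on personal-data entities in a sliding window and raises every bulk export, producing findings a Data Protection Officer can triage inside the 72-hour notification clock.

```python
"""Monitoring rule over constructed audit events for personal-data entities.

Added example, not from the slide deck and not the real schema of the Dynamics
365 audit log or of Activity Log Management exports. It shows the kind of
"always monitoring" check the slide calls for: per-user read volume on PII
entities in a sliding window, plus every bulk export, raised as findings the
Data Protection Officer can triage inside the 72-hour notification clock.
Field names, thresholds and the sample events are all constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple
import json

# Constructed sample: one JSON object per line, deliberately out of order.
SAMPLE_EVENTS = """\
{"ts": "2018-05-24T08:02:00", "user": "alice", "op": "Retrieve", "entity": "contact", "count": 1}
{"ts": "2018-05-24T08:03:10", "user": "alice", "op": "RetrieveMultiple", "entity": "contact", "count": 50}
{"ts": "2018-05-24T08:04:00", "user": "bob", "op": "Retrieve", "entity": "account", "count": 1}
{"ts": "2018-05-24T08:06:00", "user": "alice", "op": "RetrieveMultiple", "entity": "contact", "count": 3000}
{"ts": "2018-05-24T08:05:30", "user": "alice", "op": "RetrieveMultiple", "entity": "contact", "count": 2000}
{"ts": "2018-05-24T09:30:00", "user": "carol", "op": "ExportToExcel", "entity": "lead", "count": 400}
{"ts": "2018-05-24T12:00:00", "user": "alice", "op": "Retrieve", "entity": "contact", "count": 1}
{"ts": "2018-05-24T12:01:00", "user": "dave", "op": "Retrieve", "entity": "product", "count": 5000}
"""

# Entities that hold personal data per the classification slide (constructed list).
PII_ENTITIES = {"contact", "lead", "account"}


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str
    at: datetime


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines audit events and order them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], window: timedelta = timedelta(minutes=10),
           max_records: int = 1000) -> List[Finding]:
    """Flag bulk exports and any user reading more than max_records PII rows in a window."""
    findings: List[Finding] = []
    recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
    totals: Dict[str, int] = defaultdict(int)
    alerted: Set[str] = set()   # one volume finding per user until the window drains
    for e in events:
        if e["entity"] not in PII_ENTITIES:
            continue   # product catalogue reads are not a personal-data concern
        user, ts, count = e["user"], e["ts"], e["count"]
        if e["op"] == "ExportToExcel":
            findings.append(Finding(user, "bulk_export",
                                    f"{count} {e['entity']} rows exported", ts))
        # Drop reads that fell out of the window, then add the current one.
        queue = recent[user]
        while queue and ts - queue[0][0] > window:
            totals[user] -= queue.popleft()[1]
        if totals[user] <= max_records:
            alerted.discard(user)
        queue.append((ts, count))
        totals[user] += count
        if totals[user] > max_records and user not in alerted:
            findings.append(Finding(user, "read_volume",
                                    f"{totals[user]} PII rows in {window}", ts))
            alerted.add(user)
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.at:%H:%M:%S} {f.user:6} {f.rule:12} {f.detail}")
```

The volume rule fires once when a user crosses the threshold and re-arms only after their reads age out of the window, so a single large query does not flood the queue with repeats; the export rule fires on every event, since each export is a separate copy of personal data leaving the system and ties back to the "limit/remove data export privileges" advice on slide 7. On the constructed sample it reports alice's 2051 contact rows read within ten minutes and carol's export of 400 lead rows, and ignores dave's large read of a non-PII entity.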
  12. Governance – Dynamics 365 design options/considerations
      What are the existing policies, roles & responsibilities (shared responsibility of controller and processor)?
      Dynamics 365 for Customer Service can help the Data Privacy Office/Officer:
      • Manage the requests and respect SLAs
      • Find all pertaining information (as most/all of it is in CRM, and/or the primary links are)
      • Communicate the information to the parties (notification obligation)
      Some examples of case business flows:
      • Data breach information (72h delay)
      • Right to delete
      • Right to information
      • Right to rectification
      • Right to portability
      • Right to object
      • Manual requests for opt-out
      • … S
  13. References
      • https://www.microsoft.com/en-us/trustcenter/cloudservices/dynamics365
      • http://www.mohamedmostafa.co.uk/blog/category/gdpr/
      • http://jopx.blogspot.be/2018/04/update-on-activity-log-management-for.html
      • https://technet.microsoft.com/en-us/library/jj134930.aspx (Dynamics 365 security and compliance planning guide)
      • https://docs.microsoft.com/en-us/dynamics365/customer-engagement/portals/implement-gdpr
      • https://www.eugdpr.org/
      • https://docs.microsoft.com/en-us/dynamics365/get-started/gdpr/ S
