GDPR is one of the biggest changes in European Union (EU) privacy law in about two decades and it will go in effect on May 25th of this year. It will impose a set of new rules and policies and will affect Dynamics CRM/365 deployment. In this session we will get the Waldorf and Statler perspective: "Dynamics 365 and GDPR: boo! It was terrible. Well it isn't that bad. Oh yeah? Well it works good actually. It is great! More! More!"
GDPR and Dynamics 365 - the Waldorf and Statler perspective
1. 5/3/2018
1
GDPR and Dynamics 365 – the
Waldorf and Statler
perspective
Joris Poelmans, Realdolmen, @jopxtwits
Stephane Dorrekens, Business Elements, @stephanedujour
Interactive session:
• GDPR introduction & basics
• Impact on Dynamics 365
• Real life examples
Remarks:
• Share your feedback
• No simple answers
• Inspired by sessions from @MimCRM (Mohamed Mostafa CRM MVP)
• Not an exclusive list of considerations or solution design approaches
• Disclaimer: no warranty!
J
2. 5/3/2018
2
EU launched Data
Protection Directive
back in 1995
When <1% of EU
citizens accessed
the internet
J
Things are about to change …
• Extension of existing privacy practices
• Enforcement of regulation vs recommendations &
guidelines
J
3. 5/3/2018
3
New Framework: GDPR
Into effect on May 25th 2018
Modernize the obsolete 95 directive
Create a unified EU law to replace the
current haywire of inconsistent
framework
Applies both to processors and
controllers
Administrative sanctions – up to 20
mio EUR or 4% of yearly turnover
J
Data processing must comply with 6 GDPR
principles
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Retention
4. Integrity and confidentiality
5. Data minimization
6. Accuracy
J
“the controller shall be responsible
for, and be able to demonstrate,
compliance with the principles”
4. 5/3/2018
4
What is processing?
S
Key changes in GDPR
• Single set of rules across EU – territorial scope
• One stop shop
• New right for individuals:
• Subject consent expands
• Insight into data
• Right to be forgotten
• Extra accountability and responsibility for data controllers
• Data portability
• Data breach notification
• Data Protection Impact Assessments
• Appointing a Data Protection Officer
• Higher sanctions (€€€)
S
5. 5/3/2018
5
Impacted areas in Dynamics 365
Data classification
(PII and sensitive
data)
Consent and data
access controls
Auditing,
monitoring,
security and
reporting
Governance
S
Impacted areas in Dynamics 365
Data classification
(PII and sensitive
data)
Consent and data
access controls
Auditing,
monitoring,
security and
reporting
Governance
J
6. 5/3/2018
6
Data classification – PII and sensitive data
Factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity (hobbies and leisure, …)
Name, address,email, date of birth
Identification number (e.g. RRN)
Location data (address, GPS/geolocation)
Online identifiers (IP addresses, cookies, …)
J
Sensitive: racial or ethnic origin, political opinions, religious or
philosophical beliefs, genetic or biometric data, health data, union
membership, sexual orientation, etc …
Data classification – challenge of
duplicate/incomplete customer records
J
Mia Smith
m.smith@hotmail.com
Ms. Smith
mia.smith@gmail.com
Ms. Mia Smith
mia.smith@gmail.com
25/5/1992
003277979794
7. 5/3/2018
7
Data classification – deduplication using
machine learning
• Video- https://www.tamr.com/video/tamr-helping-toyota-motor-europe-create-connected-
seamless-customer-experience/
J
Data classification –
Dynamics 365 design options/considerations
• The 5 Ws of personal data
• Use multiple forms: minimum & full, separate non-sensitive and
sensitive data, apply field level security
• Limit/remove data export privileges
• Security roles, access teams, field level security, business units
• Consider storing sensitive data in data warehouse for
aggregate reporting only
• Run regular “Bulk delete” jobs to satisfy your data retention
policies (taking into account interactions/transactions)
• What about file and email attachments?
J
8. 5/3/2018
8
Impacted areas in Dynamics 365
Data classification
(PII and sensitive
data)
Consent and data
access controls
Auditing,
monitoring,
security and
reporting
Governance
S
Consent and data access controls
S
9. 5/3/2018
9
Consent and data access controls–
Dynamics 365 design options/considerations
• Capture consent information in CRM
• Web Site (CRM Portal, Customer Web Sites,..)
• Landing Pages (Dynamics Marketing, Click Dimensions, Adobe,..)
• Self Service Portals (ie: Myxxxx)
• Internal Systems (ie: DWH, Mainframe, etc..)
• NB: For GDPR - consent is not per person but by contact point per usage/purpose (ie: email, phone, etc.)
• Use consent information in CRM
• Outbound integration with Digital Marketing Tools
• Outbound integration with Call Centers
• OOB Campaign Activity
• NB: CRM OOB Usage is per contact/lead not contact point
S
Consent and data access controls–
Dynamics 365 design options/considerations
• Consent Audit Log
• Not sufficient if records can be deleted -> No delete
• Optin vs Optout
• Right to be forgotten, portability & access own data
• Properly identify the person (see Governance)
• It’s easier to delete data for non customers but easier to identify customers
• Use a Unique identifier to find all related data in all systems (ie: CRM GUID is good option)
• Not all data CAN be deleted as some are needed for operational or legal archiving
• Bulk Delete is often not enough, think about other data retentions systems (DHW, BI, Backups,
Excel, etc..)
S
11. 5/3/2018
11
Auditing, monitoring, security and reporting
GDPR requires:
• Pro-active risk based approach: “Always monitoring” and
“Intelligent” breach detection and notification
• Robust procedures for reporting breaches & processes for
reviewing compliance
• Compliance investigations will look at controls, monitoring,
auditing and effective reporting
• For hosted solutions : accountability & reporting on every
person/entity with access to the data (full supply chain)
J
Auditing, monitoring and reporting
Dynamics 365 design options/considerations
• Auditing functionality available on customer entities (contacts, leads,
accounts,custom entities)
• For CRM Online –Activity Log Management available
• Document security mechanism incl. authentication & authorization
• CRM data access security model: system and business roles
• What about dev/test/acc/prod?
• …
• Transparent Data Encryption – change key … and then back it up
• For on premise – SQL Enterprise Edition required
• Cloud vs on premise
J
12. 5/3/2018
12
Impacted areas in Dynamics 365
Data classification
(PII and sensitive
data)
Consent and data
access controls
Auditing,
monitoring,
security and
reporting
Governance
S
Governance
Dynamics 365 design options/considerations
What are existing policies, roles & responsibilities (shared responsibility controller and processor)
Dynamics 365 for Customer Services can help the Data Privacy Office/Officer
• Manage the requests and respects SLA’s.
• Find all pertaining information (as most/all is in CRM and/or the primary links are)
• Communicate the information to the parties (Notification Obligation)
Some Examples of Case Business Flows
Data Breach Information (72h delay)
Right to delete
Right for information
Right for rectification
Right for portability
Right to object
Manual Requests for Optout
…
S