The information in this section is designed to help both compliance professionals and IT implementers understand how Microsoft Dynamics 365 can assist you in discovering, managing, and protecting your data in the cloud, and compiling the necessary reports and documentation to help meet General Data Protection Regulation (GDPR) compliance requirements.
Compliance is an on-going process and a shared responsibility. Dynamics 365 offers a powerful set of tools and provides extensive documentation on how to use them to make the process easier. Microsoft is investing in additional features and functionality to help organizations with GDPR compliance.
Whether you’re a compliance officer, a decision-maker considering Dynamics 365 as a cloud solution, a current Dynamics administrator seeking help with a specific GDPR-compliant implementation, or an interested party looking for general information on how the GDPR relates to Dynamics 365 and cloud computing, the information here can provide you with a starting point to get what you need.
Every journey needs a roadmap. Your roadmap to GDPR compliance begins with focusing on four key steps, and Microsoft Dynamics 365 provides robust tools and solutions for tackling each step. Learn more about how Microsoft products and services can help you on the road to GDPR compliance.
Assess your organization
The first step towards GDPR compliance is to assess whether the GDPR applies to your organization, and, if so, what data under your control is subject to the GDPR. This analysis includes understanding what data you have and where it resides. Adopting a classification scheme that applies throughout your organization helps you respond to data subject requests because it allows you to more quickly identify and process personal data requests.
Microsoft Dynamics 365 and related tools help you discover and classify personal data. Within Dynamics 365 you can search for and identify personal data with:
- Quick Find and Advanced Find
- Relevance Search
- The Dynamics 365 Web API
Take advantage of tools
The GDPR provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Managing access and controlling how data is used and accessed are fundamental to GDPR compliance. Dynamics 365 provides capabilities to authenticate users and govern access to personal data. Organizations can:
- Display custom privacy notices and request and obtain consent for processing activities.
- Rectify inaccurate or incomplete personal data using a variety of methods.
- Evaluate whether a deletion request meets the GDPR requirements for erasing personal data, and delete the data when it does.
- Meet data subject portability requests by using Dynamics 365 data export capabilities.
To identify a data subject and the records related to them, the organization can use Advanced Find or query the Web API directly.
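The discovery and portability steps above can be scripted against the Dynamics 365 Web API (OData v4). The following is an added example, not Microsoft's code or part of the original page: it builds `$select`/`$filter` queries per table, follows `@odata.nextLink` paging, and bundles every hit into a JSON document that can be handed to the data subject. The organization URL, the bearer token, and the table and column names in `SUBJECT_TABLES` are assumptions; `fake_get_json` is a constructed stand-in for the service so the script runs offline. Note that the query value is quoted through `odata_literal`, which doubles embedded single quotes so that a user-supplied identifier cannot break out of the filter literal and append its own terms.

```python
"""Locate a data subject's records across Dynamics 365 tables and bundle them
for a portability request. Added example; not Microsoft's code."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Assumed: entity sets to sweep and the columns to return. Every column listed
# must exist on that table in your environment and be matched by emailaddress1.
SUBJECT_TABLES: Dict[str, List[str]] = {
    "contacts": ["contactid", "fullname", "emailaddress1", "telephone1"],
    "leads": ["leadid", "fullname", "emailaddress1"],
    "accounts": ["accountid", "name", "emailaddress1"],
}


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter; a single quote inside the value is
    doubled so the literal cannot be terminated by the caller's input."""
    return "'" + value.replace("'", "''") + "'"


def build_query(org_url: str, entity_set: str, columns: List[str], email: str) -> str:
    """GET <org>/api/data/v9.2/<entity_set>?$select=...&$filter=emailaddress1 eq '...'"""
    select = urllib.parse.quote(",".join(columns), safe=",")
    filt = urllib.parse.quote(f"emailaddress1 eq {odata_literal(email)}", safe="'()=")
    return f"{org_url.rstrip('/')}/api/data/v9.2/{entity_set}?$select={select}&$filter={filt}"


def fetch_all(url: str, get_json: Callable[[str], dict]) -> List[dict]:
    """Collect every page of a result set by following @odata.nextLink."""
    rows: List[dict] = []
    while url:
        page = get_json(url)
        rows.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rows


def http_get_json(token: str) -> Callable[[str], dict]:
    """Real transport: the headers the Web API expects plus a Bearer token
    obtained from Azure AD (assumed to be acquired elsewhere)."""
    def get_json(url: str) -> dict:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/json",
            "OData-MaxVersion": "4.0",
            "OData-Version": "4.0",
            "Prefer": "odata.maxpagesize=500",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get_json


def locate_subject(org_url: str, email: str, get_json: Callable[[str], dict]) -> Dict[str, List[dict]]:
    """Return {entity_set: [records]} for every table in SUBJECT_TABLES, with
    OData annotations (@odata.etag, ...) stripped from each record."""
    found: Dict[str, List[dict]] = {}
    for entity_set, columns in SUBJECT_TABLES.items():
        rows = fetch_all(build_query(org_url, entity_set, columns, email), get_json)
        found[entity_set] = [{k: v for k, v in r.items() if not k.startswith("@")} for r in rows]
    return found


def portability_bundle(found: Dict[str, List[dict]]) -> str:
    """Serialize the hits as a machine-readable document for the data subject."""
    return json.dumps({"subject_records": found}, indent=2, sort_keys=True)


ORG = "https://contoso.crm.dynamics.com"  # assumed organization URL


def fake_get_json(url: str) -> dict:
    """Constructed stand-in for the service: two pages of contacts, one lead,
    no accounts. Replace with http_get_json(token) to run against a tenant."""
    if "contacts?page=2" in url:
        return {"value": [{"@odata.etag": 'W/"2"', "contactid": "c2", "fullname": "Alice Example",
                           "emailaddress1": "alice@example.com", "telephone1": "+1 555 0100"}]}
    if "/contacts?" in url:
        return {"value": [{"@odata.etag": 'W/"1"', "contactid": "c1", "fullname": "Alice Example",
                           "emailaddress1": "alice@example.com", "telephone1": None}],
                "@odata.nextLink": f"{ORG}/api/data/v9.2/contacts?page=2"}
    if "/leads?" in url:
        return {"value": [{"@odata.etag": 'W/"7"', "leadid": "l1", "fullname": "Alice Example",
                           "emailaddress1": "alice@example.com"}]}
    return {"value": []}


if __name__ == "__main__":
    hits = locate_subject(ORG, "alice@example.com", fake_get_json)
    print(portability_bundle(hits))
```

Swap `fake_get_json` for `http_get_json(token)` to run against a real environment; the query-building and paging logic is unchanged. Any additional tables holding personal data (custom tables, activities) are added by extending `SUBJECT_TABLES`.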
Discover built-in protection
Microsoft Dynamics 365 services are developed using the Microsoft Security Development Lifecycle, which incorporates privacy-by-design and privacy-by-default methodologies. Dynamics 365 and related tools can help you comply with GDPR data protection requirements by providing ways to secure and encrypt personal data at rest and in transit, detect and respond to data breaches, and facilitate regular testing of security measures. Dynamics 365 provides:
- Transport Layer Security (TLS), SQL Server cell-level encryption, and Transparent Data Encryption (TDE) to protect personal data in transit and at rest.
- Support for Azure Active Directory (AAD) to manage user identities.
- The ability to grant and restrict user access to personal data via security roles, field-level security, and hierarchy security.
- Dynamics 365 auditing to help detect data breaches by recording who accessed or changed which records, and when.
Tools to help keep detailed records
The GDPR sets new standards in transparency, accountability, and record-keeping. Organizations processing personal data will need to keep detailed records to be compliant. Dynamics 365 provides tools to help meet data reporting requirements. With Microsoft Dynamics 365, you can:
- Track and record changes to personal data using the audit functionality.
- Track and record processing activities relevant to a Data Protection Impact Assessment (DPIA) using audit capabilities.
The GDPR sets requirements regarding the flow of personal data into and out of the EU and to third-party service providers. Microsoft uses a regional datacenter strategy for Dynamics 365, which reduces exposure to unnecessary cross-border data transfers.
Microsoft offers contractual commitments for all of its enterprise cloud services, including Dynamics 365. The commitments include detailed data protection terms, the EU Model Clauses, and compliance with the EU-US Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Microsoft also maintains an inventory of third-party service providers who may have access to customer data and limits access to customer data by third parties.
Organizations that process personal data may be required to conduct Data Protection Impact Assessments (DPIAs). To help customers who are seeking information that may help them perform a DPIA addressing their use of Dynamics 365, Microsoft provides detailed information about its processing of customer data and the security measures used to protect that data.