On May 25, 2018, the General Data Protection Regulation (GDPR) comes into effect. The GDPR is an EU regulation, directly binding in all member states, whose purpose is to protect personal data and to set new standards for the right to privacy and for data security. It sets out privacy requirements governing how organizations must manage and protect personal data while respecting individual preferences, no matter where the data is collected, processed, or stored.
The regulation supersedes Directive 95/46/EC and applies to every company that processes the personal data of individuals in the EU, regardless of where the company is located.
The GDPR applies both to Data Controllers and to Data Processors (e.g. web hosting service providers). It introduces the obligation to notify the supervisory authority of a personal data breach within 72 hours, and a company that fails to comply can be fined up to 4% of its annual worldwide turnover or 20 million euros, whichever is higher.
The decision to adopt the GDPR results from deep differences in how EU member states implemented the previous directive, which caused numerous administrative and legal inconsistencies. The need to update the existing rules was also driven by rapid technological change: social media, cloud computing, mobile and geolocation services.
The General Data Protection Regulation imposes several obligations on how businesses collect and manage data. The key GDPR elements the Data Controller has to take into account, regardless of the type of organization, include:
Stricter data protection in the European Union that gives individuals the right to access their personal data, to have inaccurate data corrected, to have their personal data erased upon request, and to object to the processing and transfer of their personal data;
The obligation for companies and public bodies that process data to keep records that document how the GDPR requirements have been implemented and who in the organization is responsible for them;
The obligation to report personal data breaches to the supervisory authority without undue delay and not later than 72 hours after becoming aware of them;
Stricter sanctions, including severe fines, for an organization that does not comply with the regulation, whether intentionally or through negligence.
The GDPR is expected to have a significant impact on organizations as it requires them to update personal privacy policies, implement control and reporting tools for personal data protection and infringement, deploy highly transparent policies, and further invest in IT and training.
Each organization that processes data is obliged to implement an effective policy for managing both structured and unstructured data.
Personal Data Management Solution has been designed for Microsoft Dynamics NAV to speed up personal data searches and enable data anonymization and portability.
When preparing for the GDPR, each company should carry out a detailed audit of the personal data it holds, considering two groups of data:
Data collected in databases such as the Microsoft Dynamics NAV system, which provide appropriate storage and protection;
Data stored in electronic mail, in files on disk drives, personal computers, USB drives, mobile phones and other media, for which data protection requirements have not been met and where the storage method itself may lead to an infringement.
Given the complexity and the number of tasks involved, it is recommended to start preparing for the GDPR before it becomes effective.
Therefore, privacy and data management practices that your company has been using so far should be reviewed now. In this document, we have focused on how Dynamics NAV, enhanced with Personal Data Management Solution, can support compliance with the GDPR.
Personal Data Management Solution is an add-on module for Microsoft Dynamics NAV that has been designed to fulfill the requirements of the GDPR. It is a set of functions that support Data Controllers, enabling them to control how the obligations have been implemented in the scope of:
Right to be forgotten,
Right to access data,
Right to data portability.
Personal Data Management Solution is an end-to-end solution; however, successful implementation of the GDPR also requires companies to follow consistent standards and practices and to be able to demonstrate how they do so.
When getting ready for GDPR implementation, each organization should ensure that its internal policies and processes have been adapted to fulfill the obligations under the GDPR. Personal Data Management Solution is a tool that supports Data Controllers in data management activities.
One of the most important GDPR requirements is to define permission sets for system users so that each user can access only the data relevant to his or her role in the organization (the principle of least privilege). Assigning user permissions and enforcing individual credentials is the next requirement.
In all its modules, Microsoft Dynamics NAV ensures:
Microsoft Dynamics NAV offers features for registering consents the company obtains from its customers for its sales and marketing activities to comply with the GDPR.
The system supports the registration of the following data items:
Each consent can be cancelled at any time. After the consent is cancelled, the system will still store:
The GDPR entitles each data subject to have his or her data erased (the right to be forgotten). Under the new rules, a data subject can require the Data Controller to erase his or her data without undue delay.
Where the Data Controller has made the data public, the right to be forgotten also lets the data subject demand that the controller take reasonable measures to inform other Data Controllers processing the data about the erasure request.
The Data Controller is obliged to put in place the technical and organizational measures that enable the company to erase data. The GDPR requires data to be erased from locations such as servers, electronic mail, data carriers, Excel and Word files, external and portable disks. It has to be erased from all backup copies and logs. This obligation also applies to printed copies.
The Data Controller is also obliged to instruct its data processors, such as vendors or marketing automation service providers, to erase the data.
The obligation to erase data becomes effective, if:
With its default setup, the solution enables the user to browse Microsoft Dynamics NAV to check whether it contains any personal data to be erased. In addition, it analyses the data to identify what can be forgotten and keeps a record of the forgotten data. The solution enables the user to:
After the Search action is run for a selected master table and its related tables, the search covers the fields that have been selected in the setup.
If the search string is found in any field, the system displays a dialog box asking whether the data should be deleted. After the user confirms, the data is deleted from the selected fields in the master and related tables.
When searching for the data selected in the module setup under "Date Constraint Fields", the system browses entries in the master table and related tables.
For each card (an entry in the master table), the system identifies the last date after which the entry may be deleted (e.g. the date of the last transaction with a vendor). If the user has selected a card to be forgotten, the system checks whether the archiving period defined in the setup has passed since that date (e.g. for a Customer, five years since the last transaction). If it has not, the data cannot be forgotten or deleted.
If the data cannot be forgotten because of the archiving period set up for the master table, the system displays a message to that effect. Once the obligatory archiving period defined for the master table has expired, the Erase Data action can be run.
Each erasure is recorded in the Personal Data Erasure Register. The register lists all entries created with the Erase Data action.
For each register entry, it is possible to display a detailed list of the tables and fields from which data has been erased. The information in the listed entries can be printed as a report.
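The search, archiving-period check and erasure register described above, written out as a runnable model. This is an added example, not code from the Personal Data Management Solution or from Microsoft Dynamics NAV: the table and field names, the relation field, the five-year archiving period, the sample rows and the `*ERASED*` replacement value are all assumptions chosen for the example. Personal-data fields are overwritten rather than whole rows deleted, so the financial entries that the archiving period exists to preserve stay intact while nothing identifying remains.

```python
# Right-to-be-forgotten workflow: search, archiving-period check, erasure,
# register.  Tables are lists of dicts standing in for NAV tables; every
# name and value below is constructed for this example.
from datetime import date

ERASED = "*ERASED*"            # value written over personal-data fields
AS_OF = date(2018, 5, 25)      # "today" for the example: the GDPR start date

# Constructed sample data: one master table and two related tables.
TABLES = {
    "Customer": [
        {"No.": "C0001", "Name": "Jane Kowalski", "E-Mail": "jane@example.com"},
        {"No.": "C0002", "Name": "Acme Sp. z o.o.", "E-Mail": "office@acme.example"},
    ],
    "Cust. Ledger Entry": [
        {"Customer No.": "C0001", "Posting Date": date(2011, 3, 1), "Description": "Invoice Jane Kowalski", "Amount": 120.0},
        {"Customer No.": "C0001", "Posting Date": date(2012, 6, 30), "Description": "Payment Jane Kowalski", "Amount": -120.0},
        {"Customer No.": "C0002", "Posting Date": date(2017, 12, 1), "Description": "Invoice Acme", "Amount": 990.0},
    ],
    "Contact": [
        {"No.": "CT001", "Customer No.": "C0001", "Name": "Jane Kowalski", "E-Mail": "jane@example.com"},
    ],
}

# Module setup (assumed layout): fields to search and erase per table, how
# related tables link to the master card, the date-constraint field that
# marks the last activity, and the archiving period that gates erasure.
SETUP = {
    "master_table": "Customer",
    "master_key": "No.",
    "relation_field": "Customer No.",
    "search_fields": {
        "Customer": ["Name", "E-Mail"],
        "Cust. Ledger Entry": ["Description"],
        "Contact": ["Name", "E-Mail"],
    },
    "date_constraint_field": ("Cust. Ledger Entry", "Posting Date"),
    "archiving_years": 5,
}

ERASURE_REGISTER = []          # the Personal Data Erasure Register


def search(tables, setup, needle):
    """Search action: (table, row index, field) for every configured field
    whose value contains `needle`, case-insensitively."""
    needle = needle.casefold()
    return [(table, idx, fld)
            for table, fields in setup["search_fields"].items()
            for idx, row in enumerate(tables[table])
            for fld in fields
            if needle in str(row.get(fld, "")).casefold()]


def rows_of_card(tables, setup, table, card_no):
    """Rows of `table` that belong to the master card `card_no`."""
    key = setup["master_key"] if table == setup["master_table"] else setup["relation_field"]
    return [row for row in tables[table] if row.get(key) == card_no]


def last_activity_date(tables, setup, card_no):
    """Latest date-constraint value for the card, or None if it has none."""
    table, fld = setup["date_constraint_field"]
    dates = [row[fld] for row in rows_of_card(tables, setup, table, card_no)]
    return max(dates) if dates else None


def erasure_allowed_from(tables, setup, card_no):
    """First date on which the card's archiving period has expired
    (None: no archived activity, so erasure is possible at once)."""
    last = last_activity_date(tables, setup, card_no)
    if last is None:
        return None
    try:
        return last.replace(year=last.year + setup["archiving_years"])
    except ValueError:          # 29 February landing in a non-leap year
        return last.replace(year=last.year + setup["archiving_years"], day=28)


def erase_data(tables, setup, register, card_no, today=AS_OF):
    """Erase Data action: refuse while the archiving period is running;
    otherwise overwrite the configured fields of the card and its related
    rows (amounts and dates stay intact) and record the result."""
    allowed_from = erasure_allowed_from(tables, setup, card_no)
    if allowed_from is not None and today < allowed_from:
        raise PermissionError(f"{card_no}: archiving period has not expired, "
                              f"erasure possible from {allowed_from}")
    details = []                # (table, field, rows overwritten)
    for table, fields in setup["search_fields"].items():
        rows = rows_of_card(tables, setup, table, card_no)
        for fld in fields:
            n = 0
            for row in rows:
                if fld in row and row[fld] != ERASED:
                    row[fld] = ERASED
                    n += 1
            if n:
                details.append((table, fld, n))
    entry = {"Entry No.": len(register) + 1, "Card No.": card_no,
             "Erased On": today, "Details": details}
    register.append(entry)
    return entry
```

With the sample data, `erase_data(TABLES, SETUP, ERASURE_REGISTER, "C0002")` is refused because the last posting (1 December 2017) plus five years has not passed, while `"C0001"` (last posting June 2012) is erased and the register entry lists `("Cust. Ledger Entry", "Description", 2)` among the overwritten fields. The two checks worth keeping in a real implementation are that the gate is computed from the related table's dates rather than from a flag on the card, and that the register records which fields were touched so the erasure can be evidenced later.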
The General Data Protection Regulation ensures that each data subject can have access to his/her data that is processed by a company. The request for access can include:
Each data subject who submits a request for access to his or her data should be informed of the right to rectify and erase data, to restrict or object to processing, to lodge a complaint with a supervisory authority, and to obtain information about the sources of the data. The data subject should also be informed about any automated decision-making, including profiling.
Each data subject is entitled to obtain direct access to the data, and the Data Controller is obliged to provide a free copy of the data being processed, in writing or electronically. If the data subject requests further copies, the Data Controller can charge a reasonable fee based on administrative costs.
All data provided should be carefully selected, because the right to obtain a copy must not adversely affect the rights and freedoms of others. The Data Controller is obliged to verify that the data provided meets this requirement: it should not contain the data of other persons and should not infringe any trade secret or intellectual property, in particular software copyrights.
Personal Data Management Solution supports the right to access data by enabling the user to run effective data searches, identify the purpose of processing, correct or erase the data, and restrict its processing.
The solution enables the user to:
When implementing the right to access personal data and to information about where it is stored within the system, the Data Controller can search through the tables in the Investigate window, which displays a line for each table in which personal data has been found.
From the list of tables that contain the data subject's personal data, the data can be corrected manually by drilling down into the relevant tables (the locations within the system). From the Investigate window, it is also possible to display a log of the changes made while processing the data subject's data.
The system offers features for registering the consents the company obtains from its customers for its sales and marketing activities. The features comply with the GDPR, ensuring that customers have the right to withdraw or limit their consents at any time.
Dynamics NAV provides an overview of data for the requester.
The Change Log Entries window contains detailed information such as:
Each person whose data is to be processed by a company is entitled to require:
The right to data portability applies only to data held in IT systems (i.e. processed by automated means). Personal data to be transferred includes pseudonymized data.
If Data Controllers process information that contains the data of several persons, they should not interpret the concept of the data subject too narrowly. Such data should be treated as information belonging to the requester, who is entitled to receive it.
For example, information registered in telephone call logs and bank transfers is not limited to the requester's own data. Nevertheless, the requester should be entitled to receive all of it as the subscriber or the transfer sender. If the personal data transferred relates to third parties, the new Data Controller must not process that data for its own purposes. The Data Controller must also not transfer data that is excessive for the new processing purposes.
The right of data portability does not directly entail the right to be forgotten.
The previous Data Controller will not have to erase data automatically, unless explicitly requested by a data subject.
The right does not apply to the so called inferred data and derived data such as algorithm results.
Personal Data Management Solution fulfills the right to data portability and ensures that data can be provided to a requester in a structured format such as XML, CSV or in a printed form.
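A structured export of the kind described above, as an added example that is not taken from the Personal Data Management Solution: it keeps only the fields classified in a setup table as provided by, or generated through the activity of, the data subject, leaves out derived data such as a credit rating (the inferred and derived data excluded above), and serializes the result as CSV and XML. The sample rows, the field names and the `PORTABLE_FIELDS` classification are constructed for the example.

```python
# Data portability export: filter a subject's records down to portable
# fields, then emit CSV and XML.  All names below are constructed.
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: the requester's rows, already located in the system
# (for instance through an Investigate-style search).
SUBJECT_DATA = {
    "Customer": [
        {"No.": "C0001", "Name": "Jane Kowalski", "E-Mail": "jane@example.com",
         "Credit Rating": "B"},          # derived by the company, not portable
    ],
    "Cust. Ledger Entry": [
        {"Customer No.": "C0001", "Posting Date": "2012-06-30", "Amount": "-120.00",
         "Risk Score": "0.12"},          # inferred, not portable
    ],
}

# Assumed setup table: per table, the fields the data subject provided or
# generated by using the service.  Anything not listed (ratings, scores,
# segmentation) is derived data and is left out of the export.
PORTABLE_FIELDS = {
    "Customer": ["No.", "Name", "E-Mail"],
    "Cust. Ledger Entry": ["Customer No.", "Posting Date", "Amount"],
}


def portable_dataset(subject_data, portable_fields):
    """Keep only the portable fields of each row, in the configured order;
    tables with no classification are exported empty rather than in full."""
    out = {}
    for table, rows in subject_data.items():
        fields = portable_fields.get(table, [])
        out[table] = [{f: row.get(f, "") for f in fields} for row in rows]
    return out


def to_csv(dataset):
    """One CSV section per table: a '# <table>' marker line, a header row,
    then the rows.  csv handles quoting of commas and quotes in values."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for table, rows in dataset.items():
        if not rows:
            continue
        writer.writerow([f"# {table}"])
        writer.writerow(list(rows[0].keys()))
        for row in rows:
            writer.writerow(list(row.values()))
    return buf.getvalue()


def to_xml(dataset, subject_no):
    """<PersonalData> with one <Record table=...> per row.  Field names go in
    a 'name' attribute because names such as "E-Mail" and "No." are not
    valid XML element names; ElementTree escapes values for us."""
    root = ET.Element("PersonalData", {"subject": subject_no})
    for table, rows in dataset.items():
        for row in rows:
            rec = ET.SubElement(root, "Record", {"table": table})
            for name, value in row.items():
                ET.SubElement(rec, "Field", {"name": name}).text = str(value)
    return ET.tostring(root, encoding="unicode")
```

The classification table is the part that matters for compliance: the export is driven by an allow-list of portable fields, so a newly added derived column is excluded by default instead of leaking into the file handed to the requester.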
Personal Data Management Solution is an end-to-end module that supports companies in the proper management of personal data; however, on its own it is not sufficient to implement the GDPR. Successful implementation also requires companies to follow consistent standards and practices and to be able to demonstrate how they do so, which in turn means updated privacy policies, control and reporting tools for personal data protection and breaches, transparent processes, and further investment in IT and training.
This document contains IT.integro's interpretation of the GDPR as of the date of its publication. It should not be treated as legal advice or as guidance on how the GDPR might apply to a particular organization. We encourage you to consult a legally qualified professional to determine how the GDPR applies specifically to your organization and how best to ensure compliance once it is in force.
IT.integro makes no warranties (express, implied, or statutory) as to the information in this document. The information and views expressed here, in writing, on the website or in other online resources, may change without notice.