Personal Data Management Solution

Implementation of the GDPR with Microsoft Dynamics NAV

Introduction to the General Data Protection Regulation (GDPR)

On May 25, 2018, the General Data Protection Regulation (GDPR) comes into effect. The GDPR is a legal act binding in Europe the purpose of which is to ensure data privacy and security, as well as to establish new standards in the scope of the right to privacy and data security. The GDPR sets forth privacy requirements governing how organizations should manage and protect personal data while respecting individual preferences — no matter where data is collected, processed, or stored.

 

The regulation supersedes Directive 95/46/EG and shall be applicable for all companies that process personal data of EU citizens, regardless of the company’s location.

The GDPR is applicable both for Data Controllers and Data Processors (i.e web hosting service providers). The regulation introduces the obligation to notify of any legal infringement within 72 hours, and in the case of companies that have not complied with the GDPR, the fine can amount to 4% of their annual revenue or 20 million euros, whichever is higher.

 

The decision to enforce the General Data Protection Regulation (GDPR) is a result of deep implementation differences between EU member states that have caused multiple inconsistencies in terms of administrative and legal issues. The need to update the existing regulation is also triggered by the rapid technological growth encompassing social media, cloud-computing, mobile and geolocation services.

RODO
RODO

Obligations imposed on entrepreneurs

The General Data Protection Regulation imposes several
obligations related to the methods for collecting and managing data by entrepreneurs. The key GDPR elements the Data Controller has to take into account regardless of the type of the organization, include:

Enhanced requirements for personal data protection

Stricter data protection in the European Union that ensures that individuals have the right to: access their personal data, correct data inaccuracies, have their personal data erased upon request, object to the processing and transferring of their personal data;

Stricter requirements for personal data protection

The obligation for companies and public organizations that process data to provide reports that ensure a better overview on how the GDPR requirements have been implemented by delegated individuals;

The obligation to notify of an infringement of personal data

Companies are obliged to immediately submit personal data infringements to relevant authorities not later than within 72 hours;

Substantial penalties for non-compliance

Stricter sanctions that include severe fines to be applied if an organization does not comply with the regulations intentionally or unintentionally.

The GDPR is expected to have a significant impact on organizations as it requires them to update personal privacy policies, implement control and reporting tools for personal data protection and infringement, deploy highly transparent policies, and further invest in IT and training.

Personal Data Management Solution

Each organization within which data is processed is obliged to implement an effective policy for the management of structured and non-structured data.

 

Personal Data Management Solution has been designed for Microsoft Dynamics NAV to speed up personal data searches and enable data anonymization and portability.

RODO
RODO

Structured and non-structured data

When preparing for the implementation of the GDPR, each company should carry out a detailed audit of personal data it possesses, taking into account two groups of data:

Structured data

Collected within various types of databases such as the Microsoft Dynamics NAV system that ensure appropriate data storage and protection;

Non-structured data

Any type of data stored in electronic mail, files available on disc drives, personal computers, pen-drives, mobile phones and other carriers for which data protection requirements have not been fulfilled and the storage method used may result in infringement.

Implementation of the GDPR with ERP system

Personal Data Management Solution

Implementation of the GDPR in Microsoft Dynamics NAV

Taking into account the complexity and large number of tasks to cope with, it is recommend to start preparations for the GDPR before it becomes effective.
Therefore, privacy and data management practices that your company has been using so far should be reviewed now. In this document, we have focused on how Dynamics NAV, enhanced with Personal Data Management Solution, can support compliance with the GDPR.

 

Personal Data Management Solution is an add-on module for Microsoft Dynamics NAV that has been designed to fulfill the requirements of the GDPR. It is a set of functions that support Data Controllers, enabling them to control how the obligations have been implemented in the scope of:

Right to be forgotten,

Right to access data,

Right to data portability.

Personal Data Management Solution is an end-to-end solution, however the successful implementation of the GDPR requires companies to comply with consistent standards and practices and prove their organizational skills.

When getting ready for GDPR implementation, each organization should ensure that its in-company policy and processes have been adopted to fulfill the obligations under the GDPR. Personal Data Management Solution is a tool that supports Data Controllers in data management activities.

User permissions in the ERP system

 

One of the most important issues that the GDPR requires is to define the types of permissions for system users and ensure that they have access to limited data relevant to their roles in the organization. Assigning user permissions and passwords is the following requirement.

 

In all its modules, Microsoft Dynamics NAV ensures:

  • Access to the system based on a unique user identifier and password;
  • Access to specific data based on the roles defined in the setup;

Registration of various consent types under the GDPR

Microsoft Dynamics NAV offers features for registering consents the company obtains from its customers for its sales and marketing activities to comply with the GDPR.

The system supports the registration of the following data items:

 

  • consent type
  • person registering the consent
  • consent date
  • date and ID of the user who has registered the consent; these data fields are filled in automatically
  • consent expiry date.

 

Each consent can be cancelled at any time. After the consent is cancelled, the system will still store:

  • consent cancellation date,
  • date and ID of the user who registered the cancellation; these data fields are filled in automatically,
  • cancellation type.

The implementation of the right to be forgotten with Personal Data Management Solution

Right to be forgotten (Right to erase data)

The GDPR entitles data subjects to have his or her data erased, ensuring the right to be forgotten at the same time. According to the new regulations, each data subject can require the Data Controller to immediately remove his/her data.

 

Owing to the right to be forgotten, it is possible to demand that the Data Controller should take every possible measure to notify other Data Controllers who process data of the request to erase this data.

 

The Data Controller is obliged to ensure proper technical and organizational means that will enable the company to erase data. In such a case, the GDPR imposes the obligation to erase data from such locations as servers, electronic mail, data carriers, Excel and Word files, external and portable discs. It has to be erased from all backup copies and logs. This obligation also applies to printed versions.

 

The administrator is obliged to inform data processors such as vendors or marketing automation service providers to erase data.

 

The obligation to erase data becomes effective, if:

 

  • the data is no longer necessary to perform intended objectives,
  • the entity has withdrawn its consent and no legal basis to continue the processing of the data exists,
  • the entity has raised its objection to having the entity’s data processed and no primary legally justified reason for processing exists,
  • the data has been processed illegally,
  • the data has to be removed to fulfill legal obligations that have been provided for by domestic or UE law.
  • the data has been collected in order to provide internet services to a child.

Personal Data Management Solution

 

With its default setup, the solution enables the user to browse Microsoft Dynamics NAV to check if it contains any personal data to be erased. In addition, it analyses data files to identify what can be forgotten and keeps record of the forgotten data. The solution enables the user to:

 

Browse the system, analyze and erase personal data

 

After clicking the Search action in a selected primary table and relation tables, the search is run for fields that have been selected in the setup.
If a search string is found in any field, the system displays a dialogue box with a question if the date should be deleted. After the user confirms the action, the data is deleted in the fields selected in the master and relational tables.

 

The possibility to define an obligatory data storage period

 

When searching for the data selected in the module setup in the “Date Constraints Fields”, the system browses entries in the master table and relational tables.

 

For each card (an entry in the master table), the system identifies the last date after which an entry can be deleted (e.g. the date of the last transaction with a vendor). If the user has selected a card to be forgotten, the system will check if sufficient time has passed since the date defined in the backup setup (e.g.  for a Customer, it is five years since the last transaction). If the period defined has not passed, it will not be possible to have data forgotten or deleted.

 

If it is not possible to have data forgotten because of the archiving period set up for a master table, the system will display a relevant message. If the period for obligatory archiving defined in the master table has expired, it will be possible to run the Erase Data action.

 

Maintaining the Personal Data Erasure Register

 

Each process of data archiving is recorded in the Personal Data Erasure Register. The register displays all entries that have been created with the Erase Data action.

 

For each of the entries in the register, it is possible display a detailed list of tables and fields where the data has been erased. Information included in the listed entries can be printed as a report.

The implementation of the right to access data with Personal Data Management Solution

Right to access data

The General Data Protection Regulation ensures that each data subject can have access to his/her data that is processed by a company. The request for access can include:

 

  • Purpose of processing
  • Personal data category
  • Information about data receivers and their categories
  • Period of data storage

 

Each data subject that submits a request for access to his or her data, should be notified of the right to correct and erase data, restrict or object data processing, right to lodge a complaint with a supervisory authority and obtain information about data sources. The data subject should be also informed about automated decision-making processes, including profiling.

 

Each data subject is entitled to obtain direct access to data and the Data Controller is obliged to provide a free copy of processed data in writing or electronically. If the data subject requests for another copy, the Data Controller can charge a fee the amount of which is reasonably justified and covers administrative costs.

 

All data provided should be carefully selected as the right to obtain a copy cannot have a negative impact on the right and freedom of other individuals. The Data Controller is obliged to validate if the data provided fulfills this requirement. The data should be selected carefully so that it does not contain the data of other entities and infringe any trade secret or intellectual property, in particular software copyrights.

Personal Data Management Solution fulfills the right to access data

 

Personal Data Management Solution fulfills the right to access data by enabling the user to run effective data searches, identify the purpose of processing, correct, erase it as well as restrict data processing

The solution enables the user to:

 

Access and analyze personal data in the system

 

When implementing the right to access personal data and information about data storage locations within the system, the Data Controller can search through the tables in the Investigate window that displays lines for the tables in which personal data has been found.

 

With the list of tables that contain personal data of the data subject, it is possible to correct the data manually by clicking and drilling down into relevant tables – locations within the system. From the Investigate window, it is also possible to display a log of changes made while processing the data of a data subject.

 
Possibility to restrict the processing of personal data

 

The system offers features for registering consents the company obtains from its customers for its sales and marketing activities. The features are compliant with the GDPR, ensuring that customers have right to withdraw or limit their consents at any time.

 

 

A detailed overview of actions performed in personal data processing

 

Dynamics NAV provides an overview of data for the requester.
The Change Log Entries window contains detailed information such as:

 

  • Date and Time – specifies the time when personal data was entered;
  • User ID – specifies the person that has made changes in personal data;
  • Table Label, Field Label – contains information in which table (window) and field data has been changed;
  • Change Type – specifies what type of change has been entered (e.g. modification)
  • Previous Value/Previous Value (local) – specifies the value in the field before the change was made
  • New Value/New Value (Local) – specifies the value in the field after the change has been made

The implementation of the right to data portability with Personal Data Management Solution

Right to data portability

Each person the data of which is to be processed by a company is entitled to require:

  • The provision of data in a structured, commonly-recognized, machine readable format such as XML, CSV and JSON;
  • The right to transfer data to another Data Controller;
  • The transfer of data from IT system of the Data Controller to another Data Controller if it is technically feasible.

 

The right to data portability refers only to data that can be accessed in IT systems (in an automated way). Personal data that is to be transferred includes pseudonymized data.

If Data Controllers process information that contains data of several persons, they should interpret the concept of data subjects too narrowly. Such data should be treated as information belonging to a requester.

For example, information registered in the logs of telephone calls and bank transfers is not limited to a requester’s data. However, the requester should be entitled to receive all data as the subscriber or transfer sender. If personal data transferred is related to third parties, the new Data Controller is forbidden to process the data for the controller’s own purposes. The Data Controller is also forbidden to transfer data that is excessive for the new processing purposes.

The right of data portability does not directly entail the right to be forgotten.

The previous Data Controller will not have to erase data automatically, unless explicitly requested by a data subject.

The right does not apply to the so called inferred data and derived data such as algorithm results.

Personal Data Management Solution fulfills the right to data portability

 

Personal Data Management Solution fulfills the right to data portability and ensures that data can be provided to a requester in a structured format such as XML, CSV or in a printed form.

Benefits for entrepreneurs

Streamlined communication with the customer

Effective management of personal data

Data search

Data anonymization

Data protected in compliance with the GDPR

Minimized risk of financial penalties

Data exported in a well-known format

Data portability

Access Control

Time and money savings

Personal Data Management Solution is an end-to-end module that supports companies in the proper management of personal data, however it is not sufficient to implement the GDPR. The successful implementation of GDPR requires companies to comply with consistent standards and practices and prove their organizational skills. The GDPR is expected to have a significant impact on organizations as it requires them to update personal privacy policies, implement control and reporting tools for personal data protection and infringement, deploy highly transparent policies, and further invest in IT and training.

 

Disclaimer

This document contains remarks on the GDPR, as IT.integro interprets it, as of the date of its publication. The document should not be deemed to be legal advice or guidelines on how GDPR might apply to an organization. We encourage you to contact a legally qualified professional to determine how the GDPR applies specifically to your organization, and how best to ensure compliance when it is implemented.

IT.integro makes no warranties (express, implied, or statutory), as to the information in this document. Information and views expressed in this document, available in writing, on the Internet website or from other online resources may change without notice.