WHAT’S THE FUSS AND NOISE ALL ABOUT GDPR?

I am sure some of you have seen my recent posts and concluded that there is too much noise around the introduction of the EU-wide General Data Protection Regulation (GDPR), which replaces the current UK Data Protection Act on 25 May 2018.  Why is it creating such a stir and fuss?  How will organisations be affected by it?  What will they need to do?  Remember, I am not a GDPR solicitor or lawyer; my reason for writing this post is to help you and your business better prepare for GDPR.

Penalties

One of the reasons GDPR has caught the attention of business owners is the potential for eye-wateringly large fines for non-compliance – up to €20m or 4% of global annual turnover. GDPR also makes it considerably easier for individuals to bring claims for ‘material and non-material damage’, i.e. they will be able to claim for distress, hurt feelings or reputational damage even when they can’t prove financial loss.  That’s a sea change from the present law.

Data Protection Officers

Organisations with more than 250 employees, or which process data on a large scale must appoint a Data Protection Officer.  Others will need a DPO-equivalent to ensure GDPR compliance and to be the liaison for clients and others with privacy concerns.

Consent

Consent to hold and process personal data is the cornerstone of GDPR.  Data is defined as ‘any information … that can be used to directly or indirectly identify the person’, e.g. electronic and paper records of names, email addresses, bank account details, photographs, medical records, IP addresses or social media posts.  You must request consent in clear, simple language, separately from other T&Cs, and be specific about how information will be used.  Data subjects (this includes clients and employees) must positively opt in, with an easy way to withdraw consent at any time.  Using personal data for a different purpose needs a new consent.

Holding Data Lawfully

Organisations must document all the personal data they hold, its source, who can access it, where it’s held, and why it’s held.  Most law firms can call up their database and list their data by client.  But how many would be as confident about their paper records, including archives, and files inherited from other firms during mergers?  And what’s stored on individual desktops, laptops or in email records?

Communicating Privacy Information

Once you have a complete list of data, you need to document the lawful basis on which you’re holding it.  Refresh privacy notices, ensuring they are concise, clear and simple, stating how you intend to use the information and the lawful reason for processing it.  The privacy notice should also tell people of their right to complain to the ICO if they think there’s a problem with the way you are handling their data.

Accountability

Organisations must be able to prove compliance with the new legislation, and detail the steps taken.  Firms must have proper policies and audit trails documenting how processing decisions were made and how they achieve effective data protection.

New Rights

GDPR provides people with additional rights, notably:

The right to be forgotten – individuals will have the right to demand deletion of personal data where there’s no compelling reason for its continued processing. All organisations and businesses must have the processes and technology to be able to identify and delete data on request.  What do you hold and where?

Subject access requests – people can ask for all data held on them: organisations must provide this ‘without delay’, at the latest within one month, and without charge. Can you do this?

Privacy by Design

Under GDPR, privacy risks must be assessed at the start of any new project, and reassessed continuously.  You must carry out a privacy impact assessment whenever the risk of breach is high due to the nature or scope of the processing operation, e.g., where an organisation/business is planning to buy new software and data will be migrated, or in a merger where datasets will be combined.  It also applies to processing data concerning vulnerable subjects.  GDPR defines ‘vulnerable’ as where there is a power imbalance between the data controller and the data subject, and the individual may not be able to consent to or oppose the processing of their data.  This could apply to children and vulnerable adults, but also to HR activities.


Reporting Breaches

A breach doesn’t just mean the loss of data, but also the destruction, alteration, unauthorised disclosure of, or access to, personal data. Currently there is no obligation to report a breach, but GDPR requires data breaches to be reported to the ICO within 72 hours.  There are potentially serious consequences for failing to do so – a fine of up to €20m or 2% of global turnover.  Practically, this means that everyone in a firm must be able to recognise a breach, with clear reporting lines to ensure a rapid response.

Experts and Outsourcing 

Some businesses and organisations commonly transfer personal data to other individuals and organisations, e.g. medical experts, or to outsourced providers such as digital dictation or secure shredding companies.  Under GDPR the firm, as data controller, retains responsibility (and liability) for the proper and secure handling of that data by third parties and must only engage with those who can provide ‘sufficient guarantees’.  So, organisations and businesses must conduct thorough due diligence and review existing agreements to ensure that they are protected.

Conclusion

With the introduction of GDPR on 25 May 2018, privacy becomes central to everything you do, and firms should start preparing now. You should review all the data you hold and assess whether you have consent to process it. This is no mean feat and will require board/partner level commitment. Privacy just became real.

If you would like help in reviewing and revising your policies and procedures to achieve GDPR compliance, please contact TopOneCRM.

How Can Dynamics CRM System Help With GDPR Compliance?

A Dynamics CRM system can be a vital tool for gaining and maintaining GDPR compliance.  Your policies dictate what the system needs to do to support your compliance position; simply having a CRM system that collects personal data doesn’t make it compliant. If your policies state that you only need name, address and email information to deliver the required management or service to your customers, then Dynamics CRM needs to be configured so that this is all it is able to store.

Dynamics CRM should not allow users to enter personal details beyond that, such as age, marital status etc.; otherwise your Dynamics CRM system is clearly not compliant, because it is not following the policies defined around the agreed business need.  There is then the associated data to consider, such as emails and transactional history like Orders, Cases and enquiries.  All users of the Dynamics CRM instance need to be informed and trained on the implications of GDPR for their use of the system. A Dynamics CRM system will hold records about individuals you sell to or do business with.  It is important that you can identify where, when and how each record got into your system.  Typically the ‘Source’ field of a Lead or Customer record answers that question.

Marketing via email.  If you use Dynamics CRM to market via email then you need to implement a double opt-in process for gaining permission to email an individual, stating at the point you collect the email address for your list what you intend to do with it.  For example, if you obtain an individual’s details in relation to Product A and then start emailing them about Product B, this could be deemed a breach of GDPR.  With double opt-in, not only has the user subscribed to a newsletter, mailing list or other email marketing messages by explicit request, but he or she has also confirmed in the process that the email address is their own.

How long can Dynamics CRM hold a person’s data for? GDPR has rules around retention policies which mean that, depending on your specific business needs, there may be limitations on the extent of the data you hold and the length of time it is reasonable to hold it.  The legislation indicates that, for example, beyond a product warranty period there would be no reasonable need for a company to retain that person’s data; your policy would need to make the case for why a longer retention period is appropriate.  However, even the single subject area of emails is complex.  Does this include all emails a person has simply been copied on?  If emails are stored in Dynamics CRM, then this whole area has to be managed in both your email service and Dynamics CRM.

But what do I do with the data in the backups?  Backups and archiving also need to be considered, and this applies to Dynamics CRM as much as to any other application.  So, for example, when you are using an online hosted instance of Dynamics CRM, you need to understand the archiving and backup processes of that online system, so that if your policies state that you will delete any records of a certain nature that are older than N years, you know that the deletion is also carried through the backups and archives taken of your online instance.

The right to be forgotten.  Similarly, when an individual requests an update of their information or a report of what information you hold on them, or exercises the right to be forgotten, your policies need to define the requirements that your system must be able to support. Clearly good data quality, a subject very close to our hearts, is going to be an even greater requirement under GDPR than it has been to date simply to make Dynamics CRM work efficiently.  When such requests are made, high quality data makes it easier to ensure you identify the right person and that the person has only one record in your system, so that any required actions can be carried out with confidence.  If a person simply requests not to be contacted, i.e. unsubscribes, then, because there is only one record, they will not keep receiving communications through a duplicate entry in Dynamics CRM that was missed.

Review your users’ access rights – look at all your users and what access rights they have to your Dynamics CRM instance.

(GDPR) Managing Dynamics CRM Data Retention Policy With Bulk Record Deletion

Thank you for taking the time to read this post.  I am a Microsoft Dynamics Certified Professional. I am not a lawyer, so I am not drawing conclusions but pointing out key GDPR considerations.

This means that organisations should remove information pertaining to data subjects when:

• There is no further requirement to hold it, either contractually or legally (i.e. it is no longer required as part of a statutory instrument)

• The subject has withdrawn their consent

• It has been identified that data is being held which is at odds with an organisation’s policies or primary business activities

Article 5 extends this further by making it clear that data which you are unable to keep sufficiently accurate should be “erased … without delay”. Avoiding this scenario would require regularly contacting the data subject concerned to verify that their details are correct. One of the major “get out of jail free” cards that GDPR provides around data retention is in instances where the data will be used for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” (Article 5). The scope of this is, as you can tell, rather limited, and most non-governmental organisations/businesses may struggle to demonstrate that their data archiving is in line with these broad principles.

The importance of ensuring a clearly defined and structured process for the removal of customer data therefore becomes a paramount concern under GDPR. Investigating and defining your organisation’s data retention periods is an exercise that should be carried out if it has not been done already. Once that is in place, we can turn to a component within CRM/D365 to automate and streamline the actual process – the Bulk Record Deletion feature (see the TechNet article for further guidance: https://technet.microsoft.com/library/dn531072.aspx).

In a nutshell, this feature is a really efficient means of deleting large amounts of predefined data within CRM/D365. Administrators of the application will most often work with it when attempting to reduce the storage footprint of a CRM/D365 instance, via the removal of completed System Job records and other superfluous record types. The ability to define filter criteria and recurrence settings, and to send out email notifications upon completion of a job, makes it an excellent candidate to consider when streamlining your internal processes surrounding data retention.

For example, let’s assume your business has implemented a data retention policy that states Contact entity data that has not been updated or changed within 12 months should be deleted from the system. Setting up a Bulk Record Deletion Job within the application to assist with this task is remarkably straightforward, as the step-by-step guide below indicates:
1. Within the application, navigate to Settings -> Data Management on the Sitemap and click the icon to navigate to the Data Management page.

2. On the Data Management page, click on the Bulk Record Deletion icon to open the All Bulk Deletion System Jobs view. Once this has loaded, click on the New icon.

3. The Bulk Deletion Wizard will open in a pop-up window. Click Next on the first screen to move to the Define Search Criteria page and modify the settings as follows:

   • Look for: Contact

   • Search Criteria: Modified On Older Than 365 Days

   Click Next when you are ready to open the Select Options page. Give the Bulk Record Deletion Job a descriptive name and then ensure that the following settings are configured:

   • Specify whether the Job should run immediately or in the future. It is recommended to schedule Jobs outside peak hours to prevent any performance detriment to other users.

   • Ensure that the Run this job after every box is ticked and then select an appropriate time period. I would recommend 30 days.

   • Ensure that the Send an email to me… box is ticked. You can also (optionally) specify additional email recipients, but note that these have to be valid application users (i.e. not any other email-enabled entity such as Contact, Account etc.).

4. The final step in the wizard gives you the opportunity to review all configured settings. Press Submit to create the Job in the system and, if specified to start immediately, begin running it in the background. You can also navigate to the Recurring Bulk Deletion System Jobs view at any time to review the current status of a job, check when it is next scheduled to run, or modify its properties to suit your requirements.

Some simple examples of combining this feature with workflows are below:

• Create a custom entity to store contractual/statutory data retention limits and link it to your common entities within the application via a 1:N relationship. Once a limit is selected when a record is created, you can define a workflow with a wait condition that updates a Two Option custom field on the entity as a flag for a Bulk Delete Job to remove it from the system.

• Using a custom field on your entity to indicate that a customer has expressed their “right to be forgotten”, define a workflow that sends a customer confirmation that their details will be removed from the system within 30 days and then use this same field as a flag for a Bulk Record Deletion Job.

• Define a workflow that sends an email to owners of records that have not been modified within a set period (i.e. are inaccurate), prompting them to speak to the customer to update their details. Records that are not updated would then be deleted, using a Job similar to the one above.
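As an added example (not the post’s own code, nor Microsoft’s), the recurring Contact retention job from the step-by-step guide above, created through the Dynamics 365 SDK instead of the wizard, with the flagged-field variant from the list above as an optional second query. It assumes a connected IOrganizationService and a hypothetical Two Option field named new_erasurerequested that a right-to-be-forgotten workflow sets on Contact.

```csharp
// Added example: builds the same Bulk Record Deletion job the wizard produces
// (Contacts with Modified On older than N days, recurring every M days, email
// notification to the calling user). Requires the Microsoft.Xrm.Sdk and
// Microsoft.Crm.Sdk.Messages assemblies and an authenticated IOrganizationService.
using System;
using System.Collections.Generic;
using Microsoft.Crm.Sdk.Messages;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public static class ContactRetentionJob
{
    // Hypothetical Two Option field a workflow sets when a data subject
    // invokes the right to be forgotten (assumed, not a stock Dynamics field).
    private const string ErasureFlagField = "new_erasurerequested";

    // Returns the id of the created Bulk Deletion System Job.
    public static Guid Create(IOrganizationService service,
                              int retentionDays = 365,
                              int recurrenceDays = 30,
                              bool includeErasureRequests = false)
    {
        if (service == null) throw new ArgumentNullException(nameof(service));
        if (retentionDays <= 0 || recurrenceDays <= 0)
            throw new ArgumentOutOfRangeException("retention and recurrence must be positive");

        // Query 1: Contacts not modified within the retention period
        // (the wizard's "Modified On Older Than 365 Days" criterion).
        var stale = new QueryExpression("contact") { ColumnSet = new ColumnSet("contactid") };
        stale.Criteria.AddCondition("modifiedon", ConditionOperator.OlderThanXDays, retentionDays);

        var queries = new List<QueryExpression> { stale };

        if (includeErasureRequests)
        {
            // Query 2: Contacts flagged by the right-to-be-forgotten workflow.
            // A record matching either query is deleted by the same job.
            var flagged = new QueryExpression("contact") { ColumnSet = new ColumnSet("contactid") };
            flagged.Criteria.AddCondition(ErasureFlagField, ConditionOperator.Equal, true);
            queries.Add(flagged);
        }

        // Completion emails may only go to system users, so notify the caller.
        var me = (WhoAmIResponse)service.Execute(new WhoAmIRequest());

        var request = new BulkDeleteRequest
        {
            JobName = "GDPR retention: contacts not modified in " + retentionDays + " days",
            QuerySet = queries.ToArray(),
            // Starts now; in production set this to an out-of-hours time.
            StartDateTime = DateTime.UtcNow,
            // Same effect as ticking "Run this job after every" with a 30 day period.
            RecurrencePattern = "FREQ=DAILY;INTERVAL=" + recurrenceDays + ";",
            SendEmailNotification = true,
            ToRecipients = new[] { me.UserId },
            CCRecipients = new Guid[0]
        };

        var response = (BulkDeleteResponse)service.Execute(request);
        // The job then appears under Recurring Bulk Deletion System Jobs.
        return response.JobId;
    }
}
```

The job only deletes what the queries return, so the retention period and flag field should match the documented retention policy before the job is submitted.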

How to accommodate GDPR in Dynamics CRM – good practices

I understand that there are a lot of considerations which must be taken into account before GDPR. However, are there any changes (good practices) we need to make in Dynamics CRM Online to accommodate GDPR? I am proactively thinking about things like workflows for removing data after the retention period etc.

The answer to this question is:

Dynamics CRM does not play nice with delete – use it with care. GDPR best practices can be found here:

https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

https://support.office.com/en-us/article/Overview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423

https://community.dynamics.com/crm/b/crmchap/archive/2017/08/06/getting-your-dynamics-crm-dynamics-365-for-enterprise-system-gdpr-ready-part-4-managing-data-retention-policy-with-bulk-record-deletion

GDPR – Q/A by Microsoft

  • When will Azure have their GDPR DPA ready?
I assume that by “DPA” you mean Data Processing Agreement, i.e., the contractual guarantees and commitments that are required by Article 28 of the GDPR. If so, Microsoft made those terms available earlier this year. You can find them in Microsoft’s Online Services Terms (https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx), which cover Azure Services along with other online services. And those terms are incorporated into all of our volume licensing agreements.
  • Will Microsoft update its on-premises software to meet GDPR requirements?
Thank you for your question. We believe the Microsoft Cloud can accelerate the path to GDPR compliance for our customers. The design and development of the Microsoft Cloud are guided by our Trusted Cloud Principles, which include security, privacy, compliance, and transparency. That means the Microsoft Cloud aligns with the underlying principles of the GDPR and comes with technologies and capabilities that can help you comply with the GDPR. For customers who have invested in and deployed Microsoft software on-premises, we… In many instances, when customers deploy our on-premises software, we may not have any role in the data processing. We are currently reviewing our existing on-premises software offerings to determine what if any obligations we have under the GDPR and what guidance we can provide our customers to help them use that software to meet their obligations under the GDPR. Additional information will be available at the Trust Center.
  • Does Microsoft need to be certified by the European Commission before you are compliant with GDPR and how do the conflicts in having a US tenant for processing our data when US legislation seems to be in conflict with GDPR?
Thank you for your question. At this point, there is no certification available for the GDPR and as such no company can get “certified.” That said, the GDPR provides for the development of certification mechanisms over time. Microsoft has a long-standing commitment to meet the highest standards with respect to privacy and security and its portfolio of certifications is among the broadest in the industry. And GDPR compliance is no exception. We have already committed publicly to comply with GDPR and to offer contractual commitments to our customers. And we are engaging in audits to provide our customers with the verifications necessary. Microsoft will process personal data in compliance with the GDPR regardless of where the customer tenant is located. We make a commitment to our customers to comply with applicable law. At this point in time, we are not aware of specific conflicts between the GDPR and U.S. legislation, but it is an area we continue to monitor to ensure we’re meeting the needs of our customers and supporting their compliance. For more on Microsoft and GDPR, see the Trust Center.
  • Currently legal liability of service providers are not matching the liabilities enforced by GDPR. Is MS planning to introduce better financial assurance in their SLAs to secure organizations using their cloud?
Thank you for your question. The relevant data protection authorities have not yet issued any guidance regarding enforcement of the GDPR and the assessment of liability. However, the regulation includes provisions that allocate liability between controllers (enterprise customers using online services) and processors (service providers) for violations based on fault. Microsoft is committed to compliance with the GDPR across its cloud services. It is backing up that commitment with contractual provisions in its customer agreements. So, you can be assured that we will do our part to comply with the GDPR.
  • During the webinar, a screen displayed in 365 the use of a Privacy Search; and configuring that with policies. Is that an additional feature in 365?
Many Office 365 compliance controls and features, such as the ability to perform a content search, come by default with any Office 365 subscription. Learn more about the compliance standards of Office 365 on the Microsoft Trust Center. Rights Management and Data Loss Prevention for emails come with most subscriptions like Office 365 E3. Some advanced features that use Machine Learning to automatically assist you in better managing and protecting personal data, such as Advanced Data Governance, are available as Add-Ons or in Office 365 E5 Suites.
  • What was the Azure tool called for scanning on-prem file servers?
Azure Information Protection Scanner. See https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner for more information.
  • What do you see as the major technological differences between GDPR and the expired Safe Harbour?
Thank you for your question. The GDPR is a broad regulation governing the protection and use of personal data for individuals in the EU. It generally applies to organizations in the EU that process personal data and to organizations – whether inside or outside of the EU – that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU. The expired Safe Harbour agreement was much narrower. It allowed US companies, who certified that they would comply with EU data protection standards, to transfer European data to the US. The standards to which that agreement was anchored pre-dated the GDPR. Those standards included the 1995 EU Data Protection Directive. The GDPR will replace that directive. While some of the provisions between the two regulations are similar, many are different. We encourage you to work with a legally qualified professional to discuss the GDPR, what changes it introduces, how it applies specifically to your organization, and how best to ensure compliance. For more on Microsoft and GDPR, see the Trust Center.
  • Will Microsoft’s data tagging and search system be able to access local non-cloud data in a hybrid environment?
Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud. Azure Information Protection helps you classify and label data at the time of creation or modification. Protection can then be applied to personal and sensitive data. Classification labels and protection are persistent, traveling with the data so that it’s identifiable and protected at all times – regardless of where it’s stored or with whom it’s shared. You also get deep visibility and control over shared data. Microsoft is in the process of standardizing all its labels: Office 365 Data Governance, Windows Information Protection, and Azure Information protection will soon share the same format, both in transit and persisted. Find more detailed information in the following whitepapers, Supporting your EU GDPR compliance journey with Microsoft EMS and Data Classification for Cloud Readiness.
  • At present Microsoft products offer only a Create/Edit audit trail (useful for financial audits but not enough for GDPR compliance). When will Microsoft publish clear information on which software products (not only cloud services) will offer a full audit trail in line with GDPR, from which version onwards and whether this will cost extra?
Auditing and logging is an important component of any effective security and compliance strategy. As a starting point, check out the article on Get started with SQL database auditing. You can also use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 tenant. The unified audit log allows you to search for user and admin activity across SharePoint Online, OneDrive for Business, Exchange Online (with Exchange mailbox audit logging turned on), Sway, Power BI for Office 365, Microsoft Teams, Yammer and Azure Active Directory (the directory service for Office 365). Please refer to https://www.microsoft.com/en-us/trustcenter/Privacy/GDPR, which is our customer hub for GDPR-related support. We’ll continue to post information on this and other questions over time. Just today we released several new whitepapers on how GDPR will be supported and more product-specific content is being developed to assist customers.
  • What was the name of the technology that allows you to scan on-prem data i.e. local file server?
Azure Information Protection Scanner – see https://docs.microsoft.com/en-us/information-protection/deploy-use/deploy-aip-scanner for more information.
  • What is GDPR?
GDPR is the EU General Data Protection Regulation.
  • I wish to add that GDPR not only affects the member states of EU but also other countries who are part of European Union Association Agreement (23 countries).
Yes; because GDPR is a Regulation, it applies to the European Economic Area (the EU Member States plus Norway, Iceland and Liechtenstein). Given the reach of GDPR across borders (e.g., where processing relative to an individual in the EU happens outside Europe), we also recommend that all organizations carefully examine GDPR applicability relative to their business. For more on Microsoft and GDPR, see the Trust Center.
  • How does this exercise the rights of the individual though? Subject Access Request (Right of Access), Data Portability etc?
In scenarios where Microsoft is a processor, which generally includes our enterprise online services like Office 365, Azure, and Dynamics 365 (among others), it’s long been our view that our customers are owners of the data and as such should be empowered to manage it. To support that in GDPR, we want to enable our customers to leverage the services to act on data subject requests. But because the data is yours, we also want to be clear that we won’t act on data subject requests directly—after all, only you should determine how to respond to a request related to your data. And we are engaging in audits to provide our customers with the verifications necessary. Microsoft was the first major cloud service provider to commit to enabling support for data subject rights and we have since backed that with contractual commitments to our customers. For more on Microsoft and GDPR, see the Trust Center.
  • If we have customer data that was submitted by a customer can we also share that data with a spin off business?
Great question, but this is one you’re going to need to have a more detailed conversation with an expert to resolve. GDPR turns significantly on whether the data is “personal data”, the nature of the consent associated with the data, and other factors that require a more detailed analysis. For a primer on some of these issues, see the overview of GDPR we prepared. But please also engage an expert for legal guidance on how GDPR applies to your specific scenario and to ensure your compliance. For more on Microsoft and GDPR, see the Trust Center.
  • What is Microsoft threat detection called?
Microsoft has a few products that do this. The one that was just mentioned was Windows Defender Advanced Threat Protection. See https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection for more information.
  • How do you get the Compliance Manager?

  • Need to understand the impact for us as a customer and user of O365 where we are geographically based in South Africa, and alignment with our own local legislation – where our data is presumably stored in the EU, but we need to be able to access the information not only from South Africa but also from other African countries where privacy laws may be less stringent or non-existent! No Privacy Shield type arrangement currently exists between South Africa and the EU. Will there be an update in the agreements with Microsoft and O365/Azure customers to address the transfer of data from the EU back to countries outside of the EU in terms of GDPR?

Thanks for the question. Microsoft uses a number of mechanisms to support the international transfer of data. One of these mechanisms is the Standard Contractual Clauses (also known as the Model Clauses), which is applicable in the case you describe. Companies like Microsoft that have signed the Model Clauses with their customers can export data to countries that have not met the EU’s adequacy requirements. The EU’s Article 29 Working Party has validated Microsoft’s approach. And Microsoft makes the benefit of these commitments applicable to volume license customers automatically. See the Online Services Terms at Attachment 3 for these terms. And be sure to review the Microsoft Trust Center for more on GDPR (including the page on data location).

  • Can you give a link to the compliance manager tool?

  • I had expected some real case scenarios. I know it’s too early, but on the other hand it will soon be too late. For example: how should data logging be supported? Should the program always ask what the reason for accessing the data is? How should data deletion be supported? For example, company A has a CRM with contacts. One of the contacts is me, and I want to be erased from the database. How do I do that? I don’t even have access to the CRM in this company. I think there are still 100 scenarios that have to be solved, or at least talked about.

Thanks for sharing the concern. We have met with many customers and partners to work through the top scenarios for which they would like support from Microsoft technology. These range from security, to supporting and enabling data subject requests, to mapping data environments, and beyond. We’re capturing the top issues and building white papers and best practices to share with customers. See the Microsoft Trust Center for our current materials and check back in for further updates—we have a lot in development.

  • What is the link for the compliance tool kit?

You can access Compliance Manager here: https://aka.ms/compliancemanager
  • If we as an organization adopt Office pro plus, Exchange online and Azure PAAS/IAAS products from Microsoft in coming year, will the compliance to GDPR come as part of the default service offerings Or would we have to sign up for special services at additional cost to comply with GDPR requirements?
Thanks for the question. We’ve committed that all of our enterprise online services will be compliant with GDPR by May 25, 2018. In effect that means that we’ll have enabled the capabilities required of processors in Article 28 as well as a number of other capabilities that we are developing that we think will simplify the GDPR compliance experience for our customers. There may be products that have varying components depending on the package a customer chooses, and so some features that make compliance with GDPR easier may or may not be available in the specific package a customer chooses. But even if a customer chooses the “base” offering it will meet the GDPR requirements on processors.