With GDPR (General Data Protection Regulation) legislation coming into effect in May 2018, all companies who either operate within or offer goods/services to individuals in the EU will be required to comply with GDPR.
So, what does this mean for you as an organisation and a Dynamics NAV | 365 Business Central user? In simple terms, it means all of us need to review how we hold and use PII (Personally Identifiable Information) and take steps to show that we are adhering to the data protection principles. The steps don’t just apply to data held within your ERP systems but all data, be it paper-based or electronic.
All of us will fall into one of two categories:
1. Data Controller – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the way any personal data is, or will be processed. A Data Controller must be a “person” recognised in law, that is to say:
(c) Other corporate and unincorporated bodies of persons.
2. Data Processor – is defined as a person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
An organisation engages a company which provides business services to administer its employee payroll function. The organisation also engages a marketing company to carry out a satisfaction survey of its existing customers. The business services company will need information about the organisation’s employees, and the marketing company will need information about its customers. Both companies will be processing the information on behalf of the organisation, and so they are both data processors. However, they will also be processing personal data about their own employees and, in respect of that personal data, they will be data controllers.
Once you have established whether you are a Data Controller, Data Processor or both, the first step to GDPR compliance is knowing where all your PII data is!
How can we help?
Identifying what you have and where it is forms the very foundation of GDPR compliance. The Data Inventory Library in our GDPR product, provides a place where we can identify PII data within standard Dynamics NAV | 365 Business Central tables. It also allows you to record any customised PII data sources that have been added to your Dynamics NAV | 365 Business Central solution.
As well as recording data held within Dynamics NAV | 365 Business Central, the Data Inventory Library allows you to record other digital sources, i.e. a spreadsheet with customer data and the place they are held as well as recording any non-digital records you hold, such as customer files and where they are located.
Once you have identified the data sources, you need to identify and record the Data Subjects, these are not the individual records but the type of record. Data Subjects are then grouped by type, i.e. Customer, Vendor, Employee etc. Each Data Subject will also have a Lawful Basis Code assigned to it.
For data stored in Standard Dynamics NAV | 365 Business Central tables we have the ability to pre-load the Data Inventory Library.
Lawful Basis Codes
Lawful Basis Codes define the reason you are holding that data for processing. Lawful basis reasons are defined by the GDPR. They are as follows:
(a) Consent – processing of the data is permitted if the data subject has consented to processing
(b) Contractual Necessity – personal data may be processed on the basis that such processing is necessary to enter or perform a contract with the data subject
(c) Compliance with Legal Obligations – processing is permitted if it is necessary for compliance with a legal obligation
(d) Vital Interests – personal data may be processed on the basis that it is necessary to protect the ‘vital interests’ of the data subject (primarily applies in life or death scenarios)
(e) Public Interest – processing is permitted if it is necessary for the performance of a task carried out that is in acting in the public interest
(f) Legitimate Interest – personal data may be processed where the controller has a legitimate interest in processing the data, providing that it does not override the rights or freedoms of the affected data subjects
Rights of Individuals
One of the primary goals of GDPR is to empower individuals to take back control of their personal data. The legislation aims to ensure that individuals have a range of rights regarding their data, these include:
The right to be informed – the individual may request information on how their data is being used by your organisation, the supply of this information must be provided free of charge, must be concise and intelligible as well as being easily accessible.
The right of access – the individual has the right to obtain confirmation of whether personal data is being processed and where it is, access to that data with the following information:
(a) The purpose of processing
(b) The categories of personal data being processed
(c) Details of the recipients or categories of recipients to whom the data has or will be disclosed, in particular, third countries (territories or countries outside the EEA) or international organisations
The right of rectification – an individual can ask for data to be rectified where incorrect or where it is incomplete, updated to be complete without an undue delay.
The right to erasure – in this case the individual doesn’t have the absolute right to be forgotten, but an individual does have the right to have their personal data erased and the right to prevent the processing of that data in certain circumstances, those being:
(a) Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
(b) When the individual withdraws consent
(c) When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
(d) The personal data was unlawfully processed (i.e otherwise in breach of the GDPR)
(e) The personal data has to be erased in order to comply with a legal obligation
(f) The personal data is processed in relation to the offer of information society services to a child
(g) There are specific circumstances where the right to erasure does not apply and you can refuse to deal with the individuals request.
Our GDPR Cloud product provides a centralised place for organisations to log all requests, including their outcome and timings. In addition the product allows searching of your Dynamics NAV | 365 Business Central system for specific PII data which is then attached to the request.
Under the GDPR Right to erasure, organisations have a duty to erase the personal data that is no longer necessary, due to the data integrity issues that erasing the data would cause in Dynamics NAV | 365 Business Central, we are providing the tools to allow this data to be obfuscated once a successful Right to erasure has been validated.
We deliver nHanced GDPR as a cloud-based service held securely in Microsoft Azure. This approach minimises the modified objects needed in your existing Dynamis NAV | 365 Business Central system, while providing full visibility and the ability to report against the GDPR logs. This product is compatible with Dynamics NAV 2009 R2 executables and all Dynamics NAV versions following Dynamics NAV 2009 R2. It consumes a full concurrent Dynamics NAV licence at the point at which it requests data.
Over the next few months we will introduce additional features to help you with your GDPR compliance, as well as FREE training (both online as well as classroom based training hosted at our Newbury and Stockport offices) and videos to help you get the most out of the GDPR product.
So, to be fully compliant with GDPR you need to record an inventory of your GDPR relevant data. Your business will hold a lot of information in Dynamics NAV | 365 Business Central, but it will also have information held in other databases and programs, SharePoint, Excel spreadsheets and in paper files. Ensure that you document what personal data you hold, where it came from, what it is for and who you share it with.
If you'd prefer to chat with one of our consultants at The NAV | 365 People, please feel free to contact us.