How Business Central Can Keep You GDPR Compliant
Business Central Consultant|Kerv Digital
Published 06/07/22
Easily Classify Your Data With Microsoft D365 BC
Learn how to stay compliant with the awesome tools provided by D365 Business Central
We recently wrote an article on the importance of classifying your data and the benefits it can bring to an organisation.
However, depending on the amount of data you have, classifying it may seem a bit of a daunting task! Fortunately, Microsoft’s Dynamics 365 Business Central is here to help.
Many different territories operate different data standard regulations. One of the best known is the EU’s GDPR, or General Data Protection Regulation.
GDPR states there are different reasons for holding data and an organisation needs to classify why they hold each piece…
- Consent – Under consent, an organisation can process an individual’s data if that person has consented to it.
- Contractual Necessity – An individual doesn’t need to consent to their data being processed by an organisation if that data is needed for a contractual necessity. This also applies to the Right To Be Forgotten – Some information may need to be retained if required as part of a pre-existing contract.
- Compliance With Legal Obligations – As with contractual necessity, it’s entirely in line with GDPR requirements to process an individual’s data if the organisation is required to do so to fulfil a separate legal obligation.
- Vital Interest – This is one of the rarest reasons to process an individual’s data but in life and death scenarios (and life and death doesn’t mean they just have to get your latest sales email) it’s entirely within the remit of GDPR to do so.
- Public Interest – Another form of data processing that’s compliant with GDPR but that most organisations won’t see (it’s more common in news outlets, for example) is the processing of an individual’s data when acting in the public interest.
- Legitimate Interest – Legitimate Interest is by far the broadest category of classification for processing data and applies when an organisation has a legitimate interest in doing so.
As you can see, with so many different ways to classify data, it’s important to have a reliable way to do it… like D365 Business Central.
- The first thing you’ll need to do if you’re hoping to classify data in your system for GDPR is to make sure you’re signed in correctly. If you don’t sign in as an Administrator of Users in the User Groups and Permissions role centre, you won’t be able to access any of the awesome GDPR tools D365 BC has as standard.
It’s been set up that way as it’s a legal requirement for only authorised users (such as a Data Protection Officer) to access the privacy features within.
- After you’ve logged in with the correct profile you’ll find Business Central has added a Data Privacy activity pane that lists all of the handy GDPR features you can use.
- Clicking on Data Privacy will show you these options…
- Data Classification will, as you’d expect, open up a Data Classification worksheet that will enable you to set the correct level of data sensitivity for all of your tables (both standard and custom).
- If you click the Set Up Data Classification button you’ll be presented with a wizard (a Data Classification Assisted Setup… not a graduate of Hogwarts). From here BC will let you import and export data from Excel, which will massively help if you ever need to change classifications.
- Next you can go back to the Data Subjects Page. You’ll now see all the physical entities with their assigned classification attached. Once that’s done you can create a Data Privacy Utility so that, going forward, you’ll be able to see logs for every Data Privacy Activity.
- Clicking on Data Privacy Utility will open up another wizard; this one will let you either export all of the data you hold on an individual in your systems (incredibly handy for Subject Access Requests) or create a complete data privacy configuration package.
- Exporting data for a subject access request will export either all the data you hold or just the data you request based on a sensitivity level. You’ll be able to preview the export before it generates to make sure it all looks right and then generate an Excel spreadsheet which will be added to your role centre’s report inbox. If you instead create a data privacy configuration package, a data package for the subject will be created which you can then view and edit.
- Once you’re done, you’ll be able to see a log in the Data Privacy Activity as this is required by GDPR for all activities related to data manipulation.
With these features in Dynamics 365 Business Central, any organisation should easily be able to handle the vast majority of GDPR issues that come their way.