By: Mohamed Mostafa
Editor’s note: Mohamed Mostafa, along with James Crowter of Technology Management, delivered the session “Is your Dynamics 365 CRM and ERP Solution ready for GDPR? Get ready for your business and personal legal obligations!” at Directions EMEA earlier this month.
Many organizations in Europe (as well as global firms who work within or deal with EU customers) view GDPR as a concern, or even a threat. It’s true that organizations have to take GDPR very seriously. If you haven’t already, you must start now. However, GDPR is also an opportunity for Microsoft Dynamics customers and partners alike. Wait! Don’t close the article yet – just hear me out!
GDPR comes with extensive additional compliance and legal obligations, coupled with large financial fines and the risk of reputational damage. That’s the threat. However, this is also an opportunity! Microsoft customers with existing Dynamics 365 solutions that store or process EU residents’ data should all now review those solutions, both Customer Engagement (CRM) and Finance and Operations (including AX, NAV, GP and SL).
The obligation
Every organization that does business with the EU, or handles EU citizens’ data, must at least carry out six essential data management activities towards achieving GDPR compliance. These activities are represented in the following infographic provided by the GDPR Coalition.
Businesses will have no option but to allocate budgets for existing system audit and compliance reviews. They will then have to fund any updates, enhancements and essential upgrades required for their Dynamics 365 solutions to be compliant. Even current Dynamics 365 implementation programs will have to go through an audit and review cycle to ensure GDPR compliance is embedded in every Personal Identifiable Data (PID) related screen. Processes to capture customers’ information must include steps for acquiring consent from customers. Governance, proactive monitoring and statutory reporting must be in place before the May 2018 deadline.
Microsoft’s commitment to compliance
Microsoft is working very hard to help its customers and partners achieve GDPR compliance, and they are not holding back on resources for that objective. If you go to the Microsoft Trust Centre, which is dedicated to all things Microsoft data security, you will find that GDPR has a large share of the Trust Centre’s focus. Microsoft has even set up a dedicated GDPR demos website. Microsoft has announced that they are committed to GDPR compliance across all their cloud services by the GDPR enforcement date, 25th May 2018.
Microsoft has also provided financially-backed assurances to all its customers as a contractual commitment. It’s fair to say, Microsoft is the first global firm to provide these assurances and I have seen first-hand Microsoft’s commitment to GDPR. To give you an example, I am engaged with Microsoft Central and Eastern Europe providing a series of free webinars to Microsoft partners in this region to prepare them for GDPR.
Does an upgrade to Dynamics 365 ensure compliance?
Microsoft Dynamics 365 already lends itself well to data security, and the platform’s built-in security model makes applying data protection policies not overly complex. I have personally been involved in a project in which we applied GDPR policies and regulations on a fairly large Dynamics 365 customer engagement solution. Using a variety of out-of-the-box security capabilities, we managed to design and implement all the data protection requirements. Many features can be used effectively to achieve these requirements, such as security roles, business unit segregation, access teams, owner teams, and field-level security, to name a few.
However, a simple upgrade of a Dynamics 365 CRM or ERP solution does not guarantee GDPR compliance. All business processes and data collection procedures need to adhere to new GDPR policies. Data cleansing, process re-mapping, acquiring consents, building governance controls and proactive monitoring functionality, and creating statutory reports demand a wide combination of expertise across data security and Dynamics 365, with both functional and technical experience.
The opportunity for customers and Dynamics partners is a joint one
All this work and these activities open up the opportunity for business stakeholders and IT departments to get budgets allocated to upgrade their existing Dynamics solutions and include in their upgrades those enhancements that were not implemented before due to budget constraints. At the same time, the demands of GDPR open opportunities to Microsoft Dynamics partners, which will play an important role in helping their customers deliver these Dynamics 365 solution upgrades and enhancements.
Organizations will need to seek expertise to ensure that various GDPR policies and procedures are embedded while adhering to Microsoft standards and Dynamics platform best practices. For this reason, businesses should not aim to save costs by trying to implement all these changes into their Dynamics 365 solutions on their own without adequate expertise and enough internal resource.
To summarize, I believe both Microsoft Dynamics partners and Dynamics 365 customers have an opportunity with the upcoming GDPR legal obligations to achieve three objectives for the benefit of their organizations:
- Ensure their Dynamics 365 solutions are updated/upgraded, secure, and compliant
- Implement enhancements that can improve their Dynamics 365 solution
- For Dynamics customers: Get budgets allocated to deliver your long-overdue upgrades and enhancements. For Microsoft Dynamics partners: Help new and existing customers on their new upgrade and enhancement projects.