GDPR compliance with Dynamics NAV/BC

As you already know, on May 25, 2016, the General Data Protection Regulation (GDPR)which will replace the current legislation in force and which will start to apply May 25, 2018.

One of the main goals of the GDPR is to give people control Your personal information, granting them the right of access and rectification. Also significant are the new rights for individuals, including "right to be forgotten" and the right to data portability.

The GDPR defines personal data as "any information relating to an identified or identifiable person ("data subject"), an identifiable natural person is one who can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, a data location or an online identifier or one or more factors relating to the social, cultural, economic, mental, genetic, physiological, psychological identity of the natural person".

Online identifiers such as IP addresses can currently be classified as personal data, unless they are anonymized.

Table of Contents
  1. What roles do we find?
  2. Who is responsible?
  3. How can Microsoft Dynamics NAV or Microsoft Dynamics 365 Business Central help me prepare for GDPR compliance?
  4. Which versions incorporate this "Data Classification"?
  5. What are the different “data classifications”?
  6. Classification of data into tables and fields
  7. Display of the classification of the current field
  8. Final comments:

What roles do we find?

The company that stores the information in its own facilities, or on rented equipment (hosting, Cloud, etc.) has the role of data controller and must keep records and monitor personal data processing activities. This includes personal data processed within the organization, but also by third parties, named data controllers.

Data controllers can be anything from software-as-a-service providers or third-party integrated services, third-party integrations, cloud functions, etc.

Both data controllers and data processors must be trained to be responsible for the type of data processed, its purpose and the countries and/or third parties to which the information has been released.

The information can only be released to other organizations that comply with the GDPR.

The company must prepare a report proving the authorization granted.

No processing of personal data is permitted without prior authorization. This means that before carrying out any processing it is necessary to obtain authorization, which is granted on the basis of clear and specific information on the type of data and the purposes.

In the case of sensitive personal data, the authorization must be explicit, which underlines the importance of authorization in the processing of sensitive personal data.

Individuals currently have the "right to data portability", the "right to access data" along with the "right to be forgotten" and can revoke their permission whenever they wish. In this case, the data controller must delete the data subject's personal data if they are no longer necessary for the purpose for which they were collected.

In the event of a data breach, the company must be able to notify data protection authorities and affected individuals within 72 hours.

Who is responsible?

In every company the figure of data controllerlike the person who monitors and verifies compliance with regulations in the organization.

The figure of data controller AS the natural or legal person, authority, service or other body that provides the information controller with a service involving the processing of personal data on his behalf..

Among the most innovative measures provided for by the GDPR, the obligation of the owner and the processor to designate a "data protection officer" (DPO, “Data Protection Officer”) to ensure compliance with the regulations.

The "Data Protection Officer" (DPO) is a new figure, specialized in data protection legislation, which is created alongside the figures of the data controller and data processor.

How can Microsoft Dynamics NAV or Microsoft Dynamics 365 Business Central help me prepare for GDPR compliance?

Well, there are several product features that will help us comply with regulations. However, it is important to remember that it only covers data within the app and we will need to check any other sources of personal data we hold in our business.

There is no set way to comply with the GDPR, as every company is different, it is therefore up to each organization to correctly interpret and apply the regulation to its particular case.

In addition to what we already have "as standard" with Microsoft Dynamics NAV/BC (the management of user IDs and passwords, permissions and the accounting principle), the Data classificationwhich will allow us to do everything that the standard requires of us, as we will see later in the article.

Which versions incorporate this "Data Classification"?

Logically, those releases within the support cycle, i.e NAV 2015, NAV 2016, NAV 2017, NAV 2018 and naturally Corporate headquarters.

The change was introduced in the March 2018 Cumulative Update, namely:

  • NAV 2018 (UC 03)
  • NAV 2017 (CU 16)
  • NAV 2016 (CU 29)
  • NAV 2015 (CU 41)

I'll leave you a link to this post on my blog where you have direct access to them.

What are the different “data classifications”?

As I mentioned, a new property has been introduced in tables and fields since March, called Data classificationand whose description is as follows:

Customer Content: Content is created by administrators and users. It is the default value.

  • Example: Customer-generated blob or structured storage data.
  • Example: Client secrets such as passwords, certificates, or storage and encryption keys.

EndUserIndetificationInformation: (EUII) Data that identifies or could be used to identify the user of a Microsoft service. EUII does not contain customer content.

  • Example: Username or display name (DOMAINusername).
  • Example: User principal name (user principal name, type: name@company.domain)
  • Example: User-specific IP address

Account data– Customer billing information and payment instrument information, including administrator contact information, such as your tenant administrator's name, address, or phone number.

  • Example: Tenant administrator contact information (e.g. tenant administrator name, address, email, phone).
  • Example: Customer provisioning information.

EndUsePseudonymousIdentifiers: (EUPI) A Microsoft-created identifier linked to the user of a Microsoft service. When the EUPI is combined with other information, such as a mapping table, it identifies the end user. The EUPI does not contain customer-uploaded or customer-created information (CustomerContent or EUII).

  • For example: User GUID, PUID, or SID.
  • Example: Session ID.

Organizationally identifiable information: (OII) Data that can be used to identify a tenant, typically configuration or usage data. This information cannot be linked to a user and does not contain Customer content.

  • Example: Tenant ID (not GUID)
  • Example: Domain name in email address (xxx@company.domino) or other information specific to the tenant's domain.

System metadata: Data generated during service or program execution that cannot be linked to a user or tenant.

  • Example: database table names, column names, entity names.

Classification of data into tables and fields

Tables and field controls include the property Data classification which we can use to label data with any of the classifications described above.

Microsoft Dynamics NAV/BC operates with some standard rules for classification:

  • When a new field is added to a table, that field is assigned an initial value ToBeClassified (awaiting classification).
  • The type fields Flow field Yes Flow filter are automatically set to the data classification value System metadata. This cannot be changed.
  • Existing tables and fields (except FlowFields and FlowFilters) in an application that has been updated from a version that does not contain the property Data classificationwill automatically be assigned the classification value Customer Content.

Microsoft provides this DataClassification property only as an aid. AND your responsibility classify data appropriately and comply with applicable laws and regulations. Microsoft is not responsible for any claims relating to data classification.

Display of the classification of the current field

To see the data classification of all fields we can do the following:

  • From the Dynamics NAV development environment, we will do this Tools and we select Show field data classification.
  • From the client, we search and open the page Classification of field data.
  • We can create a Page that has its origin in the virtual table Field (ID 2000000041) and open it on the client.

To view the data classification of all tables, we can create a page that has the virtual table Table metadata (ID 2000000136) as the source and open it on the client.

Finally, he comments that in both Dynamics NAV and Business Central we have a worksheet to manage and classify data from a centralized location. Regard Data classification worksheet.

We can also perform a massive update of our data thanks to specific PowerShell cmdlets.

Final comments:

I trust that this short summary has been clarifying for you, I have tried to bring together in this article the most relevant rules and measures that Microsoft has made available to us within Microsoft Dynamics NAV and Business Central, but the most important thing is what you should keep in mind is that the the responsibility is yours.

A hug and see you soon!!

Miguel LLorca (@mllorcag)

External Link: Dynamics NAV GDPR White Paper

If you want to read other articles similar to GDPR compliance with Dynamics NAV/BC you can visit the category Power Apps.

Leave a Reply

Your email address will not be published. Required fields are marked *

Your score: Useful

Go up