The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, yet many decision-makers and business leaders are still unsure of what GDPR is and what they should do to prepare for it. We’ve created this guide for Microsoft Dynamics NAV users to understand exactly what is and isn’t covered in their solution.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new EU law for the protection of personal data. It replaces the current Data Protection Act 1998 in the UK. The GDPR applies to “personal data”, which includes any information relating to an identifiable person. There is no distinction between a person’s private, public or work roles. Personal data can include names, email addresses, social media posts, locations, bank details, IP addresses and cookies. The GDPR aims to unify all EU member states’ approaches to data regulation and ensure that all data protection laws are equally applied across the EU. One key aim of GDPR is to empower individuals and give them control over their personal data. This will protect EU citizens from organisations irresponsibly using personal data by governing how they manage and protect it and ensuring they respect individual choice—no matter where data is sent, processed or stored.

For UK businesses, Brexit does not mean a quick getaway from the GDPR. Firstly, the GDPR affects any business that collects and stores data on EU residents and is not reliant on the business itself being based within the EU—if you collect data on EU residents, you must comply. Secondly, by the time Britain leaves the EU on 29th March 2019, the GDPR will already be in place. Theresa May has confirmed that ‘existing EU laws in force in the UK will be converted into full UK laws’.

Under the GDPR, EU residents will have the right to access readily-available information in plain language about:

  • How their personal data is used
  • Access to their personal data
  • Having their personal data deleted or corrected
  • Restricting or objecting to the processing of their personal data, such as for marketing or profiling purposes

Businesses can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet the requirements of the GDPR. It is crucial to think about how you need to enhance your data protection processes to comply with the GDPR.

What is Microsoft doing to help with the GDPR?

Microsoft is taking a number of measures to help organisations safeguard personal data in compliance with the GDPR. They are building a more secure environment for all Microsoft products with investments in additional features and functionality. Microsoft outlines GDPR compliance in 4 key stages:

  • Discover—Identify what personal data you have and where it is stored.
  • Manage—Govern how personal data is used and accessed.
  • Protect—Establish security controls to prevent, detect and respond to vulnerabilities and data breaches.
  • Report—Execute on data requests, report data breaches and keep required documentation.

Microsoft has also produced several resources to educate business leaders and help them prepare for the new regulation. A free GDPR compliance assessment is available for businesses to visualise their progress so far, along with online demos showcasing GDPR scenarios.

Which Microsoft solutions are GDPR compliant?

Microsoft has announced that any Microsoft Dynamics NAV solutions in mainstream support will be updated with tools to aid GDPR compliance, including:

  • Dynamics NAV 2015
  • Dynamics NAV 2016
  • Dynamics NAV 2017
  • Dynamics NAV 2018

As older unsupported versions won’t be updated, it is advised to upgrade to a newer version where possible.

Additionally, Microsoft has updated many of the Dynamics 365 applications with tools to aid the process of becoming GDPR compliant. There are several white papers and compliance guides on the Microsoft Service Trust Portal which detail these features and how they can help you to comply with the GDPR.

What can Microsoft Dynamics NAV users do to prepare for the GDPR?

There are a number of features in Microsoft Dynamics NAV to help you comply with the GDPR. However, it is important to remember that this only covers data held inside NAV and you will need to audit any other sources of personal data within your business separately. There is no set way to become GDPR compliant as every organisation is so different. It’s up to individual businesses to interpret the GDPR for their own unique business processes.

Data Classification

In recent updates of supported Microsoft Dynamics NAV solutions, Microsoft added a Data Classification property on tables and fields. Data Classification allows you to set tags with specific classifications for data with different sensitivities and quickly filter data based on its sensitivity level. You can export data to Excel for external review, then re-import it into NAV once it has been assessed and approved. This provides an easier and more efficient way to locate different categories of data as well as adding a layer of protection for sensitive data. This feature is a big step towards making your Dynamics NAV solution GDPR compliant.

User IDs and passwords

As an administrator, you can create user IDs and passwords to limit access to data in Microsoft Dynamics NAV to selected individuals. Since your NAV database is on an SQL Server, the Dynamics NAV security system and SQL Server security system work together to help ensure that only authorised users can gain access to the database. NAV uses a safe, encrypted connection to the data centre, ensuring security is not compromised from outside your organisation.

Permissions

The Microsoft Dynamics NAV security system allows you to control which objects or tables a user can access within the database. You can specify the type of access that each user has to these objects and tables, down to whether they are able to read, insert, modify, delete or execute data. You can also give and take away permissions in real time, ensuring that users only access the sensitive information required for their role at the time they need it.

Accountability Principle

The accountability principle makes it easy to prove that your business complies with GDPR regulations. It requires proof that you implement appropriate technical and organisational measures, including the implementation of appropriate data protection policies. Luckily, many of the points on the checklist happen to be part of NAV’s basic specification. Therefore, by having implemented an up-to-date version of NAV, your business automatically complies with many of the stipulations of the GDPR.

Further reading

Microsoft Dynamics NAV GDPR white paper

Microsoft Dynamics 365 and the GDPR

Contact us today if you require any further information on ensuring your Microsoft Dynamics NAV solution is GDPR compliant. Alternatively, if you’re using an older, no longer supported version of NAV, contact us to find out how our Fixed Price NAV Upgrade service could save you a substantial chunk of your upgrade budget.