The General Data Protection Regulation will apply in the UK from 25 May 2018. This will not be affected by the UK’s decision to leave the EU.
The GDPR reflects technological changes in how data is gathered and used. It gives a far more detailed definition of personal data and introduces significant new requirements particularly relating to children’s data and the rights of individuals. Organisations need to be thinking now about how they are going to meet the new regulations and may need to seek further advice on what data they should be storing.
When looking at the question of how to store that data, one of the key things all organisations will require is a quality CRM system to securely manage data.
Microsoft Dynamics 365 can help you to comply
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority within 72 hours and, in some cases, to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those concerned directly.
Failure to notify a breach when required to do so can result in a significant fine up to €10m or 2% of your global turnover.
Given the 72-hour timescale and the severity of the penalties for missing it, it is important to have robust breach detection, investigation and internal reporting procedures in place.
Microsoft Dynamics 365 can help by providing data in a format that can be easily exported and used to provide the required overview data.
Privacy by Design
The GDPR calls for data protection to be built in from the outset of system design rather than added on afterwards. Data controllers should hold and process only the data strictly necessary to carry out their duties (data minimisation). Access to personal data should be limited to those who need it to carry out the processing.
The comprehensive security model within Microsoft Dynamics 365 allows you to secure data and grant each individual or team only the level of access to records that they require.
The GDPR introduces the principle of accountability. A key requirement is that data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. This also requires the maintenance of relevant documentation of processing activities.
Microsoft ensures this is met through the following:
· Unique user IDs and log-ons to access the system
· Ability to force re-authentication and/or auto log-off after set periods of time
· Security roles that can be used to limit access to specific data
· Hosting your system through a Microsoft UK data centre if required
· Providing daily backups to prevent accidental loss or destruction of data
· Audit history logging
· Activity scheduling to prompt review or deletion of unused personal data
· Reporting functionality
· Ability to extract statistical data without the personal data for reporting/dissemination
The GDPR gives individuals certain rights, including:
· the right to be informed;
· the right of access;
· the right to rectification;
· the right to erasure;
· the right to restrict processing;
· the right to data portability;
· the right to object; and
· the right not to be subject to automated decision-making including profiling.
Microsoft Dynamics 365 can help you meet these rights, in particular the following:
Right of Access
The GDPR has removed the right to charge a £10 fee for providing access to this data. It has also reduced the time allowed to provide this information to “without delay and at the latest within one month of receipt”. Organisations therefore need to make complying as quick and easy as possible.
The GDPR also introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.
Right to Rectification
The GDPR entitles individuals to have personal data rectified if it is inaccurate or incomplete. You must usually respond to such a request within one month.
Right to Erasure
The broad principle is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. The rules about when you are required to erase personal data are quite complex: they vary according to the lawful basis on which you are processing the data and are subject to various exemptions.
Right to Restrict Processing
Individuals have a right under the GDPR to block or suppress processing of personal data. When processing is restricted you can store the personal data but not process it further. You can retain just enough information about the individual to ensure that the restriction is respected in future.
Where data has been disclosed to third parties you must also inform them of any rectification/erasure/restriction where possible. You must also inform the individuals about the third parties to whom their data has been disclosed where appropriate.
Microsoft Dynamics 365 helps meet these requirements through:
· Clear contact records that can be easily edited, updated and deleted
· Storing all data about a contact against a unique contact record for ease of identification
· This can include a record of what has been done with that contact, i.e. where that data has been used or sent
· Universal search returning all records by keyword for ease of updating or deletion
· Ability to flag records, e.g. to prevent processing
· Marketing permission fields (allow bulk email, phone call, etc.)
· Portal functionality to allow external contacts to update their own details and marketing permissions
· Database-level encryption
Right to Data Portability
The GDPR entitles individuals to obtain and reuse their personal data for their own purposes across different services in certain circumstances. If required, you must provide the personal data, free of charge, in a structured, commonly used and machine-readable form such as CSV. You must usually respond without undue delay, and within one month.
Microsoft Dynamics 365 can help by exporting data quickly and easily into a variety of formats.
Under the GDPR you must identify a lawful basis for processing personal data and document it. If that lawful basis is consent, this has an impact on individuals’ rights, for example the right to have their data deleted.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action (a positive opt-in); consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions. You must provide simple ways for people to withdraw consent.
Microsoft Dynamics 365 can help with this through:
· Clear contact record that can be easily edited, updated and deleted
· Ability to store consent record against a contact
· Marketing preference fields that can be set to only permit allowed contact
· Activity scheduling to prompt requests for updated consent or automatic deletion of records
For more information on how ixRM can help you with a new and compliant system, contact us or request a free trial of Microsoft Dynamics 365.
More information on preparing for the GDPR is available on the ICO website.