Dynamics 365
Microsoft Dynamics 365 (CRM) GDPR Compliance Management Solution Guide
Fullscope Solution Guide
The GDPR Compliance Management Solution gives you effective tools to manage your compliance with key
aspects of the General Data Protection Regulation (GDPR) approved by the EU Parliament in April of 2016
and enforceable starting May 25, 2018. These regulations affect all businesses holding information on citizens
of EU member states, not just companies based in those countries.
The solution extends relevant areas of Microsoft Dynamics 365 for Customer Engagement (formerly
Dynamics CRM) core functionality to facilitate management of consent and data requests in an end-to-end
process, storing an audit trail of key information and providing real-time reporting on compliance efforts.
1. Contacts begin submitting data requests as allowed by the GDPR—for example requests for information or requests for erasure—the tools in this solution guide the user through the steps of evaluating, researching, and finally complying with the request, storing a record of the actions in case of future audit.
2. The GDPR requires opt-in consent from contacts in order to retain and process their data—the tools in the solution can be easily integrated with outgoing email campaigns and/or a customer self-service portal to track both the initial and ongoing efforts to obtain consent, again keeping a record of contact interactions.
3. Customers wish to see what data you store on them—the solution allows integration with a Microsoft or third-party portal solution. This offers customers self-service of request creation, allowing some processes to be fully automated and reducing the burden of compliance.
Managing consent and data requests is only one part of complying with the GDPR. There are four major
pieces to the journey:
1. Data and readiness audit—one of the first things you need to do is audit your data and identify where
everything classified as personal data is stored. Microsoft has provided tools to assist, primarily the Azure
Data Catalog, for creating a registry of data sources, categorizing, tagging and so on.
2. Overall compliance strategy and planning—compliance implementation is a complex undertaking
with many discrete steps. Microsoft has released the Compliance Manager to facilitate this, which
supports GDPR as well as other standards and regulations. It is a planning, risk assessment, and reporting
tool to assist with implementing a compliance plan and reporting on progress. The tool identifies 61
customer-managed controls which must be implemented and provides status tracking, assignment to users, and
documentation tools.
3. Implementing the compliance plan—this is where Fullscope’s GDPR Management Solution enters the
picture with consent and request tracking. The solution provides tools to assist with addressing controls
identified by the Compliance Manager as A.7.1.3, A.7.1.4, A.7.2.4, A.7.1.7, A.7.2.5, A.7.2.8, and A.7.3.9.
4. Training—last, but of critical importance, is the initial and ongoing training of employees on what GDPR
means to them in their respective roles. Fullscope provides both generic GDPR informational content as
well as customized training materials tailored to your specific business needs. Contact your Fullscope
account manager for details.
The GDPR Compliance Management Solution installs just like any other solution for Microsoft Dynamics
CRM. To install the Solution:
1. Go to Settings > Solutions
2. Click on Import
3. Browse and Select Solution
4. Follow the Import Wizard Instructions
5. With a Successful Import, close the Import Solution Window
6. Open CRM Customizations and add entries to the sitemap as
desired—the key entities are GDPR Consent and GDPR Request.
You may wish to create a GDPR area as pictured below.
7. Save and Publish All Customizations
Dashboards
The GDPR Compliance Management Solution includes two dashboards, one covering consent and the other
requests, for tracking key metrics around volume of requests, compliance, response times, and efforts to
secure consent.
[Figures: Request Dashboard; Consent Dashboard]
Key Entity Changes
The solution includes two new entities to track GDPR related activity in a separate area, apart from other
customer service interactions.
GDPR Consent (custom entity)
The GDPR Consent entity tracks the status of contacts with respect to their consent for data retention and usage. It is a separate record rather than simply fields on the contact form to track changes over time—a contact could grant consent and then later revoke it. This approach records both incidents so the retention and use of data between the consent and revocation is explained.
The entity itself is simple—it links to the contact record, and also records the name and email separately in
case the contact is later erased.
Consent Status records the consent or revocation of consent, as well as optionally recording statuses such as
pending or no response.
Contact (system entity)
The main contact forms and views have not been modified, but a new form has been added specifically for
GDPR tracking.
This shows the current consent status, whether the data is currently restricted or under objection, and tables
of past consent changes and requests.
GDPR Request (custom entity)
The GDPR Request entity tracks current and past requests contacts have made under the GDPR. There are
five types—information, erasure, portability, objection, and rectification—which give contacts the right to
have their data deleted, corrected, removed from automated processing, provided to them, or provided to a
third party.
The GDPR Request form is governed by a business process that will guide the user through servicing the
request, first determining validity and, if valid, going through the necessary steps to comply with the request
type in question.
Once the request is resolved, the resolution section of the form allows recording of the resolution details as
well as the time to complete.
Business Process Flow
GDPR Request
The business process flow governing the GDPR request process is structured conditionally around six branches, one each for:
1. Invalid requests
2. Information requests
3. Erasure requests
4. Objections
5. Rectification requests, and
6. Portability requests
This is a framework which can and should be extended for each implementation to cover the steps specific to your business.
Workflow
GDPR: Log Consent Changes
To facilitate reporting on the current consent status of contacts while still retaining a log of all past states, a workflow pushes key data from the consent record back to the contact when one is created or changed, ensuring the fields on the contact remain accurate.
This can be expanded to encompass more granular consent as needed. (See below.)
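The consent log described under GDPR Consent and the "Log Consent Changes" workflow can be modelled in a few lines. This is an added example in plain Python, not the solution's own code or the Dynamics 365 API; the class names, field names, and status values are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class ConsentRecord:
    contact_id: str
    name: str             # snapshot kept in case the contact is later erased
    email: str            # snapshot kept in case the contact is later erased
    status: str           # hypothetical values: granted/revoked/pending/no response
    recorded_at: datetime

@dataclass
class Contact:
    contact_id: str
    name: str
    email: str
    consent_status: Optional[str] = None       # mirrored from the newest record
    consent_updated: Optional[datetime] = None

class ConsentLog:
    def __init__(self):
        self.contacts, self.records = {}, []

    def log_consent(self, contact_id, status, when):
        c = self.contacts[contact_id]
        self.records.append(ConsentRecord(contact_id, c.name, c.email, status, when))
        # Mirror only the newest state; a late-entered older record must not win.
        if c.consent_updated is None or when >= c.consent_updated:
            c.consent_status, c.consent_updated = status, when

    def history(self, email):
        return sorted((r for r in self.records if r.email == email),
                      key=lambda r: r.recorded_at)

    def consent_in_effect(self, email, at):
        # The latest record at or before `at` decides; no record means no consent.
        prior = [r for r in self.history(email) if r.recorded_at <= at]
        return bool(prior) and prior[-1].status == "granted"

def demo():
    # Constructed sample data, not taken from the guide.
    log = ConsentLog()
    log.contacts["c1"] = Contact("c1", "Ana Example", "ana@example.com")
    log.log_consent("c1", "granted", datetime(2018, 6, 1))
    log.log_consent("c1", "revoked", datetime(2018, 9, 1))
    log.log_consent("c1", "pending", datetime(2018, 5, 1))   # entered late
    current = log.contacts.pop("c1").consent_status          # contact erased
    return log, current
```

After the contact is erased, the history is still retrievable by the stored email, and `consent_in_effect` answers whether processing on a given date fell between a grant and the later revocation.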
GDPR: Invalid Request Notification (sample)
This is a simple sample workflow to demonstrate on-demand communication automation: in this case, if a request is determined to be invalid, it automatically sends an email explaining that and incorporating notes entered on the request form.
This is a sample workflow, to be adjusted as needed. The approach can be used for many automated communication instances—initial acknowledgement, as stages advance in the process, etc.
Q: Can the solution be installed in a customized, live system?
A: Yes, the solution affects accounts, contacts, and leads, but no changes have been made to the core
system forms, views, or charts. The solution is additive and will not overwrite existing customizations.
Q: Does the solution guarantee GDPR compliance?
A: No software tool can guarantee compliance, the determination of which is ultimately at the discretion of
the appropriate regulatory bodies, and the responsibility for which lies with the employees and management
of each company affected by these regulations. The tools in this solution are designed to assist management
and employees with implementing, carrying out, and monitoring business processes which are conducive to
compliance with the consent and request aspects of the GDPR, as well as storing data related to this for
reporting and audit purposes.
Q: Can I ask for consent for different, specific things?
A: Yes, consent tracking can be universal—a simple yes or no—or as granular as needed by simply adding
additional data points on the GDPR consent record and tying these to the relevant data collection method—
email campaigns, portals, etc.
Q: Can I integrate this solution with my existing email marketing/survey engine/portal?
A: Yes, although every third-party solution is different, any such tool which can be integrated with Microsoft
Dynamics 365 for Customer Engagement in general can be used to pull or push data to the GDPR related
entities.
Q: Can I set up a Microsoft customer self-service portal solution with this product?
A: Yes, the Microsoft portal technology supports exposing the GDPR entities for customer self-service.
Edgewater Fullscope delivers innovative Microsoft ERP, CRM, BI, web and portal solutions and services on premise or in the cloud to manufacturers, service companies and equipment dealers in North America and Europe. The award winning company enables you to achieve successful business outcomes and is one of the largest resellers of Microsoft Dynamics 365 (formerly Dynamics AX and CRM).