With GDPR (General Data Protection Regulation) legislation coming into effect in May this year, all companies who either operate within or offer goods/services to individuals in the EU will be required to comply with GDPR.
So, what does this mean for you as an organisation and a Dynamics NAV user? In simple terms, it means all of us need to review how we hold and use PII (Personally Identifiable Information) and take steps to show that we are adhering to the data protection principles. The steps don’t just apply to data held within your ERP systems but all data, be it paper-based or electronic.
All of us will fall into one of two categories:
1) Data Controller – a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the way in which, any personal data is or will be processed. A Data Controller must be a “person” recognised in law, that is to say:
2) Data Processor – a person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
For example: an organisation engages a company which provides business services to administer its employee payroll function. The organisation also engages a marketing company to carry out a satisfaction survey of its existing customers. The business services company will need information about the organisation’s employees, and the marketing company will need information about its customers. Both companies will be processing the information on behalf of the organisation, and so they are both data processors. However, they will also be processing personal data about their own employees and, in respect of that personal data, they will be data controllers.
Once you have established whether you are a Data Controller, a Data Processor or both, the first step to GDPR compliance is knowing where all your PII data is!
How can we help?
Identifying what you have and where it is forms the very foundation of GDPR compliance. The Data Inventory Library in our GDPR product provides a place where we can identify PII data within standard NAV tables. It also allows you to record any customised PII data sources that have been added to your NAV solution.
As well as recording data held within NAV, the Data Inventory Library allows you to record other digital sources (e.g. a spreadsheet containing customer data) together with where they are held, and any non-digital records you hold, such as customer files and where they are located.
Once you have identified the data sources, you need to identify and record the Data Subjects; these are not the individual records but the type of record. Data Subjects are then grouped by type, e.g. Customer, Vendor, Employee etc. Each Data Subject will also have a Lawful Basis Code assigned to it.
For data stored in standard Dynamics NAV tables we have the ability to pre-load the Data Inventory Library.
Lawful Basis Codes
Lawful Basis Codes define the reason you are holding that data for processing. The lawful basis reasons are defined by the GDPR. They are as follows:
Rights of Individuals
One of the primary goals of GDPR is to empower individuals to take back control of their personal data. The legislation aims to ensure that individuals have a range of rights regarding their data; these include:
The right to be informed – The individual may request information on how their data is being used by your organisation. This information must be provided free of charge and must be concise, intelligible and easily accessible.
The right of access – The individual has the right to obtain confirmation of whether their personal data is being processed and where it is, and to access that data together with the following information:
The right of rectification – An individual can ask for incorrect data to be rectified, or incomplete data to be completed, without undue delay.
The right to erasure – In this case the individual doesn’t have an absolute right to be forgotten, but an individual does have the right to have their personal data erased, and the right to prevent the processing of that data, in certain circumstances, those being:
Our GDPR Cloud product provides a centralised place for organisations to log all requests, including their outcome and timings. In addition, the product allows searching of your Dynamics NAV system for specific PII data, which is then attached to the request.
Under the GDPR right to erasure, organisations have a duty to erase personal data that is no longer necessary. Because erasing records outright would cause data integrity issues in NAV, we provide tools that allow this data to be obfuscated once a right-to-erasure request has been validated.
We deliver nHanced GDPR as a cloud-based service held securely in Microsoft Azure. This approach minimises the modified objects needed in your existing NAV system, while providing full visibility and the ability to report against the GDPR logs. This product is compatible with NAV 2009 R2 executables and all NAV versions following NAV 2009 R2. It consumes a full concurrent NAV licence at the point at which it requests data.
Over the next few months we will introduce additional features to help you with your GDPR compliance, as well as FREE training (both online and classroom-based training hosted at our Newbury and Stockport offices) and videos to help you get the most out of the GDPR product.
So, to be fully compliant with GDPR you need to record an inventory of your GDPR-relevant data. Your business will hold a lot of information in Dynamics NAV, but it will also have information held in other databases and programs, in SharePoint, in Excel spreadsheets and in paper files. Ensure that you document what personal data you hold, where it came from, what it is for and who you share it with.