GDPR, Dynamics NAV and how Microsoft is going to help with compliance

When the General Data Protection Regulation (GDPR) comes into force on the 25^th of May, everything – and nothing – will change. For the first time businesses will face truly punitive fines for failing to uphold their legal and moral duty to protect personal data belonging to their customers.

The panic caused by GDPR is best evidenced by the amount of re-registration emails currently pouring into your inbox. No one wants to be accused of not having secured permission before sending another newsletter or sales email. Much of the attention given to GDPR compliance has been in terms of preventing data loss and theft. CTOs have been beefing up security, and employees have been undergoing awareness training to stop criminals stealing data. But arguably, there is a more important exercise that needs to be done in readiness for GDPR compliance – discovering and classifying the data your business already holds.

Microsoft updates Dynamics NAV to assist with GDPR compliance

The latest update to the Dynamics NAV platform has been designed with exactly this task in mind. Once installed you will see that every table and field within the database has a new property called DataClassification. As the name suggests, the DataClassification tag allows you to classify the data type being stored in the field/table. There are seven possible values for the tag (you can find the full list on MSDN), which can then be used to define how that information is handled. In terms of tagging personal data, the most important values will be CustomerContent, EndUserIdentificationInformation and AccountData, each of which denote the kinds of personal data that the GDPR is concerned with. By default, all fields and tables will be tagged as CustomerContent once the latest Dynamics NAV updates have been applied.

Why does tagging matter?

Tagging fields and tables will not in itself make personal data any more secure – but it does provide a mechanism to begin implementing data handling rules that will. The tags can be used to control access to specific data types for instance, limiting permissions to only those users who actually need to see those details for instance. The DataClassification property is also available for use by your custom apps and extensions. In this way you can build GDPR-compliant services that respect privacy and prevent data being exposed inappropriately.

Pulling data out of Dynamics NAV

Another often over-looked factor of GDPR-compliance is the individual’s right to access the personal data your business stores. Your business must provide individuals with a full copy of their data upon submission of a “portability” request. Obviously the tagging process will help to locate this information (at least as far as Dynamics NAV is concerned), making it much easier to fulfil a request. However, the latest NAV updates also make the process of exporting data simpler too. Using the DataClassification property, the system will collate all the relevant records and data, and export them in a single Excel file. The file can then be converted into XML or CSV for maximum compatibility – and to ensure portability between systems.

It’s not too late to seek advice

The GDPR comes into force in a matter of weeks – but there is still time to get assistance with compliance. For more help and advice on securing Microsoft Dynamics NAV, or making use of the DataClassification property and export routines, please get in touch.