Last year we introduced the General Data Protection Regulation (GDPR), a European Union (EU) law enforceable as of May 2018,
Software alone cannot make your organization GDPR compliant. However, a large portion of compliance requires evaluating how your enterprise resource planning (ERP) application controls an individual’s personal data. In this second article of
GDPR Key Players
Before jumping into Dynamics GP’s functionality, it’s important to know the three primary GDPR players:
- Data Controller defines your company or you as the controller of data collected through direct employee interaction with “individuals” covered by the GDPR (customers, members, prospects, and vendors) or through a related business solution such as an e-commerce portal.
- Data Processor is a managed service or hosting provider that will provision, control, and maintain the infrastructure holding and processing the data collected.
- Data Subject identifies the individual or entity from whom you are collecting data for purposes of conducting a business transaction or event.
Discover: Consider the Dynamics GP Environment
If you have deployed Dynamics GP with the required Microsoft SQL Server internally (“on-prem”), you are, by default, the Data Controller and Data Processor. This environment simplifies your GDPR compliance assessment somewhat. If you have deployed your solution offsite in a hosting or Cloud facility, and you are not in complete control of that environment, you will need to evaluate the Data Processor’s role during your study.
Discover: Identify and Inventory Personal Data
The ability to clearly identify where you store personal data and inventory data fields can serve as a foundation for subsequent tasks and requirements under the GDPR. There are several ways to find personal data in your implementation of Dynamics GP. First, you can identify a transaction through the Dynamics GP user interface and print the record to hard copy or soft copy. This method is less likely to provide a suitable layout per a GDPR standpoint but is an option when you must provide insight into a specific record or transaction as requested by a Data Subject. This also will provide a way to correlate the personal data to the data fields and related tables.
Second, you can export a Data Subject’s information using the Dynamics GP SmartList inquiry capability. SmartList allows specific field and table metadata to be selected and printed—as an Excel-formatted file, for example. This inquiry can be saved and used multiple times when the same Data Subject requests information about records retained in Dynamics GP.
When using Dynamics GP SmartList, most personal data is likely, but not exclusively, residing in one of the following “master” tables:
- Contact (when of type Person)
- Resource (when of type Person)
Additionally, “transaction” tables will hold personal data such as:
- Customer Sales Quote/Order Invoice and Cash Receipt Transactions
- Vendor Purchase Orders/Receiving/Invoice and Payment Transactions
- Employee Human Resource/Payroll Transactions
These listings help to narrow a personal data search, and the exact tables will depend on each Dynamics GP use case. Any additional products, when implemented, introduce supplementary data tables to consider during your assessment. It is your responsibility to ensure that personal and sensitive data are located, inventoried, and classified appropriately to meet your obligations under the GDPR.
Discover: Purge Records
One aspect of your GDPR assessment will include evaluating the length of time you retain records and, more importantly, responding to a Data Subject’s request to erase personal data. You must define how often you purge data from Dynamics GP and whether it will affect the master or transaction records.
As with most ERP solutions, business logic creates the referential integrity of the records. For example, a Dynamics GP user cannot remove a customer record when certain circumstances exist, including unposted, open, or historical records. Unposted and open records imply you are actively working with the customer. In this instance, follow standard operating procedures to define which controls must be in place to restrict access to the personal data.
Although you can’t delete data that supports your financial transactions, if individuals request their personal data be erased, you can mask certain portions of their data. The Dynamics GP user interface makes this possible prior to posting a record but requires a modification to change a record after the fact.
Report: Maintain and report on audit trails
An important aspect of the GDPR is to maintain audit trails and other evidence that demonstrates accountability and compliance with its requirements. In Dynamics GP, you can track and record data changes within the application prior to posting. The data and operations that can be audited in Dynamics GP include:
- The creation, modification, and deletion of records
- The addition and deletion of users
- The assignment of security roles
You can use logging and auditing tools in Dynamics GP to record and track high-level events associated with amending and erasing data, roles, and privileges. For more information, search for Logging Changes in Dynamics GP and Managing Users in Dynamics GP.
Microsoft publishes guides through its
With this array of resources at your disposal, your organization must develop its own interpretation of how the GDPR applies to your business. Seek legal assistance as you deem appropriate and begin reviewing your privacy and data management practices now.
This blog article is adapted from the Microsoft whitepaper, “Supporting Your EU GDPR Compliance Journey With Microsoft Dynamics GP.” Learn more and find additional resources in the