
BroadPoint Technologies, LLC

The GDPR Journey: Data Discovery and Reporting Compliance Using Dynamics GP



Last year we introduced the General Data Protection Regulation (GDPR), a European Union (EU) law enforceable as of May 2018, and explained how its scope can have a significant impact on your business. At its core, the GDPR protects the personal data privacy of any individual residing within the EU. It also applies to companies registered outside the EU’s borders that collect, interact with, and manage the personal data of individuals living within the EU. As a result, GDPR will require you to assess and update personal privacy policies, implement or strengthen personal data protection controls and breach notification procedures, deploy highly transparent policies, and review your technology footprint and staff training.

Software alone cannot make your organization GDPR compliant. However, a large portion of compliance requires evaluating how your enterprise resource planning (ERP) application controls an individual’s personal data. In this second article of BroadPoint’s GDPR coverage series, you will learn how key features within Dynamics GP can be brought to bear on data discovery and reporting as you navigate your GDPR compliance journey.

GDPR Key Players

Before jumping into Dynamics GP’s functionality, it’s important to know the three primary GDPR players:

  • Data Controller is your company, or you, as the controller of data collected through direct employee interaction with “individuals” covered by the GDPR (customers, members, prospects, and vendors) or through a related business solution such as an e-commerce portal.
  • Data Processor is a managed service or hosting provider that will provision, control, and maintain the infrastructure holding and processing the data collected.
  • Data Subject identifies the individual or entity from whom you are collecting data for purposes of conducting a business transaction or event.

Discover: Consider the Dynamics GP Environment

If you have deployed Dynamics GP with the required Microsoft SQL Server internally (“on-prem”), you are, by default, the Data Controller and Data Processor. This environment simplifies your GDPR compliance assessment somewhat. If you have deployed your solution offsite in a hosting or Cloud facility, and you are not in complete control of that environment, you will need to evaluate the Data Processor’s role during your study.

Discover: Identify and Inventory Personal Data

The ability to clearly identify where you store personal data and to inventory data fields serves as a foundation for subsequent tasks and requirements under the GDPR. There are several ways to find personal data in your implementation of Dynamics GP. First, you can identify a transaction through the Dynamics GP user interface and print the record to hard copy or soft copy. This method is less likely to provide a suitable layout from a GDPR standpoint, but it is an option when you must provide insight into a specific record or transaction requested by a Data Subject. It also provides a way to correlate the personal data with the data fields and related tables.

Second, you can export a Data Subject’s information using the Dynamics GP SmartList inquiry capability. SmartList allows specific field and table metadata to be selected and printed—as an Excel-formatted file, for example. This inquiry can be saved and used multiple times when the same Data Subject requests information about records retained in Dynamics GP.

When using Dynamics GP SmartList, most personal data is likely, though not exclusively, to reside in one of the following “master” tables:

  • Customer
  • Vendor
  • Contact (when of type Person)
  • Employee
  • Salespeople/Purchaser
  • Resource (when of type Person)
  • User

Additionally, “transaction” tables will hold personal data such as:

  • Customer Sales Quote/Order Invoice and Cash Receipt Transactions
  • Vendor Purchase Orders/Receiving/Invoice and Payment Transactions
  • Employee Human Resource/Payroll Transactions

These listings help to narrow a personal data search, and the exact tables will depend on each Dynamics GP use case. Any additional products, when implemented, introduce supplementary data tables to consider during your assessment. It is your responsibility to ensure that personal and sensitive data are located, inventoried, and classified appropriately to meet your obligations under the GDPR.
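As an added example (not code from this article, from BroadPoint, or from Microsoft), the following Python script builds a personal-data inventory from the kind of per-table export that SmartList produces. The table and column names, the sample rows, and the classification rules are constructed assumptions for illustration, not Dynamics GP's real schema. It goes a little beyond the article's list: besides flagging columns by name, it checks values so that personal data stored under a non-obvious column name is still caught, and it records the Data Subject key columns that link transaction rows back to a master record.

```python
import re

# Constructed sample rows standing in for SmartList exports. Table and column
# names are assumptions for illustration, not Dynamics GP's real field names.
SAMPLE_EXPORTS = {
    "Customer": [
        {"CustomerID": "C0001", "CustomerName": "Jane Example",
         "EmailAddress": "jane@example.org", "Phone1": "+44 20 7946 0000",
         "CreditLimit": "5000.00"},
        {"CustomerID": "C0002", "CustomerName": "Acme Holdings Ltd",
         "EmailAddress": "ap@acme.example", "Phone1": "",
         "CreditLimit": "25000.00"},
    ],
    "SalesInvoice": [
        {"InvoiceNumber": "INV-1001", "CustomerID": "C0001",
         "ShipToAddress": "1 Sample Street, London", "Amount": "120.00"},
    ],
    "GLAccount": [
        {"AccountNumber": "1000-00", "Description": "Cash", "Balance": "1500.00"},
    ],
}

# Column-name hints, checked in order ("email" before "address" so that
# EmailAddress is not mislabelled as a postal address).
NAME_HINTS = [
    ("email", "Email address"),
    ("phone", "Telephone number"),
    ("address", "Postal address"),
    ("birth", "Date of birth"),
    ("name", "Name"),
]

# Value patterns catch personal data stored under a non-obvious column name.
# The phone pattern demands at least seven digits so that codes such as
# "1000-00" (a GL account number) are not mistaken for telephone numbers.
VALUE_PATTERNS = [
    ("Email address", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("Telephone number", re.compile(r"^\+?(?:[\s()-]*\d){7,}[\s()-]*$")),
]

# Key columns that tie any row back to a Data Subject's master record.
SUBJECT_KEYS = {"CustomerID", "VendorID", "EmployeeID"}


def classify_column(column, values):
    """Return the personal-data category for a column, or None."""
    if column in SUBJECT_KEYS:
        return "Data Subject identifier"
    lowered = column.lower()
    for hint, category in NAME_HINTS:
        if hint in lowered:
            return category
    non_empty = [v for v in values if v]
    for category, pattern in VALUE_PATTERNS:
        if non_empty and all(pattern.match(v) for v in non_empty):
            return category
    return None


def build_inventory(exports):
    """List (table, column, category) for every column holding personal data."""
    inventory = []
    for table, rows in exports.items():
        columns = {}
        for row in rows:
            for column, value in row.items():
                columns.setdefault(column, []).append(value)
        for column, values in columns.items():
            category = classify_column(column, values)
            if category is not None:
                inventory.append((table, column, category))
    return sorted(inventory)


if __name__ == "__main__":
    for table, column, category in build_inventory(SAMPLE_EXPORTS):
        print(f"{table:<14}{column:<16}{category}")
```

The output is the starting inventory for the assessment: every (table, column) pair that needs a classification, a retention decision, and an owner. Financial columns such as CreditLimit and Amount are left out, and a column whose values look like e-mail addresses or phone numbers is caught even when its name gives nothing away.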

Discover: Purge Records

One aspect of your GDPR assessment will include evaluating the length of time you retain records and, more importantly, responding to a Data Subject’s request to erase personal data. You must define how often you purge data from Dynamics GP and whether it will affect the master or transaction records.

As with most ERP solutions, business logic enforces the referential integrity of the records. For example, a Dynamics GP user cannot remove a customer record when certain circumstances exist, including unposted, open, or historical records. Unposted and open records imply you are actively working with the customer. In this instance, follow standard operating procedures to define which controls must be in place to restrict access to the personal data.

Although you can’t delete data that supports your financial transactions, if individuals request their personal data be erased, you can mask certain portions of their data. The Dynamics GP user interface makes this possible prior to posting a record but requires a modification to change a record after the fact.

Report: Maintain and report on audit trails

An important aspect of the GDPR is to maintain audit trails and other evidence that demonstrates accountability and compliance with its requirements. In Dynamics GP, you can track and record data changes within the application prior to posting. The data and operations that can be audited in Dynamics GP include:

  • The creation, modification, and deletion of records
  • The addition and deletion of users
  • The assignment of security roles

You can use logging and auditing tools in Dynamics GP to record and track high-level events associated with amending and erasing data, roles, and privileges. For more information, search for Logging Changes in Dynamics GP and Managing Users in Dynamics GP.
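The following Python program is an added example (not from this article, BroadPoint, or Microsoft) that works through the erasure and audit points of the two sections above on an in-memory SQLite stand-in for the Dynamics GP database. The table and column names, the sample rows, the transaction statuses, and the policy it applies are constructed assumptions: delete a master record that no transaction references, mask the personal fields (keeping the key and the financial fields) when only historical transactions reference it, and defer while unposted or open transactions show an active relationship. Every outcome is written to a hash-chained audit log so that later alteration of the log itself can be detected.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for the Dynamics GP database: table and column names are
# assumptions for illustration, not the real Dynamics GP schema.
SCHEMA = """
CREATE TABLE customer_master (customer_id TEXT PRIMARY KEY, customer_name TEXT,
    email TEXT, phone TEXT, address TEXT, credit_limit REAL);
CREATE TABLE sales_trx (document_no TEXT PRIMARY KEY, status TEXT NOT NULL,
    amount REAL NOT NULL,  -- status is UNPOSTED, OPEN or HISTORY
    customer_id TEXT NOT NULL REFERENCES customer_master(customer_id));
CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT, at TEXT,
    actor TEXT, action TEXT, table_name TEXT, record_key TEXT, detail TEXT,
    prev_hash TEXT, entry_hash TEXT);
"""
GENESIS = "0" * 64
ACTIVE_STATUSES = {"UNPOSTED", "OPEN"}


def connect():
    """Open an in-memory database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer_master VALUES (?,?,?,?,?,?)", [
        ("C0001", "Jane Example", "jane@example.org", "+44 20 7946 0000",
         "1 Sample Street, London", 5000.0),
        ("C0002", "Pat Prospect", "pat@example.net", "", "", 0.0),
        ("C0003", "Sam Former", "sam@example.com", "", "2 Sample St", 2500.0)])
    conn.executemany("INSERT INTO sales_trx VALUES (?,?,?,?)", [
        ("INV-1001", "HISTORY", 120.0, "C0001"), ("INV-1002", "OPEN", 80.0, "C0001"),
        ("INV-0900", "HISTORY", 300.0, "C0003")])
    conn.commit()
    return conn


def _entry_hash(fields):
    return hashlib.sha256(json.dumps(fields).encode()).hexdigest()


def write_audit(conn, actor, action, table, key, detail):
    """Append an audit entry whose hash covers the previous entry's hash."""
    row = conn.execute("SELECT entry_hash FROM audit_log ORDER BY seq DESC LIMIT 1").fetchone()
    fields = [datetime.now(timezone.utc).isoformat(), actor, action, table, key,
              detail, row[0] if row else GENESIS]
    conn.execute("INSERT INTO audit_log (at, actor, action, table_name, record_key,"
                 " detail, prev_hash, entry_hash) VALUES (?,?,?,?,?,?,?,?)",
                 (*fields, _entry_hash(fields)))


def verify_audit_chain(conn):
    """Recompute every hash; False if any entry was altered, removed or reordered."""
    prev = GENESIS
    for *fields, entry_hash in conn.execute(
            "SELECT at, actor, action, table_name, record_key, detail, prev_hash,"
            " entry_hash FROM audit_log ORDER BY seq"):
        if fields[-1] != prev or _entry_hash(fields) != entry_hash:
            return False
        prev = entry_hash
    return True


def pseudonym(customer_id):
    """Deterministic, non-reversible token that replaces the person's name."""
    return "ERASED-" + hashlib.sha256(customer_id.encode()).hexdigest()[:8].upper()


def handle_erasure_request(conn, customer_id, actor):
    """Assumed policy: delete when unreferenced, mask when only history refers
    to the record, defer while unposted or open transactions exist."""
    if not conn.execute("SELECT 1 FROM customer_master WHERE customer_id = ?",
                        (customer_id,)).fetchone():
        return "not_found"
    statuses = {s for (s,) in conn.execute(
        "SELECT DISTINCT status FROM sales_trx WHERE customer_id = ?", (customer_id,))}
    if statuses & ACTIVE_STATUSES:
        outcome, action = "deferred", "DEFER"
        detail = "active transactions: " + ",".join(sorted(statuses))
    elif statuses:
        # Financial records must survive, so only personal fields are overwritten;
        # customer_id (the foreign key) and credit_limit are left untouched.
        conn.execute("UPDATE customer_master SET customer_name = ?, email = '',"
                     " phone = '', address = '' WHERE customer_id = ?",
                     (pseudonym(customer_id), customer_id))
        outcome, action, detail = "masked", "MASK", "name/email/phone/address masked"
    else:
        conn.execute("DELETE FROM customer_master WHERE customer_id = ?", (customer_id,))
        outcome, action, detail = "deleted", "DELETE", "no referencing transactions"
    write_audit(conn, actor, action, "customer_master", customer_id, detail)
    conn.commit()
    return outcome


if __name__ == "__main__":
    db = connect()
    for cust in ("C0001", "C0002", "C0003"):
        print(cust, handle_erasure_request(db, cust, "dpo"))
    print("audit chain intact:", verify_audit_chain(db))
```

The UPDATE in the masked branch is the kind of after-the-fact modification the article refers to; on a real system it would run against the actual master table under your partner's guidance, and the hash-chained entries would complement, not replace, the change logging Dynamics GP already provides.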

Your Journey to GDPR Compliance

Microsoft publishes guides through its Service Trust Portal that demonstrate compliance with global standards and regulations, describe how software protects customer data, and provide guidance on managing Cloud data security and compliance using products such as Dynamics GP. Microsoft is updating its documentation to include detailed information on product functionality and controls, data protection impact assessments, audits, recordkeeping on processing, and information regarding sub-processors.

With this array of resources at your disposal, your organization must develop its own interpretation of how the GDPR applies to your business. Seek legal assistance as you deem appropriate and begin reviewing your privacy and data management practices now.

Contact BroadPoint today for consultation and training as you begin your journey to GDPR compliance.


This blog article is adapted from the Microsoft whitepaper, “Supporting Your EU GDPR Compliance Journey With Microsoft Dynamics GP.” Learn more and find additional resources in the Microsoft Trust Center.

By BroadPoint, a Gold-Certified Microsoft Dynamics Partner
