GDPR and Microsoft Dynamics 365: Understand your responsibilities

You may have heard the term GDPR bandied about lately. It's not a swear word abbreviation, nor is it some new cell phone app. GDPR is the new European Union (EU) General Data Protection Regulation that imposes new rules on organizations in the European Union, those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.

The regulations are in response to data breaches and the misuse of personal information. Specifically, they are focused on information related to personally identifiable data and include:

• user rights to access and correct personal data, including the right to be deleted
• organizational controls on data, including training and audit policies
• transparency policies on how the company collects, uses, and retains data
• significant fines for violations

The last item is a big one. Fines can be up to €20 million or 4% of a company's revenue, a number sure to get the attention of any CFO. In simple terms, assuming the recent Equifax breach would be only one major violation, 4% of 2016 revenue would be $125 million and reduce net income by more than 15%.

Microsoft is working to ensure their products are GDPR-ready. There is a particular emphasis on the entire line of Dynamics 365 products. For cloud-based solutions, complying with GDPR is a joint requirement between the cloud provider and the user company. Microsoft works to supply the appropriate data protection controls, including security and audit logs, but relying on Microsoft's controls alone to ensure compliance is not enough. Microsoft's responsibility here is to secure the data center. GDPR imposes requirements on organization controls, audits, and policies which live firmly with the company using ...