How GDPR Affects Your Microsoft Business Applications, Part One
GDPR: You’ve heard the four-letter word before. But do you know what the Regulation entails when it comes to your nonprofit’s data practices?
The purpose of this blog series is to provide you with a basic understanding of the GDPR and show you how your Microsoft business applications, such as Dynamics GP, can help you comply with GDPR guidelines.
This first article in the series will boost your awareness of the GDPR as you undergo an internal evaluation of its impact. We conclude with a multi-step approach suggested to enhance your data protection capabilities while complying with the Regulation’s standards.
GDPR: An overview
GDPR, which stands for General Data Protection Regulation, was established to protect and enable the privacy rights of individuals. It prescribes strict requirements governing how organizations manage and protect personal data while respecting individual choice. It imposes new rules on organizations established in the European Union (EU) and on organizations – wherever they are located – that offer goods and services to people in the EU or that monitor the behavior of people that takes place in the EU.
Among the key elements of the GDPR are the following:
Enhanced personal privacy rights – Provides better data protection for individuals within the EU by ensuring they have the right to access their personal data, correct inaccuracies in that data, have their personal data erased upon request, object to the processing of their personal data, and move their personal data.
Increased duty for protecting personal data – Reinforces accountability of companies and public organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
Mandatory personal data breach reporting – Requires companies to report personal data breaches to their supervisory authorities without undue delay.
Significant penalties for non-compliance – Applies steep sanctions, including substantial fines, that are applicable whether an organization has intentionally or inadvertently failed to comply.
Key GDPR compliance roles and definitions
There are specific roles defined by the GDPR that are important to keep in mind as you look at your compliance efforts.
Data Subject – An individual whose personal data is in the possession of the organization.
Data Controller – The representative of the organization who is in control of the business applications, processors, processes, and procedures related to the data subject.
Data Processor – Either a direct employee of the organization or a sub-contracted resource who will have access to the data subject’s personal information.
In addition to understanding the above roles, you will need to differentiate between personal and sensitive data and how each type is created, processed, managed, and stored.
Personal data includes any direct or indirect information related to a subject. Direct data could be the subject’s name, address, or company relationship; indirect data connects another individual back to the subject.
Sensitive data are special categories of personal data that are afforded enhanced protections and generally require a subject’s explicit consent where these data are to be processed. Examples include name, identification number, location information, and online identifier (such as email address or device ID).
Beginning the journey to GDPR compliance
As you might anticipate, the GDPR can have a significant impact on your business. We recommend that you begin your journey to GDPR compliance by focusing on four key steps:
Identify what personal data you have and where it resides.
Govern how personal data is used and accessed.
Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
Execute on data requests, report data breaches, and keep required documentation.
The above process may illuminate necessary changes to be made within your organization. These modifications could include:
Updating personal privacy policies
Implementing or strengthening personal data protection controls and breach notification procedures
Employing highly transparent policies
Designing new standard operating procedures (SOPs)
Investing in IT and training
The remaining blog articles in this series will explore the approaches, recommended practices, and techniques involved in the above steps, to support your ongoing GDPR compliance journey. In the meantime, we recommend you review your privacy and data management practices to prepare yourself for the journey ahead.
This blog article is adapted from the Microsoft whitepaper, “Supporting Your EU GDPR Compliance Journey With Microsoft Dynamics GP.” Learn more and find additional resources in the Microsoft Trust Center.
BroadPoint is an award-winning business and technology consulting firm dedicated to helping nonprofits and commercial companies solve complex business problems. Since 2001, our team of passionate, seasoned consultants has been focused on one thing: helping our clients meet their goals by designing and implementing great technology solutions.
As one of the top Microsoft Gold-Certified ERP and CRM partners in the U.S., we have hundreds of clients across the country that trust our team of experienced CPAs, MBAs, PMI-certified project managers, technology experts and service professionals.