GDPR – What will the changes mean to you?

GDPR will bring the biggest change to Data Protection in twenty years.

As a Microsoft Dynamics NAV/Business Central/365 supplier we have paid close attention to this regulation, and how it is likely to affect our customers.

Internally, our ISO 27001 certification gives us a solid foundation as the regulation comes into force.

While no single action will make you compliant with GDPR, it will require your organisation as a whole to be mindful of the directives and act on them. We have developed a GDPR tool that enhances our NAV system to automate some of the requirements.

At TES we try to be environmentally conscious, so we will not print the GDPR out: it runs to 99 articles and 173 preliminary comments. This blog aims to answer the complex question ‘what will the GDPR mean to me?’

Firstly, change. The GDPR will bring change, and with it an opportunity to commence some serious data hygiene. Bringing data hygiene to the forefront of your organisation's mind will pay dividends in long-term success. With continued data leaks, hacking and the public's loss of trust in how their data is handled, now is the time to take advantage of this requirement and really clean up your data house.

>> Register for our GDPR Tool webinar here <<

Below are extracts from the directives with which our GDPR tool will support your compliance.

1. Right to erasure (‘right to be forgotten’).

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and you as the controller shall have to erase personal data where one of the following grounds applies:

a.     the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b.     the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;

c.     the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);

d.     the personal data have been unlawfully processed;

e.     the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f.     the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1).

This may be a time-consuming process, and you will need resources to be able to meet this requirement, as it states there must not be ‘undue delay.’ You will also be required to evidence a process by which you are able to meet this requirement. Our GDPR tool will not only provide a function to anonymise the data, but the framework it sits in will validate your compliance.


2. Right to object.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

a.     Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

b.     Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

c.     At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

d.     In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

e.     Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Following on from the previous directive, this reinforces the GDPR and its ambition of giving control of data back to the individual. If a data subject objects to your organisation holding their data, to direct marketing, or to profiling, our GDPR function will pull their data from your system and delete it, in turn complying with their right to object.

Another directive we feel we need to make our customers aware of:

Responsibility of the controller directive:

1.     Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2.     Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3.     Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

There are amendments in your Microsoft Dynamics NAV system to enhance your compliance with this directive; a demonstration of these will be given in our GDPR Tool webinar. The change log will produce an audit trail which demonstrates who changed data and when. There are also security enhancements to safeguard your data and ensure that only people who need access have it.


Data Portability.

‘Data subjects’ can demand a copy of the data held on them (‘data portability’), ask for information to be corrected (‘right to rectification’) and also request that it be deleted (‘right to be forgotten’). Our GDPR tool provides the reports and functions to do all of these jobs.

The GDPR states that data protection is ‘by design and by default’. Your NAV system can be configured in a variety of ways that meet the requirements of this directive. The features include a wide range of technical measures to ensure there are appropriate organisational measures to protect data when it is processed. Coupled with the security benefits of Microsoft Dynamics NAV in the cloud, TES and our GDPR Tool are a strong and secure foundation on which to commence your GDPR compliance.

Our GDPR Tool will be showcased by Dr Chris Wilson on Thursday the 19th of April at 14:00 – 14:30. If you would like to register, click here.