Dynamics 365 Finance GDPR Compliance

Category: Stories Post Date: 15.06.2020

Microsoft always tends to take an additional step when introducing security measures into its corporate software products. Yet the introduction of a new legislative norm in the European Union aimed at ensuring maximum security of its citizens’ personal data – GDPR (General Data Protection Regulation) – raised some additional concerns. In this article, we highlight the measures and tools that Microsoft has created to help users establish Dynamics 365 GDPR compliance in particular, and to secure user data in general.

This post serves as an extension to our series of posts dedicated to MS Dynamics Security.

Why Is the Reliability of Cloud Data Storage Critical Today?

Cloud services have become so popular that they attract a lot of attention from cybercriminals. Between January 1, 2005, and April 18, 2018, there were 8,854 recorded breaches on cloud data storage services. In fact, data from more than 4 billion user accounts was exposed in the first half of 2019 alone. Is it any wonder that user confidence in cloud services has been in decline recently?

Therefore, when in 2016 the heads of the European Union announced the upcoming update in the regulations regarding access to sensitive user data, Microsoft immediately began to prepare, strengthening the existing perimeter security mechanisms of the Azure cloud platform and making the platform’s services and software products GDPR compliant.

Below we will talk about the specifics of the security mechanisms in Azure (a key component of most of Microsoft’s business solutions, including Dynamics 365) and how Microsoft GDPR policies apply to them.

Microsoft Azure Security as the Foundation for Dynamics 365 Finance and Operations GDPR Compliance

All solutions from the Microsoft Dynamics 365 package may be directly integrated with Microsoft Azure cloud services, as well as with the Microsoft Cyber Defense Operations Centre, which is responsible for network security and threat control.

Any responsible entrepreneur wants maximum confidence in the reliability and security of the services they use and expects those services to comply with all GDPR requirements. Below we will try to address the main doubts regarding Dynamics 365 compliance.

Data transfer safety and encryption

Microsoft infrastructure uses TLS/SSL-protected protocols to send information in any direction, and all stored data is encrypted using a wide range of algorithms, up to AES-256. Thus, even if an attacker intercepts a transfer or gains access to storage devices in the data center (which is unlikely, given the incredibly stringent on-site security measures), the intercepted data will be unreadable and thus unusable.

SSL/TLS user certificates used to establish secure channels to Azure resources are encrypted with the AES-256 algorithm and stored in Microsoft Azure Key Vault, which is equipped with FIPS 140-2 Level 2 cryptographic modules.

Also, Azure VPN Gateway allows for configuring the connection to your resources through IPsec tunnels and distributing them into virtual networks with varying topology, infrastructure elements, and access levels.

User access rights delimitation

To authenticate a specific user to Azure, two-step authentication can be used (a login/password combination, confirmed from a trusted device or by biometric data).

To help enforce GDPR in Dynamics 365 Operations, administrators of the deployed corporate package can assign access rights to various groups and specific users, giving them access only to the specific data and services needed for their work tasks.

Note also that, in full compliance with GDPR for Dynamics 365, access rights to sensitive information (objects, reports, documents, database fields, etc.) that allows other users to uniquely identify a person or company may be further limited.

Stored data ownership

Despite your data formally being stored on Microsoft’s physical servers, only employees of your company who have the appropriate access rights may retrieve it.

Microsoft data centers are regularly audited for compliance with ISO 27001 and ISO 27018:2019.

Due to this, Microsoft customers have:

  • Confidence in the maximum possible safety of their data;
  • Knowledge of the physical position of the data center in which their data is stored;
  • Assurance that their information will not be used for marketing purposes or transferred to third parties (except when access to such data is required to solve any problems, made possible by the direct consent of the client);
  • Assurance that government bodies can obtain access to corporate information only with a court order and with mandatory prior notification of the client;
  • The ability to view, correct, export, and delete any personal or otherwise sensitive data.

Thus, the only actual owner of the data stored in the cloud is the customer. If at any time they decide to move from the Microsoft platform to any other, they can be sure that Microsoft will not use their information for any purpose.

Security standards

Microsoft Dynamics 365 GDPR compliance is ensured by strictly enforced end-to-end security policies, in particular by adherence to numerous industry standards and legislation, such as:

Microsoft Dynamics 365 GDPR Compliance Features

Under the GDPR, corporations that serve European companies and citizens are required, upon request, to provide copies of their data, as well as to inform requesters of the likelihood of third parties processing this data. This applies to each entity that uses personal data in the framework of its business activities.

In turn, Microsoft cloud services (along with administrative access tools) enable owners of corporations working with Microsoft Dynamics 365 solutions to safely handle the personal data they hold. In particular, they get the opportunity to search, adjust, restrict, delete, and export sensitive information (of course, upon the direct consent from the entity). All these operations can be carried out within the Azure cloud platform.

Functions that enable Dynamics 365 Finance and Operations GDPR compliance:

  • Search functions that allow for discovering GDPR-relevant data in your storage:
    • Quick search;
    • Advanced search;
    • Relevance search;
    • Person search;
    • Wide filtering capabilities;
  • Data management capabilities:
    • Custom privacy notifications;
    • System for requesting and applying personal data processing agreements;
    • Asset Classification property of table fields’ metadata (allows for designating fields that contain sensitive data);
    • Correcting tools;
    • Tools for exporting or migrating data;
  • Security functions:
    • Wide capabilities to delimit the access to sensitive data by your employees;
    • Sensitive data access auditing and reporting.


The safety of commercial information has been a key element and reference point in many types of business since the appearance of commerce itself. Therefore, it is natural that companies try to provide maximum protection for their customers. This goal is fully achievable with Microsoft Dynamics 365.

If you want to enhance your business processes with the help of Microsoft Dynamics 365 for Finance and Operations ERP and/or customize its modules to meet the specific needs of your business, get in touch with us today! Likewise, feel free to reach out if you have any questions regarding Dynamics AX – our industry experts are always ready to help.
