Microsoft Dynamics 365 (CRM) GDPR Compliance Management Solution Guide

Fullscope Solution Guide

Upload: lykiet

Post on 07-Aug-2019


The GDPR Compliance Management Solution gives you effective tools to manage your compliance with key aspects of the General Data Protection Regulation (GDPR) approved by the EU Parliament in April of 2016 and enforceable starting May 25, 2018. These regulations affect all businesses holding information on citizens of EU member states, not just companies based in those countries.

The solution extends relevant areas of Microsoft Dynamics 365 for Customer Engagement (formerly Dynamics CRM) core functionality to facilitate management of consent and data requests in an end-to-end process, storing an audit trail of key information and providing real-time reporting on compliance efforts.

Sample Use Cases

1. Contacts begin submitting data requests as allowed by the GDPR—for example, requests for information or requests for erasure—the tools in this solution guide the user through the steps of evaluating, researching, and finally complying with the request, storing a record of the actions in case of future audit.

2. The GDPR requires opt-in consent from contacts in order to retain and process their data—the tools in the solution can be easily integrated with outgoing email campaigns and/or a customer self-service portal to track both the initial and ongoing efforts to obtain consent, again keeping a record of contact interactions.

3. Customers wish to see what data you store on them—the solution allows integration with a Microsoft or third-party portal solution. This offers customers self-service request creation, allowing some processes to be fully automated and reducing the burden of compliance.

Where does this Solution Fit in the Big Picture?

Managing consent and data requests is only one part of complying with the GDPR. There are four major pieces to the journey:

1. Data and readiness audit—one of the first things you need to do is audit your data and identify where everything classified as personal data is stored. Microsoft has provided tools to assist, primarily the Azure Data Catalog, for creating a registry of data sources, categorizing, tagging and so on.

2. Overall compliance strategy and planning—compliance implementation is a complex undertaking with many discrete steps. Microsoft has released the Compliance Manager to facilitate this, which supports GDPR as well as other standards and regulations. It is a planning, risk assessment, and reporting tool to assist with implementing a compliance plan and reporting on progress. The tool identifies 61 customer-managed controls which must be implemented and provides status tracking, assignment to users, and documentation tools.

3. Implementing the compliance plan—this is where Fullscope’s GDPR Management Solution enters the picture with consent and request tracking. The solution provides tools to assist with addressing controls identified by the Compliance Manager as A.7.1.3, A.7.1.4, A.7.2.4, A.7.1.7, A.7.2.5, A.7.2.8, and A.7.3.9.

4. Training—last, but of critical importance, is the initial and ongoing training of employees on what GDPR means to them in their respective roles. Fullscope provides both generic GDPR informational content as well as customized training materials tailored to your specific business needs. Contact your Fullscope account manager for details.

Installing the Base Solution

The GDPR Compliance Management Solution installs just like any other solution for Microsoft Dynamics CRM. To install the Solution:

1. Go to Settings > Solutions

2. Click on Import

3. Browse and Select Solution

4. Follow the Import Wizard Instructions

5. With a Successful Import, close the Import Solution Window

6. Open CRM Customizations and add entries to the sitemap as desired—the key entities are GDPR Consent and GDPR Request. You may wish to create a GDPR area as pictured below.

7. Save and Publish All Customizations

Solution Components

Dashboards

The GDPR Compliance Management Solution includes two dashboards, one covering consent and the other requests, for tracking key metrics around volume of requests, compliance, response times, and efforts to secure consent.

[Figures: Request Dashboard; Consent Dashboard]

Key Entity Changes

The solution includes two new entities to track GDPR-related activity in a separate area, apart from other customer service interactions.

GDPR Consent (custom entity)

The GDPR Consent entity tracks the status of contacts with respect to their consent for data retention and usage. It is a separate record rather than simply fields on the contact form so that changes can be tracked over time—a contact could grant consent and then later revoke it. This approach records both incidents so the retention of data between the consent and revocation is explained.

The entity itself is simple—it links to the contact record, and also records the name and email separately in case the contact is later erased.

Consent Status records the consent or revocation of consent, as well as optionally recording statuses such as pending or no response.

Contact (system entity)

The main contact forms and views have not been modified, but a new form has been added specifically for GDPR tracking.

This shows the current consent status, whether the data is currently restricted or under objection, and tables of past consent changes and requests.

GDPR Request (custom entity)

The GDPR Request entity tracks current and past requests contacts have made under the GDPR. There are five types—information, erasure, portability, objection, and rectification—which give contacts the right to have their data deleted, corrected, removed from automated processing, provided to them, or provided to a third party.

The GDPR Request form is governed by a business process that will guide the user through servicing the request, first determining validity and, if valid, going through the necessary steps to comply with the request type in question.

Once the request is resolved, the resolution section of the form allows recording of the resolution details as well as the time to complete.

Business Process Flow

GDPR Request

The business process flow governing the GDPR request process is structured conditionally around six branches, one each for:

1. Invalid requests

2. Information requests

3. Erasure requests

4. Objections

5. Rectification requests, and

6. Portability requests

This is a framework which can and should be extended for each implementation to cover the steps specific to your business.

Workflow

GDPR: Log Consent Changes

To facilitate reporting on the current consent status of contacts while still retaining a log of all past states, a workflow pushes key data from the consent record back to the contact when one is created or changed, ensuring the fields on the contact remain accurate.

This can be expanded to encompass more granular consent as needed. (See the FAQs below.)
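The consent design described in this guide (a separate consent record per change, name and email copied onto it, and the current status pushed back to the contact) can be sketched as follows. This is an added illustration, not Fullscope's code or the Dynamics 365 workflow itself; `ConsentRecord`, `ConsentStore` and the rule that the newest timestamp wins are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)  # frozen: a logged consent event is never edited afterwards
class ConsentRecord:
    contact_id: str
    name: str            # snapshot copy, survives erasure of the contact
    email: str           # snapshot copy, survives erasure of the contact
    status: str          # "granted", "revoked", "pending" or "no response"
    recorded_at: datetime

class ConsentStore:
    """Hypothetical in-memory stand-in for the Contact and GDPR Consent entities."""

    def __init__(self):
        self.contacts = {}  # contact_id -> current contact fields
        self.log = []       # append-only consent history

    def add_contact(self, contact_id, name, email):
        self.contacts[contact_id] = {"name": name, "email": email, "consent_status": None}

    def record_consent(self, contact_id, status, recorded_at):
        contact = self.contacts[contact_id]
        self.log.append(ConsentRecord(contact_id, contact["name"], contact["email"],
                                      status, recorded_at))
        # Mirror of the "Log Consent Changes" idea: refresh the contact's current status.
        # Assumption of this example: the newest timestamp wins, not the last insert,
        # so a back-dated record imported late cannot overwrite a later revocation.
        self.contacts[contact_id]["consent_status"] = self.history(contact_id)[-1].status

    def history(self, contact_id):
        records = [r for r in self.log if r.contact_id == contact_id]
        return sorted(records, key=lambda r: r.recorded_at)

    def erase_contact(self, contact_id):
        # Erasure removes the contact; the consent log keeps its own name/email copy.
        del self.contacts[contact_id]

def demo():
    store = ConsentStore()
    store.add_contact("c-1", "Ana Example", "ana@example.test")  # constructed sample data
    store.record_consent("c-1", "granted", datetime(2018, 5, 25))
    store.record_consent("c-1", "revoked", datetime(2018, 9, 1))
    store.record_consent("c-1", "pending", datetime(2018, 5, 1))  # late, back-dated import
    current = store.contacts["c-1"]["consent_status"]
    store.erase_contact("c-1")
    return current, [(r.status, r.email) for r in store.history("c-1")]

if __name__ == "__main__":
    print(demo())
```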

GDPR: Invalid Request Notification (sample)

This is a simple, sample workflow to demonstrate on-demand communication automation: in this case, if a request is determined to be invalid, it automatically sends an email explaining that and incorporating notes entered on the request form.

This is a sample workflow, to be adjusted as needed. The approach can be used for many automated communication instances—initial acknowledgement, as stages advance in the process, etc.

FAQs

Q: Can the solution be installed in a customized, live system?

A: Yes, the solution affects accounts, contacts, and leads, but no changes have been made to the core system forms, views, or charts. The solution is additive and will not overwrite existing customizations.

Q: Does the solution guarantee GDPR compliance?

A: No software tool can guarantee compliance, the determination of which is ultimately at the discretion of the appropriate regulatory bodies, and the responsibility for which lies with the employees and management of each company affected by these regulations. The tools in this solution are designed to assist management and employees with implementing, carrying out, and monitoring business processes which are conducive to compliance with the consent and request aspects of the GDPR, as well as storing data related to this for reporting and audit purposes.

Q: Can I ask for consent for different, specific things?

A: Yes, consent tracking can be universal—a simple yes or no—or as granular as needed by simply adding additional data points on the GDPR consent record and tying these to the relevant data collection method—email campaigns, portals, etc.

Q: Can I integrate this solution with my existing email marketing/survey engine/portal?

A: Yes, although every third-party solution is different, any such tool which can be integrated with Microsoft Dynamics 365 for Customer Engagement in general can be used to pull or push data to the GDPR-related entities.

Q: Can I set up a Microsoft customer self-service portal solution with this product?

A: Yes, the Microsoft portal technology supports exposing the GDPR entities for customer self-service.


Edgewater Fullscope delivers innovative Microsoft ERP, CRM, BI, web and portal solutions and services on premise or in the cloud to manufacturers, service companies and equipment dealers in North America and Europe. The award winning company enables you to achieve successful business outcomes and is one of the largest resellers of Microsoft Dynamics 365 (formerly Dynamics AX and CRM).

Want to know more?

Schedule a GDPR Solutions assessment at (866) 420-7624 US or (0203) 608 1445 UK

How Edgewater Fullscope is Helping Customers