Dynamic Communities Magazine

Dynamic Communities creates technology-centric communities to exchange ideas on how to best maximize industry knowledge through user-produced education, enriched networking, and conference attendance.

GDPR: Strategies for Microsoft NAV and SQL Server

05-04-2020 18:10 Roberto Stefanetti Dynamics 365 BC | NAV

This article introduces several strategies for configuring Microsoft Dynamics NAV and SQL Server to comply with the European Union's General Data Protection Regulation.

Originally published in H1 2018 BCUG/NAVUG Magazine

The General Data Protection Regulation (GDPR) deadline is approaching...it’s only a few days away! I want to talk about GDPR strategies for Microsoft Dynamics NAV and SQL Server. GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data.

Why GDPR is Necessary in EU
The EU's new regulation on data protection will become fully applicable on May 25, 2018, and, unlike the so-called “Cookie Law” of 2014, requires companies to develop careful and timely adjustment plans. In fact, some of the innovations it introduces call for careful planning, both in terms of company organization and in terms of technological investment. The EU’s aim is to strengthen the protection of the personal data of EU citizens in the face of the much more tangible risks of a rapidly evolving digital world (think of social media, the Internet of Things, the management of big data, and so on).

 

Figure 1-12

Main Concepts/Rules of GDPR
New technologies and the globalization of information require global protection of information; information sharing is now global, and data must be protected. It is necessary to define clear, immediately applicable rules for all members of the EU.

GDPR introduces these main concepts:

  • Principle of accountability, Privacy by Design and by Default, and the introduction of the Data Protection Officer (DPO). GDPR is only for business, not for domestic and personal use.
  • What processing of personal data should I handle?
      • Online Contact Forms, Newsletters, Cookies, Shopping Carts, Emails, etc.
      • On-Premises Video Surveillance, Payrolls, Curricula, External Consulting, etc.

Three Main Pillars Will Change
The new elements introduced by the new regulation on data protection are numerous, but let’s identify the three fundamental pillars on the protection of users’ privacy and data collection:

  • The right to erasure. The user has the right to obtain the cancellation of their personal data. It is basically the possibility for the user to withdraw consent to the processing of their data. What changes for you? In this case, you will have to completely delete the data you have stored.
  • The right to data portability. This point of the GDPR guarantees the user the possibility to download their data and transfer it elsewhere. In other words, the data subject will have the right to receive the data previously provided to a data controller and to have that data transmitted to another data controller.
  • The right of access. After May 25, 2018, you will have to be completely transparent about why and how you will use the personal data of the Users you are collecting. With the introduction of the record of processing activities, you will have to specify the purposes for which you are processing the data, the categories of personal data and data subjects, and the technical and organizational security measures that you have adopted.

About Data Breaches
It will also be necessary to have a procedure to inform Users of any data breaches. In this regard, we have two recommendations: make sure that the message reaches the User as soon as possible, and keep them informed about the plug-ins on which you can rely to comply with this part of the regulation.

For a Good GDPR Compliance
One of the key aims of GDPR is to empower individuals and give them control over their personal data. To achieve good GDPR compliance, we need features that satisfy at least these GDPR articles and topics:

  • Personal/sensitive data discovery
  • The right to be informed (Articles 12, 13, 14)
  • The right of access (Article 15)
  • The right to rectification (Article 16)
  • The right to erasure (Article 17)
  • The right to restrict processing (Articles 18, 19)
  • The right to data portability (Article 20)
  • Data encryption and destruction (automated)
  • GDPR activities logging

For those who do not comply with the regulations, there are heavy sanctions. Furthermore, the monitoring of compliance with the regulations set by GDPR will be very rigorous: Each member state will have a competent authority that will manage GDPR compliance through web audits and will have the possibility to issue penalties on its own. The text of GDPR reverses the perspective of privacy: The regulation, in fact, is based on the duties and accountability of the owner of the processing of personal data, while the previous legislation was based on the rights of the data subject.

GDPR: A Data Perspective
Both Microsoft Dynamics NAV and SQL Server will support GDPR, with different modes, depending on the product. The Microsoft Dynamics NAV User will prefer to manage everything from Microsoft Dynamics NAV, but it may be useful to be able to use both systems in order to secure even the non-Microsoft Dynamics NAV databases. What should I protect? What data are we referring to?

  • Name and surname
  • Numbers and identification codes (Tax ID number, health card number, etc.)
  • Email address
  • Nicknames used online
  • Information relating to the physical, physiological, or genetic sphere
  • Medical information
  • Information on the geographical location
  • Bank information
  • Income
  • Cultural and religious profile
  • IP addresses, cookies

And any other information that can help us to identify, directly or indirectly, an individual.

What are the databases and applications that are present in the company and that can contain personal data?

  • ERP, payroll management, sales force automation, CRM, email, e-commerce portal (B2C, B2B)
  • Excel sheets on file system (this is often forgotten)
  • Other databases built with personal database systems (Microsoft Access and others)

Main Processes (for Data)
Discover and Classify
Locate and classify all systems that store data; take an inventory of personal and sensitive data. Identify the data access requirements of Users and applications. Identify potential risks.

We must be ready to answer questions such as:

  • Which servers and/or databases contain personal data?
  • Which fields or records in my tables contain this data?
  • Where does the data go once it leaves the database?
  • Who has access to which data elements in my system?
  • Do I need to keep this information all this time?
  • Which elements and configurations of my database management system (DBMS) can be achieved?

Object Map (Data Flow)
Create a summary map of the identified objects and the logical relationships that bind them (data flow).

Present the data in a matrix with two dimensions: data category and sensitivity level. Create a map that displays potential access to the various identified resources. Collecting and classifying this information brings the indirect benefit of limiting subsequent management activities to the identified context only.

Personal Data Identification
To identify personal data, query the metadata (sys.columns) and analyze column names for signs of personal information (date of birth, first name, fiscal code, ID, etc.). Columns that contain personal data can be “tagged” using extended properties, which can be attached at different levels of the SQL Server object structure. Full-text search can be used to look for keywords in text fields.
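The discover-and-tag workflow described above, as an added T-SQL example that is not part of the original article. The table dbo.DemoContact, the keyword list, and the property name GDPR_Classification are assumptions made for illustration.

```sql
-- Constructed demo table (not a NAV object) so the queries return something.
CREATE TABLE dbo.DemoContact (
    ContactNo   int           NOT NULL PRIMARY KEY,
    FirstName   nvarchar(50)  NOT NULL,
    Surname     nvarchar(50)  NOT NULL,
    BirthDate   date          NULL,
    EMail       nvarchar(80)  NULL,
    CreditLimit decimal(18,2) NULL
);
GO

-- 1) Discover: list columns whose names match a keyword list.
--    The keywords are assumptions; extend them for your schema and language.
SELECT s.name AS schema_name, t.name AS table_name,
       c.name AS column_name, ty.name AS data_type
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id     = c.object_id
JOIN sys.schemas AS s  ON s.schema_id     = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
WHERE EXISTS (SELECT 1
              FROM (VALUES (N'%name%'), (N'%birth%'), (N'%mail%'),
                           (N'%phone%'), (N'%fiscal%'), (N'%address%')) AS k(pattern)
              WHERE LOWER(c.name) LIKE k.pattern)
ORDER BY schema_name, table_name, c.column_id;

-- 2) Classify: tag a reviewed column with an extended property.
--    GDPR_Classification is a hypothetical naming convention.
EXEC sys.sp_addextendedproperty
     @name = N'GDPR_Classification', @value = N'Personal',
     @level0type = N'SCHEMA', @level0name = N'dbo',
     @level1type = N'TABLE',  @level1name = N'DemoContact',
     @level2type = N'COLUMN', @level2name = N'EMail';

-- 3) Inventory: report every tagged column. Name matches from step 1 that
--    do not appear here have not been reviewed and classified yet.
SELECT OBJECT_SCHEMA_NAME(ep.major_id)  AS schema_name,
       OBJECT_NAME(ep.major_id)         AS table_name,
       c.name                           AS column_name,
       CAST(ep.value AS nvarchar(100))  AS classification
FROM sys.extended_properties AS ep
JOIN sys.columns AS c
  ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
WHERE ep.class = 1                      -- object or column level
  AND ep.minor_id > 0                   -- column-level properties only
  AND ep.name = N'GDPR_Classification';
```

Name matching only produces candidates: a column called Description or Comment can hold personal data without matching any keyword, which is where the full-text search mentioned above comes in.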

Data Masking
Data masking limits the exposure of sensitive data by masking it from unauthorized Users or applications. The DBA can select the columns within tables that contain information to be protected and masked, and can define which Users have privileges to access the information in clear text.

Data protection is performed by the database engine and runs “on the fly” with minimal performance impact. The data stored in the tables remains in clear text. The application does not need to be modified in any way to exploit this functionality.
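An added T-SQL example of the masking behaviour described above, using SQL Server Dynamic Data Masking (SQL Server 2016 or later); it is not code from the original article. The table dbo.DemoCustomer, its rows, and the users ReportReader and DpoUser are constructed for illustration.

```sql
-- Constructed demo table and data (not a NAV object).
CREATE TABLE dbo.DemoCustomer (
    CustomerNo  int           NOT NULL PRIMARY KEY,
    Name        nvarchar(50)  NOT NULL,
    EMail       nvarchar(80)  NULL,
    Iban        varchar(34)   NULL,
    CreditLimit decimal(18,2) NULL
);
INSERT INTO dbo.DemoCustomer VALUES
    (1, N'Anna Rossi',  N'anna.rossi@example.com', 'IT00X0000000000000000000001', 5000),
    (2, N'Luca Bianchi', N'luca@example.org',      'IT00X0000000000000000000002', 1200);
GO

-- The DBA picks the columns to protect and a mask function for each.
ALTER TABLE dbo.DemoCustomer
    ALTER COLUMN EMail ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.DemoCustomer
    ALTER COLUMN Iban ADD MASKED WITH (FUNCTION = 'partial(2,"XXXX",4)');
ALTER TABLE dbo.DemoCustomer
    ALTER COLUMN CreditLimit ADD MASKED WITH (FUNCTION = 'default()');
GO

-- Two hypothetical database users: one sees masked values, one clear text.
CREATE USER ReportReader WITHOUT LOGIN;
CREATE USER DpoUser      WITHOUT LOGIN;
GRANT SELECT ON dbo.DemoCustomer TO ReportReader;
GRANT SELECT ON dbo.DemoCustomer TO DpoUser;
GRANT UNMASK TO DpoUser;   -- privilege to read the protected columns unmasked
GO

-- Same query, different result set depending on who runs it.
EXECUTE AS USER = 'ReportReader';
SELECT CustomerNo, Name, EMail, Iban, CreditLimit FROM dbo.DemoCustomer;
REVERT;

EXECUTE AS USER = 'DpoUser';
SELECT CustomerNo, Name, EMail, Iban, CreditLimit FROM dbo.DemoCustomer;
REVERT;

-- Audit which columns are masked and how.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns;
```

Masking changes what a query returns, not what is stored, so it complements rather than replaces encryption and least-privilege permissions on the underlying tables and backups.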

Row Level Security
Row level security limits access to rows in a database table based on the privileges assigned to the User running the query. A query potentially returns a different set of data depending on who performs it. The impact at the application level is minimal, and no changes are necessary.
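An added T-SQL example of the row filtering described above, using SQL Server Row-Level Security (SQL Server 2016 or later); it is not code from the original article. It assumes each person queries under their own database user, as with direct reporting or BI access; the table, the Security schema, and the users ANNA, LUCA and DpoUser are constructed for illustration.

```sql
-- Constructed demo table and data (not a NAV object).
CREATE TABLE dbo.DemoSalesContact (
    ContactNo       int          NOT NULL PRIMARY KEY,
    Name            nvarchar(50) NOT NULL,
    SalespersonCode sysname      NOT NULL   -- owner of the row
);
INSERT INTO dbo.DemoSalesContact VALUES
    (1, N'Contact A', N'ANNA'), (2, N'Contact B', N'ANNA'), (3, N'Contact C', N'LUCA');
CREATE USER ANNA    WITHOUT LOGIN;
CREATE USER LUCA    WITHOUT LOGIN;
CREATE USER DpoUser WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.DemoSalesContact TO ANNA, LUCA, DpoUser;
GO
CREATE SCHEMA Security;
GO

-- Predicate: a row is visible to its salesperson, or to the DPO user.
CREATE FUNCTION Security.fn_ContactFilter (@SalespersonCode AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @SalespersonCode = USER_NAME()
          OR USER_NAME() = N'DpoUser';
GO

-- FILTER hides other users' rows on read; BLOCK rejects inserts that would
-- create a row the inserting user is not allowed to see.
CREATE SECURITY POLICY Security.ContactPolicy
    ADD FILTER PREDICATE Security.fn_ContactFilter(SalespersonCode)
        ON dbo.DemoSalesContact,
    ADD BLOCK PREDICATE Security.fn_ContactFilter(SalespersonCode)
        ON dbo.DemoSalesContact AFTER INSERT
    WITH (STATE = ON);
GO

-- The same statement returns a different row set per user.
EXECUTE AS USER = 'ANNA';
SELECT ContactNo, Name, SalespersonCode FROM dbo.DemoSalesContact;
REVERT;

EXECUTE AS USER = 'DpoUser';
SELECT ContactNo, Name, SalespersonCode FROM dbo.DemoSalesContact;
REVERT;
```

When an application reaches the database through a single shared service account, USER_NAME() is the same for every end user, so the predicate has to key on something else the application supplies, such as a SESSION_CONTEXT value.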

Data Warehouse and Business Intelligence Perspective
In data analysis systems, we need accurate information about the person (name, surname, fiscal code); the data is evaluated in an aggregated way. However, we are interested in information on age, gender, and geographical location. We can use techniques to filter (when possible) information, or we can use techniques for data masking.

GDPR for Microsoft Dynamics NAV
Regarding GDPR compliance for Microsoft Dynamics NAV, Microsoft has posted information on its blog. In practice, GDPR-compliant functionality will be released in the next CU (starting from CU3 of Microsoft Dynamics NAV 2018) and will include technical and functional changes useful for the purpose. The documentation will also be updated as the CU is released.

From Microsoft: Microsoft is dedicated to helping our Partners and Customers meet the requirements of GDPR. By May 2018, Microsoft Dynamics NAV 2018, Microsoft Dynamics NAV 2017, Microsoft Dynamics NAV 2016, and Microsoft Dynamics NAV 2015 will be updated with tools to help you get GDPR-compliant. The March cumulative updates have been made available and provide the first round of updates for you.

The Microsoft proposal is to provide the solution, the documentation, and then to pass the management to the Partner who will take care of the implementation.

 

Written by Roberto Stefanetti
