By: Mark Polino
You may have heard the term GDPR bandied about lately. It’s not a swear word abbreviation, nor is it some new cell phone app. GDPR is the new European Union (EU) General Data Protection Regulation that imposes new rules on organizations in the European Union, those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
The regulations are in response to data breaches and the misuse of personal information. Specifically, they are focused on information related to personally identifiable data and include:
- user rights to access and correct personal data, including the right to be deleted
- organizational controls on data, including training and audit policies
- transparency policies on how the company collects, uses, and retains data
- significant fines for violations
The last item is a big one. Fines can be up to €20 million or 4% of a company’s revenue, a number sure to get the attention of any CFO. In simple terms, assuming the recent Equifax breach would be only one major violation, 4% of 2016 revenue would be $125 million and reduce net income by more than 15%.
Microsoft is working to ensure their products are GDPR-ready. There is a particular emphasis on the entire line of Dynamics 365 products. For cloud-based solutions, complying with GDPR is a joint requirement between the cloud provider and the user company. Microsoft works to supply the appropriate data protection controls, including security and audit logs, but relying on Microsoft’s controls alone to ensure compliance is not enough. Microsoft’s responsibility here is to secure the data center. GDPR imposes requirements on organization controls, audits, and policies which live firmly with the company using Dynamics 365, not Microsoft.
By way of analogy, banks are responsible for the physical security of their customers’ money. They have strong buildings, time lock safes, guards, etc. But users are also responsible for the security of their own money. All of a bank’s security work is irrelevant if a user is careless with their PIN number. In the same way, organizations own the responsibility to protect their data.
Microsoft provides various levels of audit logs with their Dynamics 365 products, but the onus is on the company to review those logs and address issues. Companies control what data their users can see, change, and export, not Microsoft. Policies and training on how to appropriately secure data also fall squarely on companies using Dynamics 365. Companies that already have good controls in place for financial reporting and other regulatory requirements can apply those same principles to GDPR compliance. In the case of GDPR, segregation of information, access reviews, and testing of controls all apply.
For companies with on-premise solutions, the full requirements of GDPR rest on the organization to secure the perimeter and prevent inappropriate access from both outside and inside the organization.
For many organizations, the tools included with their cloud or on-premise ERP or CRM solution won’t be enough to appropriately secure, monitor, and demonstrate compliance. On the plus side, many of the third-party tools available for financial reporting compliance can assist with the audit and control requirements of GDPR, in addition to supporting good financial controls.
GDPR is primarily about data access and usage. Who has access? Who accessed specific data? Who changed what and when? In a typical accounting system, these are more like the questions typically asked around payroll security, but with GDPR, they are now greatly expanded to additional data.
GDPR isn’t going away, and with initial requirements starting May of 2018, it’s going to be here fast. Organizations don’t like surprises, especially expensive ones, so it’s time to prepare now for GDPR.