Guide Lines on Identifying PI Data in Dynamics 365 to Comply with GDPR

By | October 8, 2018

The General Data Protection Regulation (GDPR) by the European Union is designed to protect the personal information of the EU citizens, which means every organization around the globe who have their customers who are citizens of the EU must comply to this law.

As per this law, an organization should not hold any personal information (PI) of any customer residing in EU without their consent or for more than 13 months if the customer is not active.

Now, where does this leave us, the Dynamics CRM users? As we are very much aware that Dynamics CRM is the most used customer relationship management across the globe. How should the organizations using Dynamics CRM comply with the new GDPR rule.

Well, to comply to GDPR it is very important to identify the personal information (PI) present in an organization. And here in this blog, we shall focus on this very aspect on how to identify the PI data present in your CRM.

As we just discussed the GDPR law is to protect customer’s personal information, in Dynamics CRM the Account  and the Contact entity fall under the Customer category thus it makes sense if we try to identify the attributes which would hold the PI but that’s not the only way one can enter customer information in Dynamics CRM is it!  Well in an ideal scenario we do start by creating a Lead and in the due course of time based on the communication and feedback from the potential customers we either qualify or disqualify the lead.

In case we are disqualifying the lead the process flow stops over there and thus in this case the PI will be limited to that lead itself but in case we are able to qualify the lead then it means we were able to close the deal and we have a new customer in our list but that’s not only it in fact it also means that we have created an Opportunity, a Contact and probably even an Account with the PI data entered while creating a lead. So now we have Account, Contact, Lead and Opportunity entity in CRM where we should look for the PI data.

But are these four the only entities that we need to be concerned about when searching for the PI data? I don’t think so. Remember a few moments ago we discussed how the Lead gets qualified or disqualified. Yes, based on the communication and feedback from the potential customer. In Dynamics CRM the communication is possible using the activity entities i.e. the Email, Phone Call, Letter, Fax, Service Activity, Appointments etc… And thus it is quite a possibility of there being PI residing inside either of these entity records. Als,o we do need to consider the Notes entity as there can be scenarios where the notes hold some agreements signed by the customer or the user might have added some details in the notes with reference to the customer details which may prove to be a PI.

Having said that, we also need to need to understand that Dynamics CRM was designed to track every action in case the user wishes and for doing that we have the Auditing feature. One can enable auditing not only at the entity level but also at the field level. So now in case, you have auditing enabled in either of these entities we discussed till now and you have auditing enabled on the fields of these entities which actually hold the PI data then you shall find the PI in Audit logs as well.

Well till now whatever entities we discussed which should be taken into consideration to identify the customer’s personal Information, were all Out Of Box (OOB) entities however there’s very much possibility of there being custom entities in your CRM which might hold customer’s PI as well based on what purpose it solves in your business process. In such cases, one will need to consider their custom entities as well.

Along with all these, in case there’s an external system where the organization stores their customer’s info or there could be a possibility that an organization as their protocol keep daily backups by exporting CRM data in excel sheets, in either case these data do fall under the customer’s PI and must be considered as well.

So till now, we discussed where we should look when we are trying to identify the Customer’s personal Information but to do that I think we need to understand what qualifies as a personal information as well. So any data which can be traced back to you falls under the category of Personal Information (PI) or Personal Identifiable Information (PII). So the details such as Phone Number, Bank Account Number, Email Address, any government provided Unique Identification Number, House Address, and Office Address does fall under the PI/PII and needs to be looked for when identifying personal information.

Well to finally summarize our discussion as Dynamics CRM users we should probably look into following components for customer’s personal information. Having said that we would also need to understand that these components are very much susceptible to change based on one’s organizational goals and needs.

Entities

  • Account
  • Contact
  • Lead
  • Opportunity
  • Notes

Activity Entities

  • Email
  • Phone Call
  • Letter
  • Fax
  • Service Activity
  • Appointments

Custom Entities

Attributes

  • Email Id
  • Phone Number
  • Bank Account Number
  • Any Unique ID
  • Home Address
  • Office Address

Audit Logs

Hope this helps!

InoLink-QuickBooks-Integration-with-Microsoft-Dynamics-365-Dynamics-CRM