Hello,
Does anyone have any information about GDPR in NAV? I hope that Microsoft will prepare some solution for NAV 2013+, but what about the older versions? Our company has a few clients with NAV 5.0 or 2009. Do you have any information about GDPR requirements related to NAV?
Thanks,
Tomáš
Tomáš Kapitán
Answers
xStepa
And how about Right to erasure (or Right to be forgotten)?
Right to be forgotten - simple anonymization of some fields on the Customer/Contact card.
Worse would be the access logging/managing...
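The "anonymize some fields, keep the record" approach mentioned above, as an added example (not code from this thread, from Microsoft or from any NAV object). The point it shows is that an erasure request in an ERP cannot simply delete the customer, because posted ledger entries reference it and other retention rules require keeping them; instead the personal-data fields are overwritten while the primary key and posting fields are protected, and a log records which fields were erased without storing the erased values. The sample customer is constructed, the PII and protected field lists are assumptions to be settled per installation, and the SQL helper uses NAV's SQL Server naming convention (`<Company>$Customer`, `.` in field names replaced by `_`) for the classic database layout:

```python
from datetime import datetime, timezone

# Customer card fields that hold personal data and may be overwritten.
# Assumption: which fields count as PII is decided per installation.
PII_FIELDS = ("Name", "Name 2", "Search Name", "Address", "Address 2", "City",
              "Post Code", "Phone No.", "E-Mail", "Home Page", "Contact")

# Fields that must survive, because ledger entries, posted documents and
# statistics reference them and retention rules require keeping those.
PROTECTED_FIELDS = ("No.", "Customer Posting Group", "Gen. Bus. Posting Group",
                    "VAT Bus. Posting Group", "Balance (LCY)")


def sample_customer():
    """Constructed sample record shaped like a NAV Customer card (not real data)."""
    return {
        "No.": "C10000", "Name": "Anna Nováková", "Name 2": "",
        "Search Name": "ANNA NOVÁKOVÁ", "Address": "Dlouhá 12", "Address 2": "",
        "City": "Praha", "Post Code": "110 00", "Phone No.": "+420 123 456 789",
        "E-Mail": "anna@example.com", "Home Page": "", "Contact": "Anna Nováková",
        "Customer Posting Group": "DOMESTIC", "Gen. Bus. Posting Group": "DOMESTIC",
        "VAT Bus. Posting Group": "DOMESTIC", "Balance (LCY)": 1250.0,
    }


def anonymise_customer(record, pii_fields=PII_FIELDS, protected=PROTECTED_FIELDS, now=None):
    """Return (anonymised copy, log entries); the input record is left untouched.

    Name keeps a placeholder tied to the customer number so that posted
    documents still show something readable; all other PII is blanked."""
    if set(pii_fields) & set(protected):
        raise ValueError("a field cannot be both PII and protected")
    if "No." not in record:
        raise ValueError("record has no primary key")
    stamp = now or datetime.now(timezone.utc).isoformat()
    out = dict(record)
    log = []
    placeholder = f"Erased customer {record['No.']}"
    for field in pii_fields:
        old = out.get(field)
        if old in ("", None):
            continue  # nothing to erase; do not log a change that did not happen
        if field == "Name":
            new = placeholder
        elif field == "Search Name":
            new = placeholder.upper()  # NAV keeps Search Name as upper-cased Name
        else:
            new = ""
        out[field] = new
        # Log what was changed, never the value itself: the log is evidence
        # for the regulator and must not become a second copy of the PII.
        log.append({"at": stamp, "customer": record["No."], "field": field,
                    "chars_before": len(str(old))})
    return out, log


def verify_anonymised(original, anonymised, pii_fields=PII_FIELDS, protected=PROTECTED_FIELDS):
    """List every problem found; an empty list means the record passed."""
    problems = []
    for field in protected:
        if original.get(field) != anonymised.get(field):
            problems.append(f"protected field changed: {field}")
    for field in pii_fields:
        old = original.get(field)
        if old not in ("", None) and anonymised.get(field) == old:
            problems.append(f"personal data still present: {field}")
    return problems


def sql_update(company, anonymised, pii_fields=PII_FIELDS):
    """Parameterised UPDATE for the SQL Server version of the Customer table.

    NAV names the table "<Company>$Customer" and replaces characters such as
    '.' in field names with '_' ("No." -> "No_"), so the statement is built
    from the record's own field names rather than hand-typed."""
    def col(name):
        return "[" + name.replace(".", "_") + "]"
    fields = [f for f in pii_fields if f in anonymised]
    assignments = ", ".join(f"{col(f)} = ?" for f in fields)
    sql = f"UPDATE [{company}$Customer] SET {assignments} WHERE {col('No.')} = ?"
    params = [anonymised[f] for f in fields] + [anonymised["No."]]
    return sql, params


if __name__ == "__main__":
    before = sample_customer()
    after, changes = anonymise_customer(before)
    print(verify_anonymised(before, after) or "ok", len(changes), "fields erased")
    print(sql_update("CRONUS International Ltd_", after)[0])
```

Running the script against the sample record erases eight populated fields, leaves the three empty ones unlogged, and the verification returns no problems; the Contact table would get the same treatment, and the log entries are what you would keep as evidence that the request was acted upon.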
xStepa
Looks like they're offering a GDPR toolset that plugs into all versions of Dynamics NAV
Dynamics NAV, MS SQL Server, Wherescape RED;
PRINCE2 Practitioner - License GR657010572SG
GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-03
I am not saying leave it wide open for anybody, but do not focus on NAV, or any other particular software, alone. There is much more to do than tinkering with NAV to make it 'compliant'.
It is not a software or system or network which needs to be compliant - it is the organization.
I've seen some MS presentations and webinars regarding the GDPR, and to me it looked much like a cloud-selling exercise. The message, although not said directly, was, in short: 'move all of your data, documents, and systems into the Microsoft Cloud and it will all be fine'.
I can see some usefulness in the tools presented by MS so far, but I cannot see how the MS proposition would make anybody GDPR compliant, for the exact reason I have given above: the GDPR is not only about securing any software or IT system.
For example, if you look at it closer, one of the goals of GDPR is to make sure the systems are designed from the ground up and deployed with the customer's data privacy in mind. If you look at NAV, there is a very precise permission control system in place. The question is: how did you use it? Some companies grant very wide access, in extreme cases giving SUPER to everybody to avoid problems. On the other side, there are control-freak companies who will limit access to an absolute minimum, for absolutely everybody, even for their database administrators. The same system, yet potentially, and very likely, two different outcomes should the s..t happen and a company come under investigation for allegations of breaching the data protection laws, even the current one in place.
I have to disagree. User rights were our first thought as well, as in, "goddamn, now I have to figure out in 7 companies what everybody is doing and only let them do that", but then we realized something:
We are talking about READ access to stuff like the customer address? Well, Order Processing needs that. Accounting needs that; they issue invoices, too. Warehouse needs that; they book delivery notes.
So basically all of the users need that. So we just basically have to write that down and the problem is solved. It actually even makes sense: if any member of an organization is completely isolated from customers... is that not a bad sign? You are supposed to be customer-oriented, not product-oriented, these days? And isn't the whole point of CRM to share customer information all over the organization?
Now, WRITE access to customers could be limited... and has to be, else you end up with duplicates when the less clueful people don't find one and enter it again.
But my opinion is that that is not relevant. GDPR is not about someone accidentally entering the wrong customer address or e-mail address. It is about someone stealing it, selling it to a spammer company, and then your inbox is full of ads for magic pills that promise to make certain body parts grow bigger overnight. And that is READ access, not WRITE.
So I think that's not really the issue. Most of it is acting upon requests from customers: delete, change, encrypt...
Firstly, it is not only about your customers. Vendors and subcontractors, if they are sole traders or civil partnerships for example, are also subject to GDPR rules, as well as your employees.
Secondly, you could argue whether a person dealing with purchases, or a member of HR, really **needs** to have access to any Customer data. Personally, I doubt it.
This is a possible solution. If anything happened, you would be able to show that you have done some analysis, that you have considered privacy laws. It doesn't make you compliant with GDPR, but on the other hand there is not a single thing, piece of software or solution which does.
Oh, but it is about that too. One of the principles is data accuracy - Article 4 clause 1(d):
Now imagine your Data Protection Authority is a lawyer who deeply believes that the primary and most important purpose of laws is to obey them, down to the dot...
Nope, again. It is about 'losing' the data, by any means, not necessarily limited to stealing or selling it. It is also about misusing the personal data too. The impact does not have to be a full inbox of certain medicament offers from a spammer. Just look at the UK's recent Cambridge Analytica case.
If your employee sends a list of invoices to the wrong address, it does count as a data breach. If someone sends an email to many customers and puts all the addresses in the To: field, so the recipients can see each other's emails, that's a data breach example too.
Thinking in 'narrow' categories regarding the application and potential impact is not going to help. At the end of the day it will not be you, or your company's CEO, who decides if you are compliant or not, or if you were negligent or not. The officer investigating your case may have a different view than you or your bosses on those matters.