GDPR - general information?

Kepty Member Posts: 54
Hello,
Does anyone have any information about GDPR in NAV? I hope that Microsoft prepares some solution for NAV2013+, but how about the older versions? Our company has a few clients with NAV 5.0 or 2009. Do you have any information about GDPR requirements related to NAV?

Thanks,
Tomáš
Tomáš Kapitán

Answers

  • xStepa Member Posts: 106
    As far as I know - NO universal solution from MS ... each partner has to come up with his own solution that fits his customer's needs.
    Regards
    xStepa
  • Kepty Member Posts: 54
    I hope that it is not true... GDPR requires storing which users read customer information (customer profiling information, etc...), but NAV has no way to store this information... What do you think about NAV2018 together with GDPR?

    And how about Right to erasure (or Right to be forgotten)?
    Tomáš Kapitán
  • xStepa Member Posts: 106
    edited 2017-08-13
    Who knows ... Maybe there will be some solution from local MS (like EET).

    Right to be forgotten - simple anonymization of some fields on Customer/Contact card ;)
    Worse would be the access logging/managing ...
    Regards
    xStepa
  • navprogmgr Member Posts: 2
    Answer ✓
    We found this company navgdpr.com
    Looks like they're offering a GDPR toolset that plugs into all versions of Dynamics NAV
  • Slawek_Guzek Member Posts: 1,690
    edited 2017-10-31
    navprogmgr wrote: »
    We found this company navgdpr.com
    Looks like they're offering a GDPR toolset that plugs into all versions of Dynamics NAV
    It would be much, much closer to the truth if you posted: "I am working at navgdpr.com and advertise myself here"
    Slawek Guzek
    Dynamics NAV, MS SQL Server, Wherescape RED;
    PRINCE2 Practitioner - License GR657010572SG
    GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-03
  • navprogmgr Member Posts: 2
    @Slawek_Guzek: Absolutely right; I was attempting to be subtle about the fact. However, I'm proud to announce we offer a cost-effective, function-rich solution to the new GDPR legislation.
  • Zupfiler Member Posts: 1
    edited 2017-11-01
    Microsoft just aren't offering anything as yet for GDPR - I think they will see this as an incentive for companies to upgrade. Well done navprogmgr for providing a solution.
  • Kepty Member Posts: 54
    Answer ✓
    Microsoft is preparing some solution for GDPR (NAV2015+), but the whitepapers are not published yet.
    Tomáš Kapitán
  • Slawek_Guzek Member Posts: 1,690
    edited 2018-02-11
    The trouble with GDPR is that it does not say what exactly companies need to do, and, what is much more important, with what data. One universal solution, the "silver bullet", simply does not exist. No program or module can make you compliant I'm afraid, for a simple reason - GDPR is not about securing your ERP system.

    I am not saying leave it wide open for anybody, but do not focus on NAV, or any other particular software, alone. There is much more to do than tinkering with NAV to make it 'compliant'.

    It is not a software or system or network which needs to be compliant - it is the organization.

    I've seen some MS presentations and webinars regarding the GDPR and to me, it looked much like the cloud selling exercise. The message, although not said directly was, in short: 'move all of your data, documents, and systems into Microsoft Cloud and it all will be fine'.

    While I can see some usefulness in the tools presented by MS so far, I cannot see how the MS proposition would make anybody GDPR compliant, for exactly the reason I have given above - the GDPR is not only about securing any software or IT system.

    For example, if you look at it closer, one of the goals of GDPR is to make sure the systems are designed from the ground up and deployed with the customer's data privacy in mind. If you look at NAV, there is a very precise permission control system in place. The question is how did you use it? Some companies grant very wide access, in extreme cases giving SUPER to everybody to avoid problems. On the other side, there are control freak companies who will limit access to an absolute minimum, for absolutely everybody, even for their database administrators. The same system - yet two potentially, and very likely, different outcomes should the s..t happen and a company is under investigation for allegations of breaching the data protection laws, even the current one in place.
    Slawek Guzek
    Dynamics NAV, MS SQL Server, Wherescape RED;
    PRINCE2 Practitioner - License GR657010572SG
    GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-03
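    An added audit check for the "SUPER for everybody" pattern Slawek describes; this is example code, not something from the thread or from Microsoft. It assumes a NAV 2013+ database with the standard system tables dbo.[User] and dbo.[Access Control], the permission set ID 'SUPER', State 0 meaning an enabled user, and an empty [Company Name] meaning the assignment applies to every company (NAV 2009 and earlier keep the same information in the [Member Of] and [Windows Access Control] tables instead).

```sql
-- Added example (not from the thread): list every user holding the SUPER
-- permission set in a NAV 2013+ database, with the company scope of each
-- assignment. Assumes the standard dbo.[User] / dbo.[Access Control] tables.
SELECT  u.[User Name],
        u.[Full Name],
        CASE u.[State] WHEN 0 THEN 'Enabled' ELSE 'Disabled' END AS [State],
        CASE ac.[Company Name]
             WHEN '' THEN '<all companies>'   -- empty scope = every company
             ELSE ac.[Company Name]
        END AS [Company]
FROM    dbo.[User] AS u
JOIN    dbo.[Access Control] AS ac
        ON ac.[User Security ID] = u.[User Security ID]
WHERE   ac.[Role ID] = 'SUPER'
ORDER BY u.[User Name], [Company];

-- Headline figure for the DPIA write-up: how many enabled users hold SUPER
-- anywhere, next to the total number of enabled users.
SELECT  COUNT(DISTINCT ac.[User Security ID])                     AS [Enabled users with SUPER],
        (SELECT COUNT(*) FROM dbo.[User] WHERE [State] = 0)      AS [Enabled users total]
FROM    dbo.[Access Control] AS ac
JOIN    dbo.[User] AS u
        ON u.[User Security ID] = ac.[User Security ID]
WHERE   ac.[Role ID] = 'SUPER'
  AND   u.[State] = 0;
```

    Run it read-only against a copy or with a SELECT-only login; a ratio close to 1:1 in the second result is the wide-access case the post warns about, and the first result is the list to review against actual job roles.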
  • Miklos_Hollender Member Posts: 1,598
    Some companies grant very wide access, in extreme cases giving SUPER for everybody to avoid problems. On the other side, there are control freak companies who will limit access to an absolute minimum, for absolutely everybody, even for their database administrators. The same system - yet two potentially and very likely two different outcomes should the s..t happen and a company is under investigation for allegations of breaching the data protection laws, even the current one in place.

    I have to disagree. User Rights were our first thought as well, as in, "goddamn now I have to figure out in 7 companies what everybody is doing and only let them do that" but then realized something:

    We are talking about READ access to stuff like customer address? Well, Order Processing needs that. Accounting needs that, they issue invoices, too. Warehouse needs that, they book delivery notes.

    So basically all the users need that. So we just basically have to write that down and problem solved. It actually even makes sense: if any member of an organization is completely isolated from customers... is that not a bad sign? You are supposed to be customer-oriented, not product-oriented these days? And isn't the whole point of CRM to share customer information all over the organization?

    Now WRITE access to customers could be limited... and has to be, else you end up with duplicates when the less clueful people don't find one and enter them again.

    But my opinion is that that is not relevant. GDPR is not about someone accidentally entering the wrong customer address or e-mail address. It is about someone stealing it, selling it to a spammer company and then your inbox is full of ads of magic pills that promise to make certain body parts grow bigger overnight. And that is READ access, not WRITE.

    So I think that's not really the issue. Most of it is acting upon requests from customers: delete, change, encrypt...

  • Slawek_Guzek Member Posts: 1,690
    edited 2018-03-29
    ".. now I have to figure out in 7 companies what everybody is doing.."
    This is exactly what the DPIA (Data Protection Impact Analysis) is all about. To determine where your data is (ALL of it, not only the data stored electronically - paper-based archives do count), who has access to it, how it is used and what for. And where it is getting sent.

    We are talking about READ access to stuff like customer address? Well, Order Processing needs that. Accounting needs that, they issue invoices, too. Warehouse needs that, they book delivery notes.

    So basically all the users need that....
    Firstly, it is not only about your customers. Vendors and subcontractors, if they are sole traders or civil partnerships for example, are also subject to GDPR rules, as well as your employers.

    Secondly, you could argue whether a person dealing with purchases, or a member of HR, really **needs** to have access to any Customer data. Personally, I doubt it.

    So we just basically have to write that down and problem solved.
    This is a possible solution. If anything happened you would be able to show that you have done some analysis, that you have considered privacy laws. It doesn't make you compliant with GDPR, but on the other hand there is not a single thing, piece of software or solution which does.

    Now WRITE access to customers could be limited... and has to be, else you end up with duplicates when the less clueful people don't find one and enter them again.

    But my opinion is that that is not relevant. GDPR is not about someone accidentally entering the wrong customer address or e-mail address.
    Oh, but it is, about that too. One of the principles is data accuracy - Article 4, clause 1(d):
    ...Member States shall provide for personal data to be ... accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
    Now imagine your Data Protection Authority is a lawyer who deeply believes that the primary and most important purpose of laws is to obey them, down to the dot....


    It is about someone stealing it, selling it to a spammer company and then your inbox is full of ads of magic pills that promise to make certain body parts grow bigger overnight
    Nope, again. It is about 'losing' the data, by any means, not necessarily limited to stealing or selling it. It is also about misusing the personal data. The impact does not have to be a full inbox of certain medicament offers from a spammer. Just look at the UK's recent Cambridge Analytica case.

    If your employee sends a list of invoices to the wrong address, it does count as a data breach. If someone sends an email to many customers and puts all the addresses in the To: field, so the recipients can see each other's email addresses, that's a data breach example too.


    Thinking in 'narrow' categories regarding the application and potential impact is not going to help. At the end of the day it will not be you, or your company CEO, who decides if you are compliant or not, or if you were negligent or not. The officer investigating your case may have a different view than you or your bosses on those matters.

    Slawek Guzek
    Dynamics NAV, MS SQL Server, Wherescape RED;
    PRINCE2 Practitioner - License GR657010572SG
    GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-03