The General Data Protection Regulation (GDPR) comes into force on May 25, 2018 and represents a significant overhaul of data protection legislation; the accountability principle will mean that businesses will need to examine how they hold and use data and take steps to demonstrate compliance with the data protection principles.
With the release of NAV 2018 Cumulative Update 3 last week, Microsoft has done a first step on making NAV GDPR compliant. This Cumulative Update adds Data Classification to your NAV tables and this is the NAV version you need to deploy as soon as possible in order to be at least “level 0” GDPR compliant.
When installing NAV 2018 CU3 and open properties of a Table’s field, you can see the new DataClassification property:
The DataClassification property can be set on table objects and field controls:
|CustomerContent||Content directly provided/created by admins and users. This is the default when no value has been specified.||
|EndUserIdentificationInformation||(EUII) Data that identifies or could be used to identify the user of a Microsoft service. EUII does not contain Customer content.||
|AccountData||Customer billing information and payment instrument information, including administrator contact information, such as tenant administrator’s name, address, or phone number.||
|EndUsePseudonymousIdentifiers||(EUPI) An identifier created by Microsoft tied to the user of a Microsoft service. When EUPI is combined with other information, such as a mapping table, it identifies the end user. EUPI does not contain information uploaded or created by the customer (Customer content or EUII).||
|OrganizationIdentifiableInformation||(OII) Data that can be used to identify a tenant, generally config or usage data. This data is not linkable to a user and does not contain Customer content.||
|SystemMetadata||Data generated while running the service or program that is not linkable to a user or tenant.||
|ToBeClassified||Content that has not yet been given a classification. This is the initial value when table or field is created.||
Dynamics NAV operates with some standard rules for classification:
- When you add a new field to a table, the field is assigned an initial value of ToBeClassified.
- FlowField and FlowFilter fields are automatically set to the SystemMetadata data classification. This cannot be changed.
- Existing tables and fields (except for FlowFields and FlowFilters) in an application that has been upgraded from a Dynamics NAV version without the DataClassification property, will automatically be assigned the CustomerContent classification.
When you upgrade an application from a Dynamics NAV version that does not contain the DataClassification property, existing tables and fields (except for FlowFields and FlowFilters) will automatically be assigned the CustomerContent classification. You can then access the DataClassification property on these tables and fields, and change the classification as needed. FlowFields and FlowFilters will be assigned the SystemMetadata classification automatically.
You can view the data classification of tables and fields in the Table Metadata Virtual table (ID 2000000136) and Field virtual table (ID 2000000041), respectively. You can also perform a bulk-insert of data classification by executing the Field Data Classification (page 1750).
You can bulk-edit classifications only for fields in CSIDE (the script does not update fields in extensions). To bulk-edit classifications, export the classifications to Excel from the NAV page and then re-import the updated file with the new Powershell package (provided in the DVD image of CU3):
Set-FieldDataClassificationFromExcelFile -ExcelFilePath <YourXLSXGeneratedFile> -SheetName 'Field Data Classification' -RTCFolder <FilePath> -DBName <YourAVDBName> -OutputFolder <OutputFolder>
where FilePath is the full path of the NAV client files (for example C:\Program Files\Microsoft Dynamics NAV\110\RoleTailored Client).
Microsoft is clear regarding the Data Classification topic for GDPR:
You should consider the data classification features offered in Dynamics NAV as the first layer of classification – done by developers (Dynamics NAV and partners) on customizations, add-ons, and extensions.
And what’s next?
Data Classification is in my opinion only the basic requirement in order to define your product to be totally GDPR-compliant. I don’t think this is enough, at least if you want to provide GDPR features to your customers. What we need right now in NAV?
One of the key aims of the GDPR is to empower individuals and give them control over their personal data. For having a good GDPR-compliance, we need to have features to satisfy at least these GDPR articles and topics:
- Personal / sensitive data discovery
- The right to be informed (Articles 12, 13, 14)
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure (Article 17)
- The right to restrict processing (Articles 18, 19)
- The right to data portability (Article 20)
- Data encryption and destruction (automated)
- GDPR activities logging
What to do in practice? What should the NAV Product Team do? These are my ideas:
- Data Classification (done)
- Providing GDPR-related entity management (like Data Protection Officer card, Administrators or other controllers identification).
- Providing a quick way to retrieve sensitive data in the entire database (for example, if your old contact asks you to retrieve all his sensitive data you have in your system, you need to have a quick way to retrieve them).
- Providing a quick way to rectify sensitive data (for example, change of a contact data: you need to change this data in the entire database and documents).
- Providing a quick and automated way to mask or delete sensitive data (if your old contact asks you to immediately delete all his sensitive data in your database, you need to remove them or cypher them).
- Provide a way to export all sensitive data of an individual in a standard format (CSV or XML) for data portability.
- Providing a centralized way where launching all these GDPR tasks, log them, log GDPR incoming requests and action performed on the database.
As you can imagine, there’s something to implement also as new NAV objects in order to obtain a good result (and a very GDPR compliant product).
We’ll have something similar before the May 25? Or we’ll have to develop all by ourself?
I’ve shared the requests/suggestions to the product team, now having a clear feedback could help everyone of us…