GDPR and your data – The Latecomers Guide (Part 4)

GDPR and your data

The new GDPR legislation will have a significant impact on firms of all sizes. Don’t leave it too late to start preparing. One of the first things you need to do is to assess your processes and what security you have in place to protect personal data. In the first two posts in this series, we looked at what is GDPR and who is affected. In the third post, we started to look at ways in which you can protect data in your Microsoft Dynamics 365 database. In this final post in this four-part series, we will look at further ways to ensure protection as part of your GDPR preparation.

Exporting Data

Do you know right now who has access to export data from databases in your organisation? Microsoft and other vendors provide access to really cool features such as the export to excel (and Excel online) but these features also contain risks. There are risks of data theft and risks of data breach by allowing inappropriate access to data. It’s easy to think that there is no harm in allowing someone to export some data to create a simple pivot chart but what happens to the data afterwards? Are your users taking laptops home with a desktop full of excel sheets of personal data that they forgot to delete? It is important to have strict policies about who can export data and what the procedure is to delete that data again in an appropriate manner. In Microsoft Dynamics 365 the security permission that allows “export to excel” is contained in the Business Management tab of the security role. This can be toggled on or off.


GDPR compels organisations to have explicit and informed consent from the data subject (individual) to store and process their data. If you want to send direct marketing content to your contact database then you must get consent from the individual. This means a “Freely given” consent without coercion, incentives or a penalty for refusal. You cannot use a pre-ticked sign up box and it must be very clear as to what they are opting in for. Furthermore, organisations must then keep records of this consent that can be produced if requested.
If you are using a marketing automation tool such as ClickDimensions with Microsoft Dynamics 365 you can set up a double opt-in process that doesn’t add people to your marketing list until they sign up first at your website, then confirm that they have signed up by clicking a link in an email.

How long does consent last within GDPR

This is a bit of a grey area and is often said to “be for the time being”. Which isn’t really very helpful. Especially when you consider that consent is also considered by the law to “decay over time”. For GDPR compliance you don’t have to necessarily ask all your contacts to re-give consent however you must have a record of them giving you consent in the first place.
It is suggested that organisations review the following:
• review the length of time you keep personal data;
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
• securely delete information that is no longer needed for this purpose or these purposes; and
• update, archive or securely delete information if it goes out of date.


Microsoft Dynamics 365 online is a Microsoft cloud platform. This means that your data is sitting in Microsoft database servers outside of your organisation. That might cause you to be alarmed but don’t worry because the data is encrypted (think of this as a way of scrambling the data so that it becomes totally unreadable to anyone or anything who doesn’t have the right code to unlock and see the data) This means that as you add a record to your CRM database in the cloud the data is security protected on its way to and once inside the Microsoft SQL Server Database. This happens automatically and you don’t need to do anything to enable it. For those organisations who want to self-manage the encryption, it is possible to change the default encryption key in Microsoft Dynamics 365 to one of your own. Although this is a very powerful feature and if not managed correctly has the power to lock your data permanently if not done right so only consider this is if you have a good reason and you know what you are doing.


In this post, we have looked at some of the things that can be done in Microsoft Dynamics 365 to
protect data, but protecting the data is only one part of the GDPR scope. When preparing for GDPR Microsoft have recommended the following four steps as a guide.

1. Discover—Identify what personal data you have and where it resides.
2. Manage—Determine how personal data is used and accessed.
3. Protect—Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Report— Execute on data requests, report data breaches, and keep required documentation.

If you want to read more about GDPR and carry out a basic assessment of your readiness Microsoft has a website dedicated to the subject.
help with establishing your GDPR maturity or you need help to find out more about using some of the features within Microsoft Dynamics 365 to secure your data contact us now to find out about how Rocket CRM can help Link to a landing page


Rocket CRM is a Microsoft Dynamics 365 Partner. Organisations are responsible for ensuring their own GDPR compliance. Any organisation that is unclear on GDPR is advised to consult legal and compliance teams for guidance.

share with your friends