The General Data Protection Regulation (GDPR) is a crucial new regulation, especially for companies that have EU users or deal with EU companies. This regulation went into effect on May 25th, 2018. Microsoft has released a number of features in D365FO to help companies become GDPR compliant.

Person Search Report

The Person Search report may be the most useful feature added by Microsoft for GDPR. It is located at System Administration -> Inquiries -> Person Search Report and allows you to take any piece of PII and search for it in D365FO.

You can search by ID using any of the following:

  • Party ID
  • User ID
  • Email
  • Contact ID
  • Personnel Number
  • Applicant
  • Customer Account
  • Vendor Account
  • Prospect

Or you can search by name using any of the following:

  • Search Name
  • Contact Number/Address
  • First Name
  • Middle Name
  • Last Name
  • Last Name Prefix

Or you can search by address information using any of the following:

  • Street
  • Street Number
  • City
  • Country/Region
  • State
  • County

So there are a lot of options to search by!

Once you input the data you would like to search for, the results will look something like below. For this example, I used the name search for ‘brad’.

You can see the search returned all objects that referred to anybody with the name ‘brad’. It also returned related information about the user including Party ID, Email, and default Company.

Asset Classification on Table Fields

Starting with Platform Update 8, an additional metadata field was added to all table fields. This additional field, called ‘Asset Classification’, allows for classifying what type of data exists within a particular table field.

There are a number of classifications you can use for this, including:

  • Customer content – Data collected and managed by the controller (some of which can be personal data).
  • End User Identifiable Information (EUII) – A natural value used to identify a user of the service.
  • End User Pseudonymous Information (EUPI) – A generated value used to identify the user of the service.
  • Organizational Identifiable Information (OII) – A value used to identify the organization using the service.
  • System metadata – A value that describes the software or used by the software, typically generated by the software.
  • Object metadata – A value that describes the software or used by the software, but can be provided by the tenant or user of the software.
  • Account data – A value provided by or used by the tenant to identify the billing information or identify the software used by the tenant.
  • Support data – Information used to provide customer support.

Classifying the type of data a particular table field will contain allows you to quickly determine which tables/fields include potential personally identifiable information (PII) and are subject to GDPR.

Roles with Sensitive Access

Starting with Platform Update 16, you can designate roles that have access to potentially sensitive information and then see when users who are assigned those roles log in.

The first thing to do is to configure which roles have access to sensitive data by going to System Administration -> Inquiries -> User Log -> Role Settings tab. In the example below, I have set up the ‘Accounts Receivable Manager’ role as having access to sensitive data.

Now when I go to the User Log report (located at System Administration -> Inquiries -> User Log), I am able to see when users who are assigned that particular role logged in.

Reference Documents

Reference Documents for Finding and Managing Personal Data

If you have access to Customer Source, you can view these data reference documents. These documents include two sets of reference data: page data discovery tables and data inventory tables. The page data discovery tables allow you to report on the following within D365FO:

  • Roles and the pages in Finance and Operations (and Talent and Retail) that may contain personal data related to that role.

  • Business actions that involve a role and the pages that are used to complete the action.

  • Documentation that relates to the pages or business actions, as well as links to that documentation.

The data inventory tables provide a comprehensive list of entities and pages where they exist within D365FO.
