Words by Paul McQuillan

   on 26/02/2018 09:00:00

imageData is more important than ever - and so how we store and use data is under increasing scrutiny.

In a way, the last 15 years have seen a kind of 'data wild west' where companies could collect, use and store data in any way they like without worrying unduly about the consequences.

But with increasing interconnectedness and analytic power in big data, the value of data has risen dramatically and now companies must show that this is being stored securely and that the ownership of this data resides with the consumer - and not solely with the company who happens to be holding the data.

This is part of the process that has led to GDPR and steps taken by regulation to ensure that Customer data is being stored both securely and in a well governed structure that ensures a Company can respond to a Customer's request to view, amend or completely delete the data held about them.

GDPR is likely the first step here in ensuring that the value of our data is respected and this is not left vulnerable to misuse.

In a way this is not new for the CRM world, as this is mandating that we hold our data in a more customer-centric fashion and place the customer at the heart of how we store their data – but to be compliant we must understand GDPR and the requests this places on us.

To help us here, we have documented some of the key tenants of GDPR below – as this involves compliance, this is an area where doing your own research and working with good trusted Suppliers is crucial, however the following is aimed at being a good summary:

Storing Data

Data Access Requests


We should have a documented map of our data, what we hold, and where this is stored.

Where data is communicated to 3rd Party companies or structures, this should be documented as this is our responsibility to correct inaccuracies or communicates changes.

Our Data Protection Officers should have an awareness of the different points of storage and key suppliers to be fully aware of our storage and any possible implications of our approach.

In this we should be aware of our Data Real Estate as the totality of the data we store on Individuals – this includes both structured data of the fashion we hold in CRM, ERP or other Line of Business Systems + unstructured data we hold in Documents, Spreadsheets and Email Attachments.

As both Structured and Unstructured data constitute the data we hold on individuals and so both should be compliant with GDPR – this makes the use of loosely structured or ad-hoc file shares difficult, as these may store individual data without reference back to individual for a Data Access Request.

Individuals may request a copy of the data we hold on them.

Similarly individuals may also invoke their ‘right to be forgotten’ as way of requesting an organisation delete or remove the data they hold about them.

To handle these Data Access Requests, we should have an Access Request Process in place between our Data Protection Office(s) and our Suppliers to accommodate such requests – and these should be completed within 30 days.

Privacy Notices explain the Legal Basis for storing and processing their data, including our retention period for this data.

This empowers the data subject for:

  • subject access
  • to have inaccuracies corrected
  • to have information erased
  • to prevent direct marketing
  • to prevent automated decision-making and profiling
  • data portability

Many of these points are similar to the earlier Data Protection Act that GDPR effectively replaces – however the right to data portability is new. This is an enhanced form of subject access where we have to provide the data electronically and in a commonly used format.

Many organisations will already provide the data in this way, but if we currently use paper print-outs or an unusual electronic format, now is a good time to revise your procedures and make the necessary changes.

Documented process for Data Breaches and ideally a Security Incident Register between yourself and your suppliers.

Have the relevant contracts in place with IT and Data Suppliers, preferably for a 3 year period for continuity and robustness to our approach.

Have a Data Protection Officer armed with the right tools and knowledge to take responsibility for how your data is protected and stored.

Remember that your security is only as good as your weakest link – and so again, having a good awareness of your Data Real Estate is key in ensuring we have sufficient security and knowledge of potential breach points. 

Limiting the number of systems and touch-points for data storage here will then help us still secure.

Penetration Testing and working with strong Hosting Partners or Cloud Service Providers will help manage the complexity of modern system security and good data storage.

What defines Personal Data? What defines Sensitive Personal Data?

Any information relating to an identified or identifiable natural person – this relates to a series of possible identifiers such as Name, any Online Identifier (such as IP Address) or Locational Data.

Consent – the data subject whom the personal data is about has consented to the processing

Contractual – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

Legal obligation – processing is necessary for compliance with a legal obligation

Vital interests – processing is necessary to protect the vital interests of the data subject or another person

Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business

Legitimate interests – processing is necessary for purposes of legitimate interests pursued by the business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

(a) Racial or ethnic origin of the data subject;

(b) Political opinions;

(c) Religious beliefs or other beliefs of a similar nature;

(d) Membership of a trade union;

(e) Genetic or Biometric Data

(f) Physical or mental health or conditions.

(g) Sexual life or orientation

Previously data on prior criminal convictions was considered sensitive personal data, whereas under GDPR this is tagged separately and treated with a higher protection controls.

Explicit consent – the data subject whom the sensitive personal data is about has given explicit consent to the processing (unless reliance on consent is prohibited by EU or Member State law)

Employment, Social Security or Social Protection Laws – processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject

Vital Interests – processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent

NFP – processing is carried out by a not-for-profit with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent

Public – processing relates to personal data manifestly made public by the data subject

Legal Matters – processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Public Tasks – processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Medical Purposes – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional (provided that professional is subject to the obligation of professional secrecy under EU or Member State law) or by another person also subject to an obligation of secrecy under EU or Member State law

Public Health – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy or

Archiving, Research or Statistical Purposes – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

As a follow-up article to this information, we can also look at how Dynamics 365, SharePoint and supporting Apps can help meet these points for GDPR Compliance.

Further Reading

GDPR is a hot topic at present (to say the least!), and so there is a wealth of information available to us.

The most useful if lengthy read is the original legal document itself:

Share this Article

Search Articles

Filter Articles

CRM Tech DocMan

Recent Articles

HOW TO: Integrate SQL Users into Dataverse Teams HOW TO: Prepare to go LIVE on Linked-In! Creating a Homepage Canvas App HOW TO: Virtual Entities in Dynamics 365 Release Wave 2 New Feature: The Columns Button HOW TO: Search a date field in Microsoft Dynamics The Relevance Search COMING SOON to Power Apps Portals HOW TO: Manage Your Dynamics 365 Database Size (Video Included) Dynamics 365 Marketing vs ClickDimensions It’s time to pause, reflect and acknowledge a new era of inclusivity and collaboration. Part 2 - How to get the most from a Technology Expert – Asset Management Hub Property & Asset Management Hub Part 1 – Balancing CRM and Asset Management Scopes - Asset Management Hub Creating a Multi-Lingual PowerApps Portal How to Set Up a Microsoft Teams Site Using DocDrive365 Microsoft Teams - Adding a Microsoft Teams URL to a Dynamics Appointment Dynamics 365 Marketing – Customer Voice Survey Not Appearing In Emails? Using SQL Management Studio to connect to the Dynamics DB Calling a Power Platform AI Builder Model via oData How to use DocDrive365 to integrate permissions between Business Units in Dynamics with Sites in SharePoint Getting started with the Power Platform AI Builder. Power Apps Portal Information Hub DocDrive365 Security: Day One - Getting Started with Dynamics to SharePoint Permissions Part 5 - Power Apps Portals: How To Connect Azure B2C With Linked-In Part 4 – Power Apps Portals: Styling Azure B2C for Power Apps Portals
Contact Us

Want expert advice or a demo?

Get in touch now and see how we can help your business grow.

  • Name
  • Email Address
  • Phone Number

Understanding Your Challenges

Our strong understanding of CRM and emerging technologies within the Microsoft environment means we deliver the right solutions for you.

Proven Real-World Solutions

As a leader in the field of Dynamics solutions, our pedigree developing and delivering real-world solutions is unsurpassed.

Long Term Support

We provide support beyond our design, implementation and 'go-live' delivery using Sprints and continual updates to our AppSource apps.

CRMCS | Design by Thinktank Marketing | Citrus-Lime Limited

To improve your experience today and in the future, this site uses cookies. Read our full Privacy Policy & Cookie information here I Understand