What does GDPR consent look like in Dynamics?

Following the introduction of the new General Data Protection Regulation (GDPR) in May 2018,  Xpedition is finding that many firms still have questions about what GDPR consent should look like in Dynamics365. Perfectly understandable of course. It is a complex subject and only now, with GDPR in place, is it becoming more apparent what issues are of most concern.

For example, a frequent question that comes up during our seminars and in one-to-one client meetings is the ability, and need, to store consent records within their Dynamics Customer Engagement or CRM platform.

Consent is one of the six lawful basis for processing data, the other five being Contractual, Legal Obligation, Vital Interests, Public task and Legitimate Interest. You may choose to use consent if you determine it to be the most appropriate basis for your processing activity. The GDPR introduces new accountability and transparency requirements that require companies to clearly state and document their lawful basis for processing in order that they can demonstrate compliance in accordance with Articles 5(2) and 24. In addition, companies must also inform data subjects, up front, of their lawful basis for processing personal data, this is often in the form of a privacy policy or a short statement on the method of data capture.

As part of its transparency provisions, the GDPR specifies that firms record the legal basis for processing against the data subject, this is where Dynamics Customer Engagement or your CRM platform can assist. It is entirely possible that each data subject record that you hold could be the object of one or multiple data processing exercises, be it obligatory client data retention, marketing communications and/or compulsory audit retention – there may be many more and these are likely to be different for each company.

Data Processing

Each of these processing types can be represented against the data subject’s record within Dynamics, typically in the form of a single, or multiple relationships to a processing entity. This processing entity can be tailored to meet your exacting requirements though as a bare minimum should consist of:

• Purpose – The purpose for which the data is being processed
• Lawful basis – One of the six lawful basis for data processing
• Preference – Recording when permission has been granted or withdrawn
• Date – The date this processing commenced
• Expiry – The date this record is due for expiry, this is likely to be based on your data retention policies

Additionally, for data processing that uses consent as the legal basis, you should also store the mechanism by which you obtained consent from the data subject. If the consent was obtained via an online form then providing a link to the form, along with form version tracking, is also required. Likewise, if the consent was obtained verbally via telephone or in person, then the mechanism allows you to store a copy of the generic wording or telephone script.
One final factor, often overlooked, is the need to record when consent is withdrawn, or when consent is invalidated by a change of circumstance. This might involve the need to remove or supress data from your systems.

About Xpedition

With technology playing a greater role in assisting firms with their compliance needs, Xpedition ensures clients understand how to use the tools they have at their disposal to empower their business in real terms, and to help them build long and trusted relationships with their clients.
Discover the Intelligent Business Applications helping firms like yours
Xpedition’s experts are passionate about sharing their knowledge, revitalising client experiences and improving operational efficiency.
Contact us today for further information and to discuss your CRM compliance needs.