Quick guide

  1. Write all the GDPR requests in a list
  2. Process the request by printing / exporting data or deleting / blocking / encrypting data
  3. Edit a specific setup for tables containing personal data

Subscription

Some features of the Custom Defined Fields app require a subscription:

FREE version: possibility of searching in "Vendor" and "Purchase Invoice" tables

PRO version: possibility of searching in all DB tables 

See Eos Solutions website for more details. 

Introduction

The General Data Protection Regulation not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

It took effect starting from May 25th 2018.

What constitutes personal data? Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.

Data subject rights

  1. Breach Notification: Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

  2. Right to Access: (GDPR Toolset or manual reports) is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

  3. Right to be Forgotten: (GDPR Toolset or manual deletion) also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

  4. Data Portability: (GDPR Toolset or Excel export) the right for a data subject to receive the personal data concerning them.

  5. Privacy by Design: (NAV Standard) Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting the access to personal data to those who need it to carry out the processing.

  6. Data Protection Officers: a DPO is mandatory wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects. Companies passing certain thresholds should be mandated to appoint a DPO, yet they differ on the exact metric. Finally, a DPO should be mandatory for all enterprises that process 'Special categories' of data, including information such as health data or religious and political beliefs.

GDPR Toolset app

Thanks to the GDPR Toolset app you can manage:

  • Data discovery in NAV

  • Data reporting (The right to be informed-Articles 12, 13, 14)

  • Data exporting (Csv) (The right to data portability-Article 20)

  • Data erasure (The right to be forgotten)

  • Data rectification (The right to rectification-Article 16)

  • Master data blocking (The right to restrict processing-Article 18)

  • GDPR request Log (Records of processing activities-Article 30)

GDPR Requests List

Go to GDPR Requests in order to write the request (e.g. a customer wants information about her/his data in the Company database). Press New:

Field                 Description
Entry No.             Number of the request.
Type                  Choose the desired option:
                        • Information (somebody wants information about her/his data in the Company database)
                        • Portability (somebody, e.g. a customer, asks for data export)
                        • Adjust (somebody asks for data adjustment)
                        • Delete (somebody asks for data erasure)
                        • Block (somebody asks for data block)
                        • Encrypt (somebody asks for data encryption)
Status                Status of the request (Initial/Pending/Completed).
Request Description   Insert a description of the request.
Search String         Insert what you are searching for.
User ID, Created On   These fields contain the user name and the date of the search. They are automatically filled in by the system.
Total Matches         Number of matching results.

By clicking on Process->Execute the system will show all the matches discovered, depending on the fields marked as containing personal information in the GDPR setup. 

Click on Card:

Select the lines to be processed, click on Report and choose the desired action (Print/Export File or Delete/Block/Encrypt).

By clicking Open Record you can adjust data if it is necessary.

Finally you need to change the Request Status to "Completed". Date and user ID are automatically written by the system.

N.B.

These instructions are IRREVERSIBLE. Once the Status is set to "Completed" it cannot be reverted.

Setup

In GDPR Setup you need to fill the setup for each table which contains personal data:

Action                      Description
Suggest Initial Setup       The system suggests tables in order to create a setup.
Import / Export GDPR Setup  It is possible to import a previous setup or export a setup (Excel file) by clicking on Import/Export GDPR Setup.
Import Data                 It is possible to import all previous data (setup + searches) in case of migration from NAV to BC.
Suggest Related Table       The system suggests a setup for other tables (e.g. custom tables).

By clicking on New it is possible to create a new table setup:

Fill in the table ID and then, by clicking on Suggest Fields, the system will show a field list containing personal data.

Select, click OK and the system will import the fields in the setup page.

For each field you can choose whether to encrypt or delete data.
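The following is an added, simplified model of the workflow described in the "GDPR Requests List" and "Setup" sections: a per-table setup marks which fields hold personal data and whether each is deleted or encrypted, Execute searches only those fields, Report collects the matched personal data for Information/Portability requests, and Process applies Delete/Block/Encrypt and then sets the request to Completed, after which it cannot be processed again. This is illustrative example code, not the GDPR Toolset app's own code or AL objects. The table and field names, the sample records, and the use of a keyed HMAC token as a stand-in for the app's encryption (the page does not describe its cipher) are all assumptions made for the example.

```python
"""Simplified model of a GDPR request: setup -> discovery -> report/process."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):          # per-field choice in the GDPR Setup
    DELETE = "Delete"
    ENCRYPT = "Encrypt"


class RequestType(Enum):     # "Type" field of a GDPR request
    INFORMATION = "Information"
    PORTABILITY = "Portability"
    ADJUST = "Adjust"
    DELETE = "Delete"
    BLOCK = "Block"
    ENCRYPT = "Encrypt"


class Status(Enum):          # "Status" field of a GDPR request
    INITIAL = "Initial"
    PENDING = "Pending"
    COMPLETED = "Completed"


# GDPR Setup: table -> {field: action}. Table and field names are assumptions.
SETUP = {
    "Customer": {"Name": Action.ENCRYPT, "E-Mail": Action.DELETE, "Phone No.": Action.DELETE},
    "Vendor": {"Name": Action.ENCRYPT, "E-Mail": Action.DELETE},
}


def sample_database():
    """Constructed, fictional records; a fresh copy is returned on every call."""
    return {
        "Customer": [
            {"No.": "C0001", "Name": "Mario Rossi", "E-Mail": "mario.rossi@example.com",
             "Phone No.": "+39 055 000000", "Blocked": False},
            {"No.": "C0002", "Name": "Anna Bianchi", "E-Mail": "anna@example.com",
             "Phone No.": "", "Blocked": False},
        ],
        "Vendor": [
            {"No.": "V0001", "Name": "Rossi Forniture", "E-Mail": "mario.rossi@example.com",
             "Blocked": False},
        ],
    }


@dataclass
class GdprRequest:
    entry_no: int
    request_type: RequestType
    description: str
    search_string: str
    status: Status = Status.INITIAL
    matches: list = field(default_factory=list)   # (table, record index, field name)

    @property
    def total_matches(self):
        return len(self.matches)


def execute(request, database, setup=SETUP):
    """Process->Execute: case-insensitive substring search restricted to setup fields."""
    needle = request.search_string.lower()
    request.matches = [
        (table, idx, fld)
        for table, fields in setup.items()
        for idx, rec in enumerate(database.get(table, []))
        for fld in fields
        if needle in str(rec.get(fld, "")).lower()
    ]
    request.status = Status.PENDING
    return request.total_matches


def report(request, database, setup=SETUP):
    """Report/Export: the personal-data fields of every matched record (Information/Portability)."""
    out = {}
    for table, idx, _ in request.matches:
        rec = database[table][idx]
        out[(table, rec["No."])] = {f: rec[f] for f in setup[table]}
    return out


def _pseudonymise(value, key):
    # Stand-in for the app's encryption (assumption): a keyed HMAC token replaces the value.
    return "ENC:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def process(request, database, key=b"demo-key-not-for-production", setup=SETUP):
    """Apply Delete/Block/Encrypt to matched records, then mark the request Completed."""
    if request.status == Status.COMPLETED:
        raise ValueError("request already Completed; the status cannot be reverted")
    touched = set()
    for table, idx, _ in request.matches:
        if (table, idx) in touched:
            continue                      # one record may match on several fields
        touched.add((table, idx))
        rec = database[table][idx]
        if request.request_type == RequestType.BLOCK:
            rec["Blocked"] = True         # master data blocking: record kept but unusable
        elif request.request_type == RequestType.ENCRYPT:
            for f in setup[table]:
                rec[f] = _pseudonymise(str(rec[f]), key)
        elif request.request_type == RequestType.DELETE:
            # the per-field setup decides whether a field is blanked or encrypted
            for f, action in setup[table].items():
                rec[f] = "" if action == Action.DELETE else _pseudonymise(str(rec[f]), key)
    request.status = Status.COMPLETED
    return len(touched)


if __name__ == "__main__":
    db = sample_database()
    req = GdprRequest(1, RequestType.DELETE, "customer asks for erasure", "rossi")
    print("matches:", execute(req, db))
    print("report:", report(req, db))
    print("records processed:", process(req, db), "status:", req.status.value)
```

Two points worth noticing in the model: discovery only looks at fields listed in the setup, so a table or field missing from the setup is invisible to every request type, and the completion check at the top of process() is what makes the status change a one-way operation, matching the N.B. above.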