Data Privacy and Business Central

Privacy and personal data in Dynamics 365 Business Central on Data Protection Day

Thursday, January 28, is European Privacy Day ("Data Protection Day"), an initiative to better inform European citizens about their rights regarding the use of their personal data by companies and public authorities. Most people know that they have a number of rights: the right to access, the right to be forgotten (deletion of your data), rectification, data portability and restriction of processing. Everybody knows that individuals have these rights, but are you prepared if these individuals are your customers? And what do you do if they actually make such a request?

Do you process personal data of individuals?

If you use Business Central for business-to-business (B2B), you have relatively little to do with GDPR. At most, you process personal data of contacts or employees. If you also have business-to-consumer (B2C) transactions or only B2C, then you are processing personal data of individuals. These individuals can exercise the rights mentioned above. So what options do you have?

Fortunately, Microsoft Dynamics has provided a number of 'privacy tools':

  1. Privacy blocked
  2. Data classification
  3. Data Privacy Tool

These privacy tools will be further explained below.

  1. Privacy blocked

    On several pages that may contain personal data (contact, customer, supplier, employee) there is an option 'Privacy Blocked'.

    The main concept of this option relates to the 'restriction of processing' right. If an individual asks you to change or stop processing their data, you can block them for privacy reasons for as long as the investigation lasts. It is then no longer possible to use this data (unintentionally) in transactions.

  2. Data classification

    This is a bit more complex. In order to properly process privacy-sensitive data, it is important to classify the data. 

    For each field in each table, you can indicate whether the data is confidential, personal, confidential business information or normal. This way you can identify the actual personal data that is subject to the GDPR. This seems like a lot of work, but fortunately Microsoft has built in a useful wizard to help you do this.

  3. Data Privacy Tool

    Finally, with this tool you can create an (Excel) report of the privacy-sensitive data of a particular customer, employee or other data subject.

    If you have correctly completed the data classification, you will not only get the contact card, but also all related transactions where the personal data of this contact appears, such as invoices, orders etc. Because you are able to import the Excel report into BC afterwards, you can correct or delete specific data. This way you comply with your obligation in relation to the GDPR.

Access permissions

In addition to the above-mentioned rights of individuals, it is also important (according to the GDPR) that data is only processed for the purpose for which it was collected. Depending on the sensitivity of the data, it may even be the case that data can only be viewed by employees who need to do so for their organisational role. Think, for example, of staff data.

Fortunately, with the default authorization functionality (optionally extended with the 2-Control Field Security app) you can manage this.

If you want to know more about GDPR or about 2-Control's software, please contact us.
