Data protection and compliance for Dynamics 365
How to address data protection and compliance requirements for Dynamics 365 — GDPR, HIPAA, SOX, industry regulations, and the operational practices.
Dynamics 365 holds customer data, employee data, financial data — all subject to varied data protection and compliance regulations. Failing to address these isn't just legal risk; it's brand and operational risk. Data protection and compliance in Dynamics 365 requires intentional design, ongoing operational discipline, and audit-ready documentation.
Key regulations.
- GDPR (EU) — broad personal data protection.
- CCPA / CPRA (California) — US state privacy.
- HIPAA (US healthcare) — PHI protection.
- PCI-DSS — credit card data.
- SOX (US financial) — controls over financial systems.
- GLBA (US financial services) — customer financial info.
- PIPEDA (Canada) — personal information.
- APP (Australia) — Australian privacy principles.
- Country-specific — many more.
Each has specific requirements; multi-jurisdiction operations face all of them.
Microsoft's role and customer's role.
- Microsoft — operates the cloud platform; provides technical capabilities; meets infrastructure-level compliance.
- Customer — configures, uses, governs data; meets organisational-level compliance.
This shared responsibility model is fundamental. Microsoft can't comply on your behalf.
Microsoft compliance certifications.
- ISO 27001, 27017, 27018 — security and cloud.
- SOC 1, 2, 3 — assurance.
- HIPAA BAA — health data.
- GDPR DPA — data protection.
- FedRAMP — US government.
- CSA STAR — cloud security.
Foundational; verify Microsoft's certifications cover your regulatory obligations.
Customer responsibilities.
- Data classification.
- Access controls.
- Consent management.
- Retention policies.
- Right to access / erasure responses.
- Breach response.
- Documentation.
- Training.
- Vendor management.
Each requires programme, not just configuration.
GDPR specifics for Dynamics.
- Lawful basis documented for processing personal data.
- Consent management — where consent is the basis.
- DPIA (Data Protection Impact Assessment) for high-risk processing.
- Records of processing activities (ROPA).
- DPO (Data Protection Officer) if required.
- Right to access — subject access requests.
- Right to erasure — delete on valid request.
- Right to portability — provide data in machine-readable form.
- Breach notification — 72-hour to authorities.
Each obligation has operational implication; Dynamics supports but doesn't automate everything.
Data subject access requests (DSARs). Operational process:
- Receive request.
- Verify identity.
- Find all data about the subject across systems.
- Compile.
- Provide within regulated timeframe.
For multi-system landscapes (Dynamics + external systems), DSAR is complex. Microsoft provides Privacy Compliance Manager tools.
Right to erasure. Similar complexity:
- Find data.
- Delete or anonymise.
- Cascade across systems.
- Document.
- Respect exemptions (legal hold, etc.).
Without process, requests overwhelm.
HIPAA specifics.
- BAA with Microsoft.
- Minimum necessary principle — access only what's needed.
- Audit logs for PHI access.
- Encryption at rest and in transit.
- Breach response with specific notifications.
- Workforce training.
For healthcare deployments, HIPAA is non-negotiable.
PCI-DSS.
- Credit card data must NEVER be stored in Dynamics.
- Use tokenisation via payment processors (Stripe, etc.).
- Tokens stored, not card numbers.
- PCI scope minimised.
For B2B services with card-on-file, tokenisation is the only acceptable pattern.
Data classification. As covered in [[data-classification-for-dynamics-365]]:
- Public / Internal / Confidential / Restricted.
- Personal data tagged.
- Drives downstream controls.
Access controls.
- Role-based access — security roles in Dataverse.
- Field-level security — restrict sensitive fields.
- Hierarchical security — manager-direct-report.
- Conditional access — based on device, location.
- MFA enforcement.
Layered defense; one mechanism alone insufficient.
Audit logging.
- Dataverse audit — record changes.
- Security audit — login attempts.
- API audit — programmatic access.
- Retention period — per regulation requirements.
Auditors verify logs exist; absence is finding.
Encryption.
- At rest — Microsoft default + optional customer-managed keys.
- In transit — TLS standard.
- Specific fields — for highest sensitivity.
Default encryption sufficient for most; regulated industries may need CMK.
Data residency.
- Where data is physically stored.
- Where data may be processed.
- Cross-border restrictions for some jurisdictions.
Microsoft offers regional deployments; select per requirements.
Vendor management.
- ISV apps process customer data.
- Vendor compliance assessed.
- Contracts include data handling terms.
Third-party risk part of compliance picture.
Breach response.
- Detection — monitoring for anomalies.
- Containment.
- Assessment — what was affected.
- Notification — to regulators and affected.
- Remediation.
- Documentation.
Plan before breach; rehearse occasionally.
Records retention.
- Per regulation requirements.
- Per business need.
- Automated deletion of out-of-retention.
- Legal hold capability.
Records retention is required compliance; ad-hoc cleanup insufficient.
Common pitfalls.
- Compliance as one-time project. Compliance is ongoing.
- Documentation lags reality. Inspectors find gaps.
- No training. Staff create breaches.
- Vendor management informal. Third parties bypass controls.
- No audit log review. Logs exist; nobody looks.
- Right-to-erasure can't fulfil. Data scattered across un-mapped systems.
Operational rhythm.
- Daily — security monitoring.
- Weekly — DSAR queue.
- Monthly — access reviews.
- Quarterly — compliance posture.
- Annual — audit, training refresh, policy review.
Strategic positioning. Data protection and compliance is foundational, not optional. For regulated industries, it's existential — non-compliance threatens the licence to operate. For all organisations, it's brand and trust.
For decision-makers:
- Treat compliance as ongoing programme.
- Invest in dedicated capability (DPO, privacy officer).
- Use Microsoft tools (Purview, Compliance Manager).
- Document everything.
- Train continuously.
- Audit regularly.
The investment is meaningful; the cost of non-compliance — fines, breach damage, reputation — is far greater. Build compliance into the system design, not bolted on later.
Related guides
- Dynamics 365 and Conditional AccessHow Conditional Access protects Dynamics 365 — policy patterns, MFA, device compliance, location-based controls, and the Zero Trust patterns.
- Dynamics 365 and Microsoft DefenderHow Microsoft Defender protects Dynamics 365 environments — Defender for Cloud, Defender for Cloud Apps, Defender for Identity, and threat detection patterns.
- Dynamics 365 and Microsoft PurviewHow Microsoft Purview integrates with Dynamics 365 for unified data governance — sensitivity labels, data loss prevention, audit, retention, and the compliance integration.
- Accessibility in Dynamics 365 appsHow Dynamics 365 supports accessibility — keyboard navigation, screen readers, colour contrast, ARIA, and the requirements for compliance with WCAG, Section 508, and EN 301 549.
- Data residency and compliance in Dynamics 365Where Dynamics 365 data lives, how compliance certifications stack up, GDPR and country-specific rules, and the customer's responsibilities.