Archive for the ‘Corporate Performance Management’ category

GDPR misses the mark

August 16th, 2018

GDPR took effect in May of this year, at least with regards to enforcement. A few days after the May 25 date, a German court ruled against ICANN, the company that registers domain names on the Internet and manages the global WHOIS database. The case revolves around the information collected when you register a domain. ICANN wants multiple contacts, which it has required for decades. However, a partner company in Germany, EPAG (the German registrar), argued that the additional technical and administrative contacts were not required for fulfilling the business that both ICANN and EPAG are engaged in.
ICANN is appealing the ruling, citing the need for clarification of what this means with regard to the law.

There is an interesting argument here to be made about what data is needed for a business purpose. I could see this being argued successfully either way, and not just in court. As a domain holder, does the registrar really need multiple different sets of personal information from me? Arguably, this is a convenience for them, that is based on tradition. However, one could argue the other way. It is a little scary that a court, with no expertise in some industry (Internet domain registration, in this case), will decide whether there is an actual business need. Can a lawyer or judge really understand what data a business needs in their daily activities?

Is it unreasonable to find technical people collecting data, not maliciously, but to anticipate what might be asked of a system, or to avoid rework? Is it wrong to collect everything that might be relevant or useful to save time on future queries?

So now we have the ridiculous situation where more and more transactions can only sensibly be done online, but only if you agree to provide personal data as part of the terms and conditions. How does that protect anyone? I can understand that large IT companies with heavy investment in cloud data centres are happy to see legislation that makes it impossible for small companies to compete – encryption, additional training and audit costs, huge infrastructure and software protection costs to deal with hypothetical risks to data that is largely in the public domain on Facebook, LinkedIn and telephone directories. Governments have new reasons to fine companies. Auditors and lawyers have another source of income. This all drives up costs, so how does that benefit the individual?

Why there is not more loud protest and outright rejection of this ridiculous legislation I don’t understand. I doubt even 20% of companies affected comply.

That does not mean that you should not take data protection seriously. The problem with GDPR is that it is being applied as a sledgehammer. Companies are trying to enforce complex systems for protection of data to which there is no identified risk, or indeed where there may not even be any data stored.

If an organisation has no central documented overview of the data it holds and processes, it is highly likely to fail in its stewardship of data. This will result in severe damage to that organisation. To protect anything, you have to know where it is, and who needs to use it. With data, you have to know at least its relative importance in terms of its confidentiality, integrity and availability. You also need to know why it is retained and how it is used within the organisation and by which role. With this information, you will then have a much clearer idea of the requirements for that data, sufficient to appropriately strengthen the organizational workflows and applications to minimize the risks to that data.

If your organisation is ever caught up in a data breach or other incident that might affect its reputation or even result in legal action, then the exercise of at least having taken information security seriously will provide mitigation for the organisation. Any organisation that takes its stewardship of data seriously and responsibly will take the next step and ensure that all data is held in an appropriate regime that will protect it from malice, disaster, conflict and human failings. They might even save on resources by reorganizing organizational data according to risk rather than by department or activity.

In a recent case, not considered under GDPR, the potential problems surfaced. In Claimants v WM Morrisons Supermarket, the High Court found that Morrisons was vicariously liable for the deliberate and criminal disclosure by a rogue employee of personal data belonging to his co-workers.

The employee was an internal auditor for Morrisons. In that role he had access to personal data about other employees. However, he felt he had been unfairly disciplined over a conduct issue and as a result became disaffected. A couple of months later Morrisons’ external auditor asked for payroll data for audit purposes and the employee was asked to handle the request. The data was, at Morrisons’ request, downloaded onto the employee’s work computer. He passed the data to the external auditor but he didn’t delete it from his computer. Some weeks later he uploaded the data onto the internet, under the name of another employee. The individuals whose personal data was wrongly disclosed then sued Morrisons, arguing that Morrisons was the data controller and so was responsible for the breach. Alternatively, if it was not the data controller, that it was vicariously liable for the wrongful actions of the rogue employee.

The High Court accepted that Morrisons was not the data controller at the point at which the individual was loading the data onto the website. Similarly, although the Court accepted that Morrisons should have been more proactive in ensuring that the data on the employee’s computer was deleted as soon as it was no longer needed, this did not actually cause the damage. The Court’s view was that the employee would have sought to circumvent any precaution put in place, given that this was a deliberate breach designed to cause problems for Morrisons.

That left the claim for vicarious liability. Whether an employer is vicariously liable depends on there being a sufficiently close connection between what the employee was employed to do and their wrongful actions. Here, the Court accepted there was a sufficient connection and so Morrisons was vicariously liable. The employee was given access to the data through his work and was deliberately entrusted with the confidential information. Even though he had acted improperly and also used another employee’s name to post the information on the Web, his motive was irrelevant in deciding whether there was vicarious liability.

Given that around 100,000 employees were affected by this data breach, compensation could be significant. Importantly, it is not necessary for the affected employees to show that they have suffered financial loss. Individuals can claim for distress merely from the disclosure of their data. This case has worrying implications for employers. Here the employee’s actions were entirely deliberate, and even though none of the employer’s actions led to the data breach it was still held liable.

Given the employee’s actions were designed to cause problems for Morrisons, by passing liability to the supermarket, the Court’s ruling has in many ways furthered the employee’s wrongful aims.

Unsurprisingly, Morrisons intends to appeal so all employers will be watching carefully to see what happens next.

While not decided under the principles of the GDPR, this case is representative of a new data privacy environment in the workplace, with greater accountability for employers and increased employee rights. More data breach claims may follow, particularly given that it is not necessary for an individual to show loss to claim compensation.

What is clear from the case is that employers will be responsible for the employee data they hold and must apply the strictest possible controls to try to mitigate the risks presented by rogue individuals. Such controls could include: limiting the number of people who have access to personal data for work purposes, ensuring individuals who have such access only have it for a limited period, and that data security measures are in place to flag misuse of the data. Further, the personal consequences of data breaches should be outlined to those who need to have access to colleagues’ personal data for their job.
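The controls described above, as an added example that is not part of the original post: a Python script that checks constructed audit-log lines against time-bounded access grants, flags any access with no active grant or a bulk export that warrants review, and lists exports whose grant has since ended so that the local copy can be confirmed deleted. The grant, the log format, the user names and the 1,000-record threshold are all constructed for the illustration.

```python
"""Added example (not from the original post): flag use of payroll data outside an
approved, time-bounded access grant, and remind reviewers to confirm deletion once
the grant has ended. All names, the log format and the sample rows are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """Time-bounded permission for one person to use one dataset for one purpose."""
    user: str
    dataset: str
    purpose: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    dataset: str
    action: str   # "read" or "export"
    records: int


# Constructed grant modelled on the case above: one internal auditor may export
# payroll data to answer the external auditor's request, for two weeks only.
GRANTS = [
    Grant("auditor1", "payroll", "external audit request",
          datetime(2018, 1, 8), datetime(2018, 1, 22)),
]

# Constructed audit-log lines, format "timestamp|user|dataset|action|records".
SAMPLE_LOG = """\
2018-01-10T09:15:00|auditor1|payroll|export|100000
2018-01-10T09:40:00|auditor1|payroll|read|1
2018-02-14T23:05:00|auditor1|payroll|export|100000
2018-02-15T08:00:00|hr_clerk|payroll|read|3
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the pipe-separated constructed log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, action, records = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user,
                                  dataset, action, int(records)))
    return events


def covering_grant(event: AccessEvent, grants: List[Grant]) -> Optional[Grant]:
    """The grant that authorised this event at the time it happened, if any."""
    for g in grants:
        if (g.user == event.user and g.dataset == event.dataset
                and g.start <= event.when <= g.end):
            return g
    return None


def flag_misuse(events: List[AccessEvent], grants: List[Grant],
                bulk_threshold: int = 1000) -> List[Tuple[str, str, str]]:
    """Return (severity, user, reason) for every event a reviewer should look at.

    'violation': no active grant covered the access (wrong person or expired window).
    'review'   : authorised, but a bulk export worth confirming against its purpose.
    """
    findings = []
    for e in events:
        g = covering_grant(e, grants)
        if g is None:
            findings.append(("violation", e.user,
                             f"{e.action} of {e.dataset} at {e.when.isoformat()} "
                             f"with no active grant"))
        elif e.action == "export" and e.records >= bulk_threshold:
            findings.append(("review", e.user,
                             f"bulk export of {e.records} {e.dataset} records "
                             f"for '{g.purpose}'"))
    return findings


def deletion_due(events: List[AccessEvent], grants: List[Grant],
                 now: datetime) -> List[Tuple[str, str]]:
    """Authorised exports whose grant has expired by `now`: the copy should be gone."""
    due = []
    for e in events:
        g = covering_grant(e, grants)
        if g is not None and e.action == "export" and g.end < now:
            due.append((e.user, f"confirm deletion of {e.dataset} export from "
                                f"{e.when.date()} (grant '{g.purpose}' ended {g.end.date()})"))
    return due


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in flag_misuse(evs, GRANTS):
        print(finding)
    for item in deletion_due(evs, GRANTS, evs[-1].when):
        print(item)
```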

This is becoming farcical – how should a company reply to, for example, a request for a reference, or a credit check?
If one employee volunteers another’s phone number, is that really something for which an employer should have liability to pay compensation?
As with other misguided legislation, this will accelerate adoption of AI and elimination of human workers.

If ever you want proof of the law of unintended consequences this legislation is going to be high on the list.

Dynamics 365 recent news June 2018

June 14th, 2018

Microsoft is rolling out a new Support Center for Dynamics 365. It’s still in Preview (as of June 2018), but if you meet the prerequisites you can check it out now. It’s simple to navigate when you have the appropriate Office 365 role. After logging into Portal.office.com, go to https://admin.dynamics.com to see the new support center. Once you’ve submitted a ticket, you can monitor open support issues from the same place.

Dynamics 365 Spring 2018 release – updates and resources

On June 1st, Microsoft announced on their official Dynamics 365 Twitter channel (@MSFTDynamics365) that the Dynamics 365 Spring 2018 release notes are updated. Several changes were made to the Field Service, Social Engagement, Talent, Finance and Operations, PowerBI, Microsoft Flow and Data Integration sections of the Spring 2018 release notes.

This follows another series of updates announced on May 1st, so if you’ve read the Spring 2018 update notes upon their first release last April, there is now a lot of new information!

Information and links about the Dynamics 365 Spring 2018 release:
• Dynamics 365 Spring 2018 release page (with on-demand videos to learn more about the Dynamics 365 capabilities)
• Spring ’18 Release Overview page on the Microsoft website (includes link to download the release notes)
• Spring ’18 change history (to check everything that has changed since April)
• Dynamics 365 Spring 2018 release – documentation & readiness (for a few additional resources)
• Watch the Business Applications spring launch event on-demand – for more information about Dynamics 365 Business Central

On the Microsoft documentation site, you will find information and a number of resources to help you understand how Dynamics supports GDPR, and tools for customers to define and support their GDPR obligations.

Visit the site to access the following types of information:
• White papers
• Data Subject Requests
• Compliance Manager
• Webcasts
• Blogs
• eBooks
See https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data/

Customer consent is a major aspect of the regulations. It is important that you include relevant information in your marketing objects (like landing pages and email marketing messages) that unambiguously informs your audience about the data you collect and the purpose of your processing. Your audience must have the option to give consent freely, make an informed decision, and be able to review, update, or revoke consent at any time.

Dynamics 365 for Marketing:
• Allows you to request, capture, and store consent
• Lets you design your marketing activities to respect the consent given by your audience

See this informative post: https://blogs.technet.microsoft.com/lystavlen/2018/06/07/consent-management-in-dynamics-365-for-marketing/

Microsoft delivers new features and improvements to Dynamics 365 (online) through service updates that are periodically delivered to customers. They recommend you update to the latest major version when it becomes available. The update policy defines how customers move from one version to the next. Customers have the option to provide consent prior to updating their organization. Customers also have the choice to either take the updates as they become available or take only one update per year. If a customer chooses to take only one update per year, then this update is mandatory and the customer will be required to take the update during the available dates for that release.

In keeping with this policy, all organizations running version 8.1 (two versions behind the current version) will be upgraded to Dynamics 365 (online), version 9.0.2. The automatic update will take place during your normal maintenance window. So please ensure you plan for testing and any updates you need to make.

At the beginning of the year, Microsoft set out to bridge the gap between Dynamics 365 App for Outlook, the future of Dynamics 365 and Outlook integration, and the legacy Outlook add-in, Dynamics 365 for Outlook. The latest improvements to server-side synchronization and Dynamics 365 App for Outlook in Dynamics 365 (online) version 8.2 enable customers to track emails, appointments, and tasks in Outlook with a special “Tracked to Dynamics 365” Outlook category enabled through server-side synchronization. Assigning the category to an email, appointment, or task in Outlook will track the item to Dynamics 365. Category-based tracking via server-side synchronization is an opt-in experience. This is currently available on Dynamics 365 (online) version 8.2, with support for version 9.0 soon to follow.

Service Update 8 for Microsoft Dynamics 365 8.2.2 (online) is now available. Resolved issues include:
• Recurring Appointment occurrence is not updated correctly when synchronizing with Dynamics 365 for Outlook
• A user should be able to untrack an auto-tracked email before the email tagger processes the item
• Duplicate Detection triggers when SuppressDuplicateDetection parameter is set to true
• Views saved with Custom Filters do not respond to changes in filter criteria
• Generic SQL Error occurs while trying to perform an Offline Sync with the Dynamics 365 for Outlook
• Unable to filter Orders by Currency
• Associated View icon for Leads does not appear on an Account

The latest update to the Field Service and Project Service Automation solutions for Dynamics 365 version 9.0.x is now available.

The Voice of the Customer app provides a new experience in survey and theme designing. The new survey designer provides a simple and intuitive experience to add, remove, and modify survey pages, sections, questions, and answers. See https://blogs.msdn.microsoft.com/crm/2018/05/23/whats-new-in-voice-of-the-customer-version-9-0-1162/

Microsoft Social Engagement 2018 Update 1.5 is now available. Social Engagement now shows attached images and videos in private messages on Facebook and direct messages on Twitter directly in the post list. Resolved issues include:
• Fixed an issue to ensure that private messages in any language are acquired by Social Engagement.
• Fixed an issue where private messages in Indonesian language were discarded due to wrong language mapping.
• Fixed an issue where the ‘Link to Dynamics 365’ filter didn’t have a tooltip, making it impossible in some languages to understand if a post from Social Engagement is or isn’t linked to Dynamics 365.
• Fixed an issue that prevented adding multiple Facebook pages as social profiles.

Microsoft Inspire is next month! It will be held in Las Vegas, Nevada, from July 15th to July 19th.

Cyber attacks doubled in 2017 – expect 2018 to be worse.

January 27th, 2018

Cyber attacks on businesses nearly doubled in the past year. A new report, the Cyber Incident & Breach Trends Report, released by the Online Trust Alliance (OTA), found 156,700 cyber incidents last year, compared to 82,000 in 2016. The OTA is an Internet Society initiative designed to improve online trust.

The organization believes that since a majority of cybersecurity attacks are never reported, the number of cyber incidents last year could actually be closer to 350,000. “Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.”

The OTA claimed that most of the incidents could have been prevented easily – 93 percent of breaches could have been avoided by regularly updating software, blocking fake emails, and training people to recognize phishing attacks.

• 52% of security incidents were the result of an actual attack.
• 15% resulted from a lack of security software.
• 11% were caused by credit card skimming.
• 11% resulted from companies not having controls to prevent employees’ negligent or malicious actions.
• 8% were the result of phishing scams.

Electron is a framework built on Node.js, V8 and Chromium for the development of cross-platform desktop apps with JavaScript, HTML and CSS. The Electron framework is popular and widely used by a range of desktop app services; Skype, Signal, Slack, Shopify and Surf are among the users. A critical vulnerability affecting Electron desktop apps has recently been disclosed.

Regular patching has always been a best practice and neglecting it is a known cause of many breaches.

In 2017 the Equifax breach brought home that message.

In 2018 a patching strategy needs to be integral to your processes because of the Spectre and Meltdown vulnerabilities reported (see our earlier posts), when it was highlighted that nearly every computer chip manufactured in the last 20 years was found to contain fundamental security flaws.

VAT key steps – Synergy Software Systems, Dubai.

January 8th, 2018

1- Maintain regular accounting books and records

Account maintenance is now mandatory under UAE VAT Law and it facilitates the correct receipt and payment of cash and other transactions entered by a company. Audited accounts will be needed so don’t wait till year end to find an auditor that suits your business.

2- Make changes to the core processes and accounting departments

It is important to change your core processes and adapt your accounting departments to achieve tax compliance. For SMEs, with limited transactions, the task is easier as the transition is less likely to require significant systematic change or they might use an external bookkeeper or tax agent.

3- Train staff, especially financial management

Employees need proper insight around GCC-wide initiatives to implement VAT across the region and how companies should prepare. Help them de-mystify VAT by providing on the job training and a framework to raise and clarify queries. Avoid disputes with trading partners and ensure staff have the relevant information and training to resolve issues that arise.

4- Review your contracts and the contracts and conditions agreed with dealers

Many businesses negotiated contracts at a time when VAT was not payable but which run across the implementation date. It is time to now bring contracts into step with the UAE’s economic context.

5- Consider accounting software for bookkeeping

Electronic reporting systems are increasingly being used by tax authorities. The ability to produce the required audit file details on demand will be difficult without a system. Companies that use electronic invoicing are likely to improve the timing of VAT recovery on costs.

6- Adhere to VAT deadlines

Register your company to avoid a fine as severe as AED 20,000. The Federal Tax Authority (FTA) has already extended the deadline to the 1st of January, and if you don’t complete VAT registration you will also have to stop sales till you get your tax registration certificate (TRC).

Note initial returns are due 28 January 2018 so time is running out.

7- Study UAE tax legislation

The implementation of taxes in the UAE came with a whole new set of procedures. We recommend that you study and get familiar with the different laws in place, including the UAE VAT Law, and discuss them with your auditor, tax agent and software provider.

8- Keep an eye out for new information

There have been a slew of clarifications in the last month and some details are still not finalised e.g. with regard to free zones, or which companies will report monthly and which quarterly.

SQL Server 2014 SP2 CU9

January 2nd, 2018

On December 18, 2017, Microsoft released SQL Server 2014 SP2 CU9, which is Build 12.0.5563.0.
This CU has seven public hotfixes, most of which are for the SQL Engine or SQL performance, critical for tasks like MRP, inventory close, consolidation etc.

Since SQL Server 2014 SP1 and earlier are no longer “supported service packs”, there is no corresponding CU for the SP1 or RTM branches of SQL Server 2014.

As always, make an effort to stay current on cumulative updates.

Dynamics Ax 2012 and SQL version compatibility – Synergy Software Systems your Dubai Dynamics Partner

December 27th, 2017

There are no plans to support Microsoft SQL Server 2017 with AX 2012 R3.

Management Reporter 2012 is also currently not compatible with Microsoft SQL Server 2017. When you try to install Management Reporter 2012 on SQL Server 2017, you receive this error:

The database deployment failed. Additional information: Microsoft.SqlServer.Dac.DacServicesException: Could not deploy package. —> Microsoft.Data.Tools.Schema.Sql.Deployment.DeploymentFailedException: Unable to connect to target server.

Management Reporter for AX 2012 is supported with a minimum of SQL Server 2012 Standard Edition.
We recommend being on at least SQL Server 2016 SP1 for both Dynamics AX 2012 and MR 2012.

SQL version – when should you upgrade – ask your Dynamics U.A.E. Partner, Synergy Software Systems

December 23rd, 2017

SQL Server was for many years on a two-year release cycle. SQL Server 2017 arrived less than 18 months after SQL Server 2016 became available.

Since 2005 each release of SQL Server brings exciting new features and improvements to existing capabilities. Many organizations are running instances that are several versions of SQL Server behind.

Keeping up with the latest SQL Server versions is a challenge, but falling behind risks losing mainstream support and missing out on beneficial features. Often database administrators must support multiple versions at once, and consultants face an even greater range of versions across their customers.

Microsoft has not committed to any specific release cadence for versions of SQL Server. Many clients, it seems, are still running SQL Server 2008 R2. One reason why companies are hesitant to make the move off 2008 R2 is the change to per-core licensing. The effort to test and to upgrade is discouraging, but it is better to do this on a planned basis than as a reaction to a crisis.

It was a painful experience to upgrade from SQL Server 2000, but the compatibility gap between versions is much narrower once past 2005. To make upgrading easier, Microsoft provides a tool called the Upgrade Advisor for each new version that will spot issues and provide a chance to resolve them before starting the upgrade process. Virtualization also makes setting up testing environments much simpler and quicker.

With each new version there are enhancements to T-SQL, improved availability and disaster recovery functionality, more security options, and additional ways to get better performance. SQL Server 2016 Service Pack 1 was a game changer: many previously Enterprise-only features were ported down to more affordable editions.

Another consideration is support. It doesn’t take long to reach the end of mainstream support. SQL Server 2008 R2, for example, has been out of mainstream support since 2014. While it’s still in extended support, which will ensure security hotfixes, other support features are available only on a paid basis.

When you look at ERP upgrades it makes sense to also review your SQL upgrade plans.

G.C.C VAT transitional arrangements

December 17th, 2017

About two weeks ago, H.E. Khaled Al Bustani, Director General of the Federal Tax Authority (“FTA”), announced on the radio that the UAE will treat movements of goods between the UAE and the Kingdom of Saudi Arabia (“KSA”) as “non-GCC” exports (i.e. when goods are shipped from the UAE to KSA) and “non-GCC” imports (i.e. when goods are shipped to the UAE from KSA).

This means that a transitional period will apply until an Electronic Service System is introduced and both the UAE and KSA consider each other as “VAT Implementing States”. It seems likely that this will be when the full GCC has introduced VAT and the electronic reporting system is established across the region.

U.A.E. VAT registration time is running out

December 17th, 2017

Companies in the UAE that have not got their tax registration number (TRN) yet will have to procure it within the next 14 days.

Companies who have not completed their VAT registration within the dates prescribed by the Federal Tax Authority (FTA) will have to pay a fine worth Dh20,000 and also stop sales until they get the TRN or tax registration certificate (TRC).

U.A.E. VAT rates

December 9th, 2017

The Federal Tax Authority (FTA) has announced the supplies that will be subject to Value Added Tax (VAT) as of January 1, 2018. Selected supplies in sectors such as transportation, real estate and financial services will be completely exempt from VAT, whereas certain government activities will be outside the scope of the tax system (and, therefore, not subject to tax). These include activities that are solely carried out by the government with no competition with the private sector, and activities carried out by non-profit organisations.

The UAE Cabinet is expected to issue a decision to identify the government bodies and non-profit organisations that are not subject to VAT.

VAT treatment of selected industries:

Education:

Private and public school education (excluding higher education) and related goods and services provided by education institution: 0%
Higher education provided by institution owned by government or 50% funded by government, and related goods and services: 0%
Education provided by private higher educational institutions, and related goods and services: 5%
Nursery education and pre-school education: 0%
School uniforms: 5%
Stationery: 5%
Electronic equipment (tablets, laptops, etc.): 5%
Renting of school grounds for events: 5%
After school activities for extra fee: 5%
After school activities supplied by teachers and not for extra charge: 0%
School trips where purpose is educational and within curriculum: 0%
School trips for recreation or not within curriculum: 5%

Healthcare:

Preventive healthcare services including vaccinations: 0%
Healthcare services aimed at treatment of humans including medical services and dental services: 0%
Other healthcare services that are not for treatment and are not preventive (e.g. elective, cosmetic, etc.): 5%
Medicines and medical equipment as listed in Cabinet Decision: 0%
Medicines and medical equipment not listed in Cabinet Decision: 5%
Other medical supplies: 5%

Oil and Gas:

Crude oil and natural gas: 0%
Other oil and gas products including petrol at the pump: 5%

Transportation:

Domestic passenger transportation (including flights within UAE): Exempt
International transportation of passengers and goods (including intra-GCC): 0%
Supply of a means of transport (air, sea and land) for the commercial transportation of goods and passengers (over 10 people): 0%
Supply of goods and services relating to these means of transport and to the transportation of goods and passengers: 0%

Real Estate:

Sale and rent of commercial buildings (not residential buildings): 5%
First sale/rent of residential building after completion of construction or conversion: 0%
First sale of charitable building: 0%
Sale/rent of residential buildings subsequent to first supply: Exempt
Hotels, motels and serviced accommodation: 5%
Bare land: Exempt
Land (not bare land): 5%
UAE citizen building own home: 5% (recoverable)

Financial Services:

Margin based products (products not having an explicit fee, commission, rebate, discount or similar): Exempt
Products with an explicit fee, commission, rebate, discount or similar: 5%
Interest on forms of lending (including loans, credit cards, finance leasing): Exempt
Issue, allotment or transfer of an equity or debt security: Exempt

Insurance and Re-insurance:

Insurance and reinsurance (including health, motor, property, etc.): 5%
Life insurance and life reinsurance: Exempt

Food and Beverages:

All food and beverages: 5%

Telecommunications and electronic services:

Wired and wireless telecommunications and electronic services: 5%

Government activities:

Sovereign activities which are not in competition with the private sector undertaken by designated government bodies: Considered outside VAT system
Activities that are not sovereign or are in competition with the private sector: VAT rate dependent on good/service ignoring provider

Not for Profit Organizations:

Activities of foreign governments, international organisations, diplomatic bodies and missions acting as such (if not in business in the UAE): Considered outside VAT system
Charitable activities undertaken by societies and associations of public welfare which are listed by Cabinet Decision: Considered outside VAT system
Activities of other not for profit organizations (not listed in Cabinet Decision) which are not business activities: Considered outside VAT system
Business activities undertaken by the above organizations: VAT rate dependent on good/service ignoring provider

Free zones:

Supplies of goods between businesses in designated zones: Considered outside VAT system
Supplies of services between businesses in designated zones: VAT rate dependent on service ignoring location
Supplies of goods and services in non-designated zones: VAT rate dependent on good/service ignoring location
Supplies of goods and services from mainland to designated zones or designated zones to mainland: VAT rate dependent on good/service ignoring location

Other:

Export of goods and services to outside the GCC implementing states: 0%
Activities undertaken by employees in the course of their employment, including salaries: Considered outside VAT system
Supplies between members of a single tax group: Considered outside VAT system
Any supplies of services or goods not mentioned above (includes any items sold in the UAE or service provided): 5%
Second hand goods (e.g. used cars sold by retailers), antiques and collectors’ items: 5% of the profit margin

The UAE and Saudi Arabia are the two GCC member countries which will implement Value Added Tax (VAT) Reform from 1st January 2018 whereas the remaining member countries will implement over the coming years.

According to the UAE tax officials, it is anticipated that the new tax reform will help to generate nearly Dh12 billion (around 0.8 percent of GDP) revenue in the initial year after the introduction of the VAT. It might increase to Dh20 billion (around 1.2 percent of GDP) in the succeeding year (2019).

VAT registration U.A.E. – act now deadlines are imminent

October 17th, 2017

The UAE Federal Tax Authority (FTA) online portal is open 24/7 to allow taxpayers to register for VAT purposes. The FTA has also determined the deadlines for the application for VAT registration based on business turnover. For larger companies VAT registration is required by 31 October 2017, and such businesses should immediately consider the timeline requirement given their turnover profile and the other registration requirements.

Businesses that are required to register for VAT will need to set up an online account on the FTA website and complete the VAT registration form.

The FTA has announced that a phased registration approach has been introduced. In particular, businesses that meet these criteria must comply with the relevant application dates for registration:
● Businesses with an annual turnover exceeding AED 150 million must apply for registration by 31 October 2017
● Businesses with an annual turnover exceeding AED 10 million must apply for registration by 30 November 2017
● Remaining businesses with an annual turnover exceeding the mandatory registration threshold (expected to be AED 375,000) must apply for registration by 4 December 2017
Before completing the VAT registration form, read the FTA’s “Getting Started Guide”, which shares essential information that businesses should be aware of. This includes information on the registration criteria, registration of a VAT group, and the necessity to register even if only zero-rated supplies are made.

Additional details clarifying the VAT registration mechanism are found in the VAT registration guide, a document posted on the FTA online portal under the “Advice” tab. This document covers the calculation of turnover for VAT purposes, a walk-through of VAT registration through the FTA registration portal, registration of a VAT group, and the types of books and records a taxpayer must hold to ensure accurate tax compliance.

We strongly advise businesses to visit the FTA website and initiate their VAT registration application by their applicable deadline, after having considered the guidance provided by the FTA and other advice as required (for instance on VAT grouping).
Businesses should allow time to compile the information required for VAT registration.

VAT in the U.A.E. – time to act.

October 16th, 2017


VAT, as a general consumption tax, will apply to the majority of transactions in goods and services. A limited number of reliefs may be granted.

As a result, the cost of living is likely to increase slightly, but this will vary depending on an individual’s lifestyle and spending behaviour. If an individual spends mainly on those things which are relieved from VAT, he is unlikely to see any significant increase.

The government will include rules that require businesses to be clear about how much VAT an individual is required to pay for each transaction. Based on this information, individuals can decide whether to buy something.

Implications of VAT for businesses

Businesses will be responsible for carefully documenting their business income, costs and associated VAT charges. Businesses that meet the minimum annual turnover requirement (as evidenced by their financial records) will be required to register for VAT. Businesses that do not think that they should be VAT registered should maintain their financial records in any event, in case the ministry needs to establish whether they should be registered. The FTA does have the power to conduct audits on taxable persons and subsequently impose penal measures on those that are not compliant with the law.

A business must register if the total value of its taxable supplies made within the UAE exceeds the mandatory registration threshold over the previous 12-month period, or if it anticipates making taxable supplies with a value exceeding the mandatory registration threshold in the next 30 days.

The mandatory registration threshold is AED 375,000.

A business may also apply to register if they do not meet the mandatory registration criteria and the total value of their taxable supplies or taxable expenditure in the previous 12 months exceeds the voluntary registration threshold, or they anticipate that the total value of their taxable supplies or taxable expenditure will exceed the voluntary registration threshold in the next 30 days.

The voluntary registration threshold is AED 187,500.

For the purposes of understanding whether a registration obligation exists, a taxable supply refers to a supply of goods or services, made by a business in the U.A.E., that may be taxed at a rate of either 5% or 0%. Imports are also taken into consideration for this purpose when a supply of such goods or services would be taxable if made within the U.A.E.
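As an added illustration (not code from the original post, and not an FTA tool), the following Python applies the two registration tests above to a constructed sales ledger: the previous 12 months and the next 30 days, with only standard-rated and zero-rated supplies counting as taxable supplies and imports counted alongside sales. The thresholds are the AED 375,000 and AED 187,500 figures quoted above; the ledger entries, business names and the category labels ("standard", "zero", "exempt") are made-up inputs chosen to show where each rule bites.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds quoted in the post (AED).
MANDATORY_THRESHOLD_AED = 375_000
VOLUNTARY_THRESHOLD_AED = 187_500

# Only standard-rated (5%) and zero-rated (0%) supplies are "taxable supplies";
# exempt and out-of-scope supplies do not count towards either threshold.
TAXABLE_CATEGORIES = {"standard", "zero"}


@dataclass(frozen=True)
class Supply:
    day: date
    value_aed: float
    category: str   # "standard", "zero", "exempt" or "out_of_scope" (constructed labels)
    kind: str       # "sale" or "import" (supplies made), "purchase" (expenditure)


def taxable_value(items, start, end, kinds):
    """Sum of taxable supplies of the given kinds dated within start..end inclusive."""
    return sum(s.value_aed for s in items
               if start <= s.day <= end
               and s.category in TAXABLE_CATEGORIES
               and s.kind in kinds)


def registration_status(items, today):
    """Apply the post's two tests (previous 12 months, next 30 days).

    Returns "mandatory", "voluntary" or "not required".
    """
    past_start = today - timedelta(days=365)
    next_start, next_end = today + timedelta(days=1), today + timedelta(days=30)

    supplies_past = taxable_value(items, past_start, today, {"sale", "import"})
    supplies_next = taxable_value(items, next_start, next_end, {"sale", "import"})
    if max(supplies_past, supplies_next) > MANDATORY_THRESHOLD_AED:
        return "mandatory"

    # The voluntary test also looks at taxable expenditure (purchases).
    spend_past = taxable_value(items, past_start, today, {"purchase"})
    spend_next = taxable_value(items, next_start, next_end, {"purchase"})
    if max(supplies_past, supplies_next, spend_past, spend_next) > VOLUNTARY_THRESHOLD_AED:
        return "voluntary"
    return "not required"


# Constructed sample ledgers (not real businesses), evaluated on 1 December 2017.
TODAY = date(2017, 12, 1)
SAMPLE = {
    # Standard + zero-rated supplies add up to 400,000; the exempt rent is ignored.
    "exporter": [
        Supply(date(2017, 3, 15), 300_000, "standard", "sale"),
        Supply(date(2017, 6, 1), 100_000, "zero", "sale"),       # export outside the GCC
        Supply(date(2017, 8, 1), 200_000, "exempt", "sale"),     # residential rent
    ],
    # Gross turnover 450,000, but taxable supplies are only 150,000.
    "landlord": [
        Supply(date(2017, 2, 1), 150_000, "standard", "sale"),
        Supply(date(2017, 5, 1), 300_000, "exempt", "sale"),
        Supply(date(2017, 9, 1), 50_000, "standard", "purchase"),
    ],
    # Small history, but a 400,000 contract expected within the next 30 days.
    "new_contract": [
        Supply(date(2017, 4, 1), 100_000, "standard", "sale"),
        Supply(date(2017, 12, 20), 400_000, "standard", "sale"),
    ],
    # A large sale just outside the 12-month window does not count.
    "steady": [
        Supply(date(2016, 11, 15), 500_000, "standard", "sale"),
        Supply(date(2017, 7, 1), 200_000, "standard", "sale"),
    ],
}


def all_statuses():
    """Registration outcome for every sample ledger."""
    return {name: registration_status(ledger, TODAY) for name, ledger in SAMPLE.items()}


if __name__ == "__main__":
    for name, status in all_statuses().items():
        print(f"{name:>13}: {status}")
```

The "landlord" case is the one worth noting: its gross turnover is well above AED 375,000, but because most of it is exempt residential rent it is not even eligible for voluntary registration, while the "new_contract" case is caught by the forward-looking 30-day test despite a small history.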

VAT registration requires a number of official documents, which must be completed before an application is submitted. On successful registration a business receives a VAT certificate. Every VAT certificate carries a specific identification number, which will be required for all VAT-related tasks in the UAE.

The process for VAT registration and fee submission will be done online. The following documents and details are required for VAT registration in the UAE:
1. Copy of trade licence
2. Passport copy of the owner/partners who own the licence
3. Copy of the Emirates ID of the owner/partners who own the licence
4. Memorandum of Association (MOA)
5. Contact details of the company (complete address and P.O. Box)
6. Contact details of the concerned person
7. Email address of the concerned person
8. Copies of all bank accounts and statements, including IBAN
9. Whether the owner has any other entities
10. Income statement for the last 12 months
11. Expected revenue and expenses for the 30 days after VAT implementation
12. Whether the business exports or imports
13. Whether the business deals with any customs department and, if so, its customs code
14. Whether the business trades with any other G.C.C. country (country name)
15. If more than one entity is represented, whether one tax group number is wanted for all of the entities or separate tax numbers for each entity
16. Business experience (have the owners or directors been involved in any other businesses during the last 5 years?)

Documents are submitted after online registration and payment of fees. Once the documents have been verified and the process is complete, a VAT certificate will be issued.

VAT will be charged at 0% in respect of the following main categories of supplies:

• Exports of goods and services to outside the GCC States that implement VAT
• International transportation, and related supplies
• Supplies of certain sea, air and land means of transportation (such as aircraft and ships)
• Certain investment-grade precious metals (e.g. gold and silver of 99% purity)
• Newly constructed residential properties that are supplied for the first time within 3 years of their construction
• Supply of certain education services, and supply of relevant goods and services
• Supply of certain healthcare services, and supply of relevant goods and services

The following categories of supplies will be exempt from VAT:

• The supply of some financial services
• Residential properties
• Bare land
• Local passenger transport

Registered businesses and traders will charge VAT to all of their customers at the prevailing rate and incur VAT on goods/services that they buy from suppliers. The difference between these sums is reclaimed or paid to the government.

VAT-registered businesses generally:
• must charge VAT on taxable goods or services they supply
• may reclaim any VAT they have paid on business-related goods or services
• keep a range of business records which will allow the government to check that they have got things right.

VAT-registered businesses must report the amount of VAT they have charged and the amount of VAT they have paid to the government on a regular basis. It will be a formal submission and it is likely that the reporting will be done online.

If they have charged more VAT than they have paid, they have to pay the difference to the government. If they have paid more VAT than they have charged, they can reclaim the difference.

Please note there will be a year-end rush on consulting services; we have already received over 100 inquiries for software consulting support, so don’t leave it too late.

Security security security

September 26th, 2017

You never know when some item that queries or alters data in SQL Server will cause issues.

Bruce Schneier recently commented on FaceID and Bluetooth security, the latter of which has a vulnerability issue. I was amazed to see his piece on infrared camera hacking. A proof of concept (POC) on using light to jump air gaps is truly frightening. It seems that anywhere we are processing data, we need to be thinking (see https://arstechnica.com/information-technology/2017/09/attackers-can-use-surveillance-cameras-to-grab-data-from-air-gapped-networks/)

Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect against airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are “air gapped,” meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attack surface than WiFi, almost entirely unexplored by the research community, and hence contains far more vulnerabilities.

Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

Fully patched Windows and iOS systems are protected.

The Equifax breach, for example, must worry everyone who has ever had credit in the USA. (Hackers broke into Equifax’s computer systems in March, two months earlier than the company had previously disclosed, according to a Wall Street Journal report.)

The Securities and Exchange Commission said Wednesday that a cyber breach of a filing system it uses may have provided the basis for some illegal trading in 2016. In a statement posted on the SEC’s website, Chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system (which processes over 1.7 million electronic filings in any given year). The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.

So let me suggest that you take a good look at your systems and be honest: do you feel safe?

Microsoft has released Microsoft 365, a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely. Watch Satya introduce it.

What about your websites?
Although acts of vandalism such as defacing corporate websites are still commonplace, hackers prefer to gain access to the sensitive data residing on the database server and then to sell the data.

The costs of not giving due attention to your web security are extensive and, apart from the direct financial burden and inconvenience, also risk:
• Loss of customer confidence, trust and reputation, with the consequent harm to brand equity
• Negative impact on revenues and profits arising, e.g., from falsified transactions or from employee downtime
• Website downtime, which is in effect the closure of one of the most important sales and marketing channels, especially for an e-business
• Legal battles and related implications from web application attacks and poor security measures, including fines and damages to be paid to victims.

Web Security Weaknesses
Hackers will attempt to gain access to your database server through any way they can, e.g. out-of-date protocols on a router. Two main targets are:
• Web and database servers.
• Web applications.

Information about such exploits is readily available on the Internet, and many have been reported on this blog previously.

Web Security Scanning
So it is no surprise that web security has two important components: web and database server security, and web application security.

Addressing web application security is as critical as addressing server security.

Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms allow public web traffic to communicate with your web and database servers (i.e. over port 80).

It is of paramount importance to scan these web assets on the network for possible vulnerabilities. For example, modern database systems (e.g. Microsoft SQL Server, Oracle and MySQL) may be accessed through specific ports, and so anyone can attempt direct connections to the databases to try to bypass the security mechanisms used by the operating system. These ports remain open to allow communication with legitimate traffic and therefore constitute a major vulnerability.

Other weaknesses relate to the database application itself and the use of weak or default passwords by administrators. Vendors patch their products regularly, and new ways of attack are found just as regularly.

75% of cyber attacks target weaknesses within web applications rather than the servers directly. Hackers launch web application attacks on port 80. Web applications are more open to undiscovered vulnerabilities since they are generally custom-built and therefore pass through a lesser degree of testing than off-the-shelf software.

Some hackers, for example, maliciously inject code within vulnerable web applications to trick users and redirect them towards phishing sites. This technique is called Cross-Site Scripting (XSS) and may be used even though the web and database servers contain no vulnerability themselves.

Hence, any web security audit must answer the questions “which elements of our network infrastructure are open to hack attacks?”, “which parts of a website are open to hack attacks?”, and “what data can we throw at an application to cause it to perform something it shouldn’t do?”

Ask us about Acunetix and Web Security
Acunetix ensures web site security by automatically checking for SQL Injection, Cross Site Scripting, and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.

Management reporter 2012 CU16 recent hotfixes

September 10th, 2017

Hotfix 3813390 can be downloaded here:

https://mbs.microsoft.com/Files/customer/MgmtReporter/Downloads/Servicepacks/ManagementReporter2012-CU16-Hotfix-3813390-en-us-update.exe

This hotfix addresses the issue where user security may be removed during Company to Company mapping when there is a SQLException.
If a SQLException occurs during the AX 2012 Companies to Company integration task, such as SQL server being offline, then users may be removed from the security groups in Management Reporter Security and from reporting tree definitions.
Once the cause of the SQL exception is corrected, the data mart integration task will complete, and users will once again be synchronized from Dynamics AX and added to Management Reporter Security, except they will have new user IDs.
The users with new IDs are then not added to the groups/trees that they were in previously.
This issue is logged as bug 3813390. Hotfix 3813390 prevents this issue from occurring.


Hotfix 3815274 is an optional hotfix that can be applied to CU16.
It can be loaded to revert a CU16 change with reporting tree rollups.
The hotfix will allow child nodes to be rolled up to a parent that contains a Dimension filter.
Before making any changes, be sure to have a backup of the MRServiceHost.settings.config file.
You can then do the following:
1. Open the Management Reporter Configuration Console.
You will need to be logged in as a user that has the Administrator role in MR when starting the console.
2. Stop both the Process Service and the Application Service.
3. Navigate to “C:\Program Files\Microsoft Dynamics ERP\Management Reporter\2.1\Server\Services\MRServiceHost.settings.config”
4. Edit the config file in Notepad and then add the following line.
This will change the functionality such that dimension filters on summary tree units will be ignored (pre-CU15 functionality):

This new line should be added before the

5. Save your changes and close Notepad.
6. In the Management Reporter Configuration Console, start the Process Service and the Application Service.
Once the services are restarted, re-generate your reports for the changes to be applied.

Hotfix 3815274 can be downloaded here:

https://mbs.microsoft.com/files/customer/MgmtReporter/Downloads/ProductReleases/ManagementReporter2012-CU16-Hotfix-3815274-en-us-update.exe

GDPR Affects All European Businesses – What about the G.C.C. and U.A.E.?

August 19th, 2017

See our previous article on this topic for why your company may be affected if you are a branch of a European company, or have branches in Europe, or trade with a European company.

From May 25, 2018, companies with business operations inside the European Union must follow the General Data Protection Regulations (GDPR) to safeguard how they process personal data “wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

The penalties set for breaches of GDPR are up to 4% of a company’s annual global turnover.
For large companies like Microsoft that have operations within the EU, making sure that IT systems do not contravene GDPR is critical. As we saw on August 3, even the largest software operations like Office 365 can have a data breach.

Many applications can store data that might come under the scope of GDPR. The regulation has a considerable influence over how tenants deal with personal data. The definition of personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
GDPR goes on to define processing of personal data to be “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

That means that individuals have the right to ask companies to tell them what of their personal data a company holds, and to correct errors in their personal data, or to erase that data completely.

Companies therefore need to:
- review and know what personal data they hold,
- make sure that they obtain consents from people to store that data,
- protect the data,
- and notify authorities when data breaches occur.

On first reading, this might sound like what companies do – or at least try to do – today. The difference lies in the strength of the regulation and the weight of the penalties should anything go wrong.

GDPR deserves your attention.

The definitions used by GDPR are broad. To move from the theoretical to the real world an organization first needs to understand what personal data it currently holds for its business operations, and where they use the data within software applications.

It is easy to hold personal information outside business applications like finance, ERP and CRM, e.g. inside Office 365 applications, including:
• Annual reviews written about employees stored in a SharePoint or OneDrive for Business site.
• A list of applicants for a position in an Excel worksheet attached to an email message.
• Tables holding data (names, employee numbers, hire dates, salaries) about employees in SharePoint sites.
• Outlook contacts and emails, Skype for Business
• Social media sites
• Loyalty programmes
• T&A (time and attendance) systems
• E-commerce sites
• Mobile apps, e.g. WhatsApp

Other examples might include contract documentation, project files that include someone’s personal information, and so on.

What backups do you have of the customer’s data?
What business data do your staff hold on BYOD devices, e.g. in WhatsApp?

Data Governance Helps
Fortunately, the work done inside Office 365 in the areas of data governance and compliance helps tenants to satisfy the requirements of GDPR. These features include:
• Classification labels and policies to mark content that holds personal data.
• Auto-label policies to find and classify personal data as defined by GDPR. Retention processing can then remove items stamped with the GDPR label from mailboxes and sites after a defined period, perhaps after going through a manual disposition process.
• Content searches to find personal data marked as coming under the scope of GDPR.
• Alert policies to detect actions that might be violations of the GDPR such as someone downloading multiple documents over a brief period from a SharePoint site that holds confidential documentation.
• Searches of the Office 365 audit log to discover and report potential GDPR issues.
• Azure Information Protection labels to encrypt documents and spreadsheets holding personal data by applying RMS templates so that unauthorized parties cannot read the documents even if they leak outside the organization.
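The alert policy in the list above (someone downloading multiple documents over a brief period from a site that holds confidential documentation) is, in detection terms, a per-user sliding-window count. As an added example, not code from this post and not the Office 365 alert engine, the Python below runs that rule over a constructed, deliberately simplified audit log; the column layout (timestamp, user, operation, site), the site names and the user accounts are made up, and the real Office 365 audit log export carries far more fields than these four.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in a simplified audit-log layout: timestamp,user,operation,site.
SAMPLE_AUDIT_LOG = """\
2017-08-18T09:00:05Z,alice@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T09:00:40Z,alice@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T09:01:10Z,alice@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T09:02:00Z,alice@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T09:02:30Z,alice@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T10:00:00Z,bob@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T10:30:00Z,bob@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T11:00:00Z,bob@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T11:30:00Z,bob@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T12:00:00Z,bob@contoso.example,FileDownloaded,/sites/HR-Confidential
2017-08-18T13:00:01Z,carol@contoso.example,FileDownloaded,/sites/Marketing
2017-08-18T13:00:02Z,carol@contoso.example,FileDownloaded,/sites/Marketing
2017-08-18T13:00:03Z,carol@contoso.example,FileDownloaded,/sites/Marketing
2017-08-18T13:00:04Z,carol@contoso.example,FileDownloaded,/sites/Marketing
2017-08-18T13:00:05Z,carol@contoso.example,FileDownloaded,/sites/Marketing
2017-08-18T13:05:00Z,dave@contoso.example,FileAccessed,/sites/HR-Confidential
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    operation: str
    site: str


@dataclass(frozen=True)
class Alert:
    user: str
    first: datetime   # first download inside the window that tripped the rule
    last: datetime    # the download that tripped it
    count: int


def parse_audit_log(text):
    """Turn the simplified CSV lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, operation, site = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, operation, site))
    return events


def detect_bulk_downloads(events, sensitive_sites, threshold=5, window=timedelta(minutes=10)):
    """Alert once per user when `threshold` downloads from a sensitive site fall within `window`."""
    recent = defaultdict(deque)   # user -> timestamps of downloads still inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.operation != "FileDownloaded" or ev.site not in sensitive_sites:
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # drop downloads that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ev.user not in alerted:
            alerted.add(ev.user)
            alerts.append(Alert(ev.user, q[0], ev.ts, len(q)))
    return alerts


def run_sample():
    """Apply the rule to the constructed log, treating only the HR site as sensitive."""
    return detect_bulk_downloads(parse_audit_log(SAMPLE_AUDIT_LOG), {"/sites/HR-Confidential"})


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.user}: {alert.count} downloads between {alert.first} and {alert.last}")
```

The window size and threshold are deliberately parameters: the same function flags five downloads in ten minutes but says nothing about the user who pulls the same five documents across a working day, and it ignores the Marketing site because only the listed locations count as sensitive. Tuning those two numbers, and the list of sites, is where most of the real work of such a policy lies.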

Technology that exists today within Office 365 can help with GDPR.

Classification Labels
Create a classification label to mark personal data coming under the scope of GDPR and then apply that label to relevant content. When you have Office 365 E5 licenses, create an auto-label policy to stamp the label on content in Exchange, SharePoint, and OneDrive for Business found because documents and messages hold sensitive data types known to Office 365.

GDPR sensitive data types

Select from the set of sensitive data types available in Office 365.
The set is growing steadily as Microsoft adds new definitions.
At the time of writing, 82 types are available, 31 of which are obvious candidates to use in a policy because those are for sensitive data types such as country-specific identity cards or passports.

Figure 1: Selecting personal data types for an auto-label policy (image credit: Tony Redmond)

GDPR Policy

The screenshot in Figure 2 shows a set of sensitive data types selected for the policy. The policy applies a label called “GDPR personal data” to any content found in the selected locations that matches any of the 31 data types.

Auto-apply policies can cover all Exchange mailboxes and SharePoint and OneDrive for Business sites in a tenant – or a selected sub-set of these locations.


Figure 2: The full set of personal data types for a GDPR policy (image credit: Tony Redmond)

Use classification labels to mark GDPR content so that you can search for this content using the ComplianceTag keyword (for instance, ComplianceTag:”GDPR personal data”).

Caveats:
It may take 1-2 weeks before auto-label policies apply to all locations.
An auto-label policy will not overwrite a label that already exists on an item.

A problem is that classification labels only cover some of Office 365. Some examples of popular applications where you cannot yet use labels are:
• Teams.
• Planner.
• Yammer.

Microsoft plans to expand the Office 365 data governance framework to other locations (applications) over time.
Master data management
What about all the applications running on SQL or other databases?
Master Data Management (MDM) has been a feature of SQL Server since SQL Server 2012. However, when you have many data sources you are really into an ETL process, and even with MDM tools the work is still significant.

If you have extensive requirements then ask us about Profisee, our specialist, productized MDM solution built on top of SQL MDM that allows you to do much of the work by configuration.

Right of Erasure
Finding GDPR data is only part of the problem. Article 17 of GDPR (the “right of erasure”), says: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” In other words, someone has the right to demand that an organization should erase any of their personal data that exists within the company’s records.

Content searches can find information about someone using their name, employee number, or other identifiers as search keywords, but erasing the information is something that probably also needs manual processing to ensure that the tenant removes the right data, and only that data.

You can find and remove documents and other items that hold someone’s name or another identifier belonging to them by using tools such as Exchange’s Search-Mailbox cmdlet or Office 365 content searches.
What if the data has to be retained because the company needs to keep items for regulatory or legal purposes? Can you then go ahead and remove the items?
The purpose of placing content on hold is to ensure that no one, including administrators, can remove that information from Exchange or SharePoint.

The GDPR requirement to erase data on request means that administrators might have to release holds placed on Exchange, SharePoint, and OneDrive for Business locations to remove the specified data. Once you release a hold, you weaken the argument that held data is immutable. The danger exists that background processes or users can then either remove or edit previously-held data and so undermine a company’s data governance strategy.

The strict reading of GDPR is that organizations must process requests to erase personal data upon request.
What if the company needs to keep some of the data to satisfy regulations governing financial transactions, taxation, employment claims, or other interactions? This is a dilemma for IT. Lawyers will undoubtedly have to interpret requests and understand the consequences before making decisions and it is likely that judges will have to decide some test cases in different jurisdictions before full clarity exists.
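The erasure dilemma described above comes down to two rules that are easy to state and easy to get wrong in a bulk operation: remove only items that belong to the data subject, and remove nothing that is under a hold without a separate legal decision. As an added example (not code from this post, and not a Microsoft tool), the Python below models that with a constructed list of tenant items; the item IDs, names, employee numbers and hold reasons are made up, the "location" values are just labels, and matching is done on exact identifiers rather than the free-text keyword search a content search performs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    item_id: str
    location: str            # "Exchange", "SharePoint" or "OneDrive" (labels only)
    subject_ids: frozenset   # identifiers of the person(s) the item is about
    hold: str = ""           # reason the item is on hold; empty string if none


@dataclass
class ErasureOutcome:
    erased: list             # removed from the tenant
    held_for_review: list    # matched the subject but sit under a hold
    remaining: list          # everything still in place afterwards


def keyword_candidates(items, keyword):
    """What a free-text content search returns: anything containing the keyword."""
    k = keyword.casefold()
    return [it for it in items if any(k in s.casefold() for s in it.subject_ids)]


def process_erasure_request(items, identifiers):
    """Erase items that match the data subject exactly and are not on hold.

    Items that match but sit under a hold are not touched; they are routed to
    legal review, because releasing the hold is a separate decision.
    """
    wanted = {i.casefold() for i in identifiers}
    outcome = ErasureOutcome([], [], [])
    for it in items:
        matched = wanted & {s.casefold() for s in it.subject_ids}
        if not matched:
            outcome.remaining.append(it)
        elif it.hold:
            outcome.held_for_review.append(it)
            outcome.remaining.append(it)
        else:
            outcome.erased.append(it)
    return outcome


# Constructed sample tenant content; names, numbers and hold reasons are made up.
SAMPLE_ITEMS = [
    Item("msg-1", "Exchange", frozenset({"John Smith", "E1042"})),
    Item("doc-2", "SharePoint", frozenset({"John Smith"}), hold="Tax records FY2016"),
    Item("doc-3", "OneDrive", frozenset({"John Smithson"})),   # a different person
    Item("doc-4", "SharePoint", frozenset({"E1042"})),          # matched by employee number only
    Item("msg-5", "Exchange", frozenset({"Jane Doe"})),
]


def run_sample():
    """An erasure request for one data subject identified by name and employee number."""
    return process_erasure_request(SAMPLE_ITEMS, {"John Smith", "E1042"})


if __name__ == "__main__":
    result = run_sample()
    print("erased:", [i.item_id for i in result.erased])
    print("held for review:", [(i.item_id, i.hold) for i in result.held_for_review])
    print("keyword search would also return:",
          [i.item_id for i in keyword_candidates(SAMPLE_ITEMS, "John Smith")])
```

keyword_candidates shows why a content search alone is not enough to act on: searching for "John Smith" also returns the OneDrive document about John Smithson, which the exact-identifier path leaves untouched, while the SharePoint document under a tax hold is reported for review rather than erased. The employee-number match on doc-4 shows the opposite risk: an item the name search would have missed entirely.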

Hybrid is even More Difficult

Microsoft is working to help Office 365 tenants with GDPR. However, I don’t see the same effort going to help on-premises customers. Some documentation exists to deal with certain circumstances (like how to remove messages held in Recoverable Items), but it seems that on-premises customers have to figure out a lot of things for themselves.

This is understandable. Each on-premises deployment differs slightly and exists inside specific IT environments. Compared to the certainty of Office 365, developing software for on-premises deployment must accommodate the vertical and company specific requirements with integrations and bespoke developments.

On-premises software is more flexible, but it is also more complicated.
Solutions to help on-premises customers deal with GDPR are more of a challenge than Microsoft or other software vendors want to take on, especially given the industry focus on moving everything to the cloud.

Solutions like auto-label policies are unavailable for on-premises servers. Those running on-premises SharePoint and Exchange systems must find their own ways to help the businesses that they serve deal with personal data in a manner that respects GDPR. Easier said than done, and it needs to start sooner rather than later.

SharePoint Online GitHub Hub

If you work with SharePoint Online, you might be interested in the SharePoint GDPR Activity Hub. At present, work is only starting, but it is a way to share information and code with like-minded people.

ISV Initiatives

There are many ISV-sponsored white papers on GDPR and how their technology can help companies cope with the new regulations. There is no doubt that these white papers are valuable, if only for the introduction and commentary by experts that the papers usually feature. But before you resort to an expensive investment, ask yourself whether the functionality available in Office 365 or SQL is enough.

Technology Only Part of the Solution

GDPR will affect Office 365 because it will make any organization operating in the European Union aware of new responsibilities to protect personal data. Deploy Office 365 features to support users in their work, but do not expect Office 365 to be a silver bullet for GDPR. Technology seldom solves problems on its own. The nature of regulations like GDPR is that training and preparation are as important as, if not more important than, technology in ensuring that users recognize and properly deal with personal data in their day-to-day activities.