To make ERPNext for GDPR ready

[krnkris]

To fulfil the requirement of GDPR for ERPNext.

http://ec.europa.eu/justice/smedataprotect/index_en.htm3

It is really a must comply… don’t you think?

Suggestion:

A module gives end-user visibility to the data stored about himself/herself and aims to help site admins follows the guidelines and legislation set by the EU.

Basic GDPR Compliance use cases:

• [ ] Form checkboxes (contact + login) - not accepted the form until not checked
• [ ] Pop-up alert (GDPR + privacy policy) - on login page +contact page
• [ ] Privacy Policy Page - separate from all other (must be separate)

Features:

• [ ] Checklist for site admin (recommend cookie consent, check if there is privacy policy page etc). The primary goal is to prevent developers from accessing user data.

Hard coded features /is it important?/:

• [ ] Adds data anonimization features so the data will still be available for statistical and history purposes but will not allow to identify a user and the store will comply with the GDPR directive.

• [ ] mask all the current data in your database related to the users.

• [ ] could be really useful when considering the new GDPR legislation, as all the user data could easily be masked in development/local copies.

Addition features

• [x] Allow logged in user to see all raw data stored about himself/herself (user entity).
• [x] Allow user to initiate “forget me” action from site admins.
• [ ] More items and recommendations to checklist.
• [ ] Make sure user can rectify all data about himself/herself.
• [ ] Allow user to remove the account (content is not removed+but notified to admin).
• [ ] Make API for other contrib modules to announce user data store.

Make no mistake

Don't assume that if you've enabled the GDPR , you're done ... GDPR will apply to any ERPNext site that deals with users, site visitors, etc, who are from the EU (which public site does not do so?) ...

Please refer to this discussion:

https://discuss.erpnext.com/t/is-erpnext-gdpr-ready/23103

[actXc]

look at matomo, they understood GDPR https://matomo.org/docs/gdpr/ same at moodle https://docs.moodle.org/34/en/GDPR or even at odoo.com: https://docs.moodle.org/34/en/GDPR

GDPR will not go away and users in Europe will not start to use this software without visible GDPR-activities.

[krnkris]

@actXc

Thanks for the share.

BTW Oddo page is: https://www.odoo.com/gdpr

[aleksas]

Birthday reminders have to be off by default, since birthday is private information.

[actXc]

If you want to store date of birth together with the name e.g., it needs to be explained why. If you service is to send out birthday reminders, why not store it? With the users confirmation to use the data for the specific reason, there might be no problem with storing and using birthday data.

[generare]

Just also realised the GDPR part. We were trying to add Facebook login (FB developer feature that is integrated in ERPNext) and you can't do it without a Privacy Policy page and GDPR functions. Facebook refuses it. ERPNext guide page on this is outdated.