ERPNext Foundation ERPNext Cloud Chat Blog Discuss Frappé* Donate

Is ERPNext GDPR-Ready?


#1

Hello,

Is there an internal effort to get ERPNext GDPR¹-Ready?

With all our data “in the cloud” with ERPNext, we need to take this into account.
From May 2018 this law will be in effect.

How is the data currently protected?
How are customers seperated from eachother?
How is Data Leaking Prevented?

ERPNext should at some point come out with a statement.

¹ — General Data Protection Regulation (Regulation (EU) 2016/679)

Background information:


#2

Hello, I am also looking out for same information. please help me too.


#3

you mean your data as a cloud user of ERPNext (with access through [youname].erpnext.com)?
So the question would be more of a hosting question rather then a functional ERPNext question, right?


#4

@vrms Correct.

But we should also take into account how ERPNext stores data.
And how anonymous that information is.
Because we store a lot of information about customers (address, telephone number, vat number. purchases, … )
I am no expert on the subject, I just feel a statement should be made as this is the first step (“assess the situation”).


#5

I SHARE THE NEED TO GET THIS ISSUE IDENTIFIED AND CLARIFIED. THIS IS A VERY IMPORTANT STEP IN SECURING THE PRIVACY OF ALL USERS.

Preparing for GDPR compliance by 2018 should be a supported goal.


New category called Compliance
#6

May 2018 is approaching rapidly.

Is there any development concerning the GDPR compliance of ERPNext?


#7

In the past months, I have developed quite an extensive knowledge of GDPR from both IT and legal points of view, so let me share my thoughts here. (Full disclosure: I am providing consulting advices on RGPD to companies for a fee).

First, GDPR only applies to Personal Data of EU citizens, meaning data belonging to an individual like his name, his address, his e-mail address. GDPR doesn’t apply to Company data, for example.

Second, GDPR imposes some duties to companies which deal with Personal Data. For example, before collecting Personal Data, you must ask the person for her consent in a plain and understandable way and you must describe to the person the processings you will perform with her data as well as the duration of retention and how the person can request a modification of her data or even the deletion. (Of course, I over simplify because the RGPD is a text of 60,000 words).

Third, the company must maintain a registry of all processes of Personal Data, which persons have access to these data and for which purpose.

Fourth, if you need some data to perform a selling activity, you cannot collect more than you need. For example, you cannot ask the color of the eyes of a person but you need her address and the person cannot refuse to give her consent or else the sales will not occur.

Fifth, in case of violation of the RGPD, a company must communicate to the local regulator as well as inform each individual that there was a data breach, as long as the costs are reasonable (whatever it means, but an e-mail is reasonable while a stamped letter may be considered not reasonable).

So RGPD is, in my opinion, more a matter of reviewing and documenting your processes rather than expecting a software to be stamped RGPD-compliant.

In the case of ERPNEXT, the database is reasonably protected, only the persons who administer the server can access it, correct me if I am wrong. There are transactions which allow the modification or the deletion of customer data, so it is OK. I am not using the shop features of ERPNEXT, so I don’t know if there is a consent box that you must tick when you register your name nor if you can have a simple text next to it to explain what you will do with the Personal Data that you collect.

I hope that I have not made the discussion more confused than before this message. If you need clarifications, please ask!


#8

Thanks for laying it to rest!


#9

Yes, thank you for explaining this subject from your point of view.

I think it would make sense to write something about it on erpnext.com or erpnext.org as I think more people will struggle with questions about this subject next year.


#10

Interesting suggestion @Bas_de_Reus, let me put in on the agenda of our next France Chapter meeting planned at the end of the month. As @chdecultot is an expert of ERPNext and I know quite well the GDPR, we could write together something that makes sense and which could benefit this community.


#11

Nice idea Stephane !

We will discuss it during our next call.


#12

@chdecultot and @webingold2, is there any update since Nov '17 ? Appreciate if you update your takes on GDPR!

Cheers,


#13

There is also right for user to demand data portability, to transfer data to other erp or crm (see Section 3 Article 20 ), but erpnext is fine in that sense. Data import/export is very simple and exhaustive.

There are more user rights, but from the look of it erpnext complies with them, see at least Section 3.


#14

There are two issues as I see this

  1. How we run our business. Who has access, how the data is regulated, what you do with a data request etc. All these are to do with how we run our business on ERPNext.
  2. Where is the data held.
    ------- If you self host, where is the server? is the hosting company EU based? is it GDPR compliant? If not EU do you need third party data processing agreements
    ------- If you are using the ERPNEXT cloud solution then there could be wider implications. The ERPNEXT adminisitrator has direct access to the data. Where is that data stored? We need ERPNEXT cloud to be either GDPR compliant or agree to sighn our third party data processing agreements. If ERPNEXT cloud will not be GDPR compliant and will not sign these agreements then all their european customers will have to leave and go elsewhere!!

#15

Any news on this?

http://ec.europa.eu/justice/smedataprotect/index_en.htm

It is really a must comply… don’t you think?

Suggestion:

A module gives end-user visibility to the data stored about himself/herself and aims to help site admins follows the guidelines and legislation set by the EU.

Basic GDPR Compliance use cases:

    Form checkboxes (contact + login) - not accepted the form until not checked
    Pop-up alert (GDPR + privacy policy) - on login page +contact page
    Privacy Policy Page - separate from all other (must be separate)

Features:

Checklist for site admin (recommend cookie consent, check if there is privacy policy page etc).
Primary goal is to prevent developers from accessing user data.

Hard coded features /is it important?/:

… Adds data anonimization features so the data will still be available for statistical and history purposes but will not allow to identify a user and the store will comply with the GDPR directive.

... mask all the current data in your database related to the users.

... could be really useful when considering the new GDPR legislation, as all the user data could easily be masked in development/local copies.

Addition features

Allow logged in user to see all raw data stored about himself/herself (user entity).
Allow user to initiate “forget me” action from site admins.
More items and recommendations to checklist.
Make sure user can rectify all data about himself/herself.
Allow user to remove the account (content is not removed+but notified to admin).
Make API for other contrib modules to announce user data store.

Make no mistake

Don't assume that if you've enabled the GDPR , you're done ...
GDPR will apply to any ERPNext site that deals with users, site visitors, etc, who are from the EU (which public site does not do so?) ...

#16

Action is needed with the ERPnext shop:

  1. User needs to actively tick the terms and conditions
  2. In case only a service (not a stock item) is being ordered, do not ask for the shipping address (which currently is mandatory)

#17

This is a great idea, can you make a GitHub post on this? We should plan this in v12


#18

@rmehta

Welcome!

Thank you to taking care of this.
It is a really need in EU.

Please find herewith on github:


#19

I don’t think there are systems for deleting customer data because they are linked with transactions.

After 7 years (UK) we can delete customer invoices etc, but in ERPNEXT we can’t because the customer is linked to the invoice

So we would perhaps have to “modify” each customer so that their name is now not John Smith but rename to be “Deleted GDPR”


#20

Given that the GDPR enforcement became effective May 25th 2018 we would support any solutions that help GDPR compliance getting on a fast track. If the team needs help scoping a solution I can share some resources that our law firm has shared with us and we will financially support this effort as well. Please do not hesitate to connect with myself or @MichaelPinkowski to help keep this project moving.

The reality is that the large companies will always be at the top of the enforcement agenda for governments, but there are parts of this law that allow private citizens and attorneys in the EU to attack companies.

Therefore helping entrepreneurs globally comply with this requirement is prudent as soon as it is reasonable.

Thanks