In the past months, I have developed quite an extensive knowledge of GDPR from both IT and legal points of view, so let me share my thoughts here. (Full disclosure: I am providing consulting advice on RGPD to companies for a fee.)
First, GDPR only applies to Personal Data of EU citizens, meaning data belonging to an individual like his name, his address, his e-mail address. GDPR doesn’t apply to Company data, for example.
Second, GDPR imposes some duties on companies which deal with Personal Data. For example, before collecting Personal Data, you must ask the person for her consent in a plain and understandable way, and you must describe to the person the processing you will perform with her data, as well as the duration of retention and how the person can request a modification of her data or even its deletion. (Of course, I oversimplify, because the RGPD is a text of 60,000 words.)
Third, the company must maintain a registry of all processes of Personal Data, which persons have access to these data and for which purpose.
Fourth, if you need some data to perform a selling activity, you cannot collect more than you need. For example, you cannot ask for the color of a person's eyes, but you do need her address, and the person cannot refuse to give her consent or else the sale will not occur.
Fifth, in case of a violation of the RGPD, a company must communicate with the local regulator as well as inform each individual that there was a data breach, as long as the costs are reasonable (whatever that means, but an e-mail is reasonable while a stamped letter may not be considered reasonable).
So RGPD is, in my opinion, more a matter of reviewing and documenting your processes than of expecting software to be stamped RGPD-compliant.
In the case of ERPNEXT, the database is reasonably protected: only the persons who administer the server can access it (correct me if I am wrong). There are transactions which allow the modification or the deletion of customer data, so that is OK. I am not using the shop features of ERPNEXT, so I don’t know if there is a consent box that you must tick when you register your name, nor if you can have a simple text next to it to explain what you will do with the Personal Data that you collect.
I hope that I have not made the discussion more confusing than it was before this message. If you need clarifications, please ask!