Just also realised the GDPR part is missing. We were trying to add Facebook login (FB developer feature that is integrated in ERPNext) and you can’t do it without a Privacy Policy page and GDPR functions. Facebook simply refuses it. ERPNext guide page on this is outdated.
Hello Steve,
Thanks for your expression of interest. Will be great if you could list the missing feature in ERPNext to fulfil GDPR requirement in this Github Issue.
https://github.com/frappe/erpnext/issues/13936
Based on the efforts estimation, we could connect again for the implementation plans, if you are still open. Please let us know.
It seems that this Issue “To make ERPNext for GDPR ready” has already the needed things listed.
Notify, that in EU market if a company is not complying the GDPR it can get enormous fines, 4% of the company turnover and even up to 20 million euro (about 22,8 million dollars). That’s why this is extremely important. We have also listed this in the bounty of correcting the webstore / shopping cart flow that we made today.
This is really dissapointing that it has not been implemented yet. We are all not in compliance with GDPR and now risk massive fines
This from May 2018
Thanks for the resource and advice. We agree with your suggestion to consult a legal entity over this.
Regards,
Prateeksha Singh
Good that this has been put back on the agenda…I have little insight in the number of paying (Frappe Cloud) customers from the EU…That may explain the sluggish adaptation…
This looks like a great list. Speaking for @Steve_Simonson, we are anxious to see this get developed. I will look for an outside resource that could let us know if we are missing anything.
Possibly, but not an excuse. It is not about the cloud users, but the information the cloud users put on the system. Even if there are NO companies using the cloud version that are EU based, if even one of those companies put one customer on that system with EU residency then ERPNExt must be GDPR compliant.
This is true. This is actually crucial for ERPNext. The EU authorities may come after ERPNext as well. The easiest solution of course is to get asap e.g. a selection box for a webstore client “I have read the terms and privacy policy” and then all webstore owners can make their own privacy policies by themselves. But of course we are not only talking about webstores here.
Related to this GDPR question, what comes to generally for shopping cart and checkout in which also this GDPR should be taken care of, we have formed a group to develop matters forward.
You are welcome to join / follow:
Last year, we had a meeting in Germany with our IT-lawyer and Frame. We gave @Basawaraj_Savalagi & @Ketan all information necessary to become GDPR ready. We also emphasized the importance of this topic for the EU market and the risks (e.g. fees) of not being compliant.
Has anyone managed to implement GDPR functionality? We are wanting to include cookies consent to be GDPR compliant at the moment.
Also have concerns regarding the way customer information is stored on ERP.
In addition to this I’ve actually just realised that the Frappe website doesn’t ask for consent…
Looks like @rmeyer was part of a team that built this
Could you kindly fill us in on the status of the project and whether v13 is supported.
TIA!
Hi @adam26d,
in this app we created some DocTypes for structured documentation of the data you collect, including data categories, purpose of collecting, and storage duration. However this was just an experiment. As far as i know it’s not used in production anywhere. It was developed on v11, if I remember correctly.
Anyone is welcome to port it to newer versions, continue development, or hire us to do it.
GDPR compliance such as Personal Data Download & Personal Data Deletions are now available under frappe app please check below link for reference
https://docs.erpnext.com/docs/v13/user/manual/en/setting-up/personal-data-download
https://docs.erpnext.com/docs/v13/user/manual/en/setting-up/personal-data-deletion
With regards to GDPR, one technique is to place an Anonymize checkbox to the DocType definition. For those fields with checked Anonymize, the reports and lists may show asterisks instead of the actual data. For permissions, you may have a permission level like GDPR or privacy-access which will show the actual data for those with this authority level.
How to delete user? Everything you need to know about the "Right to be forgotten" - GDPR.eu
Any workaround for this?
An idea for deleting a user is to rename it with random strings like deleted_01 in all personal fields.
Thoughts?
Does anyone here know what is missing from Frappe/ERPNext to be fully GDPR compliant?