How do things stand with GDPR and Odoo?
Odoo and the General Data Protection Regulation
Is your Odoo ERP impacted by the new GDPR rules?
What is the GDPR?
On April 27, 2016, the European Parliament adopted a new regulation on the protection of natural persons with regard to the processing of their personal data.
This regulation has applied in all countries of the European Union since May 25, 2018, and is therefore enforceable against every company that handles personal data.
What is Odoo's position on this regulation? Is your company affected by these new provisions? Chances are that it is!
What is personal data?
How do you know whether you are processing personal data, and which data is personal and which is not?
To understand the extent of the changes brought about by this new regulation, this term must be defined, so that you can see how seriously your company is affected and evaluate the actions to take.
Personal data means any information relating to a natural person who is identified or who can be identified, directly or indirectly.
This definition matters because it sets the real scope of the new regulation. It covers personal identification elements (name, surname, address, etc.) but also professional elements (e-mail, professional address). So there is a good chance your business is concerned.
The regulation covers data collected both digitally and in paper format, whether for the establishment of a contract (employment, customer), for a newsletter aimed at individuals, for collecting their billing information, and so on.
How do you comply with the GDPR? Subteno IT gives you the answers to the most frequently asked questions.
Odoo processes personal data
Different Odoo modules are able to do this
Odoo can do a great deal today. Many modules are "ready to use" and collect personal data in order to work: direct mail, website, contacts, price quotations, and more. A lot of data is already collected and stored by Odoo! It is then your responsibility to identify this data and to secure it.
Please find below the step-by-step actions to take:
Subteno IT Guide - Odoo Compliance
Step 1: Identify all the personal data collected and processed by your company (in digital or paper format).
Step 2: Limit the data you collect to the bare minimum necessary for the purpose of your processing. For example, if you intend to send a newsletter and ask for the person's first and last name in addition to their e-mail address, you should review this part and ask only for their e-mail address, because their first and last name are not necessary for the purpose of the processing (sending a newsletter).
Step 3: Be transparent about the data you collect. Wherever you can, add a notice detailing the purpose of the processing you will carry out after collecting personal data. This may, for example, appear in your legal notice.
Step 4: Establish register sheets in which you record every processing operation performed on the personal data that you collect and/or process in Odoo. You can find a model here: https://www.cnil.fr/fr/cartographier-vos-traitements-de-donnees-personnelles
Step 5: Set appropriate access rights for each user of your Odoo instance (if your Odoo is multi-user). Defining suitable rights is the first step towards securing data. Each person should have access only to what they are supposed to see or change.
Step 6: Determine which of the personal data identified in Step 1 is so-called "sensitive" data, which represents a high risk of harm to the person, even if the likelihood does not seem high. Then, for each item of data identified, carry out an impact analysis.
Step 7: If you host your Odoo instance yourself, remember to notify your system administrator of this new law and of your need to secure the data hosted on your server.
Step 8: Document each of your compliance actions!
Note: The purpose of this guide is to help you make your Odoo compliant with the GDPR. It is your responsibility to make sure that your whole company complies with these new rules. Do not hesitate to check with the competent authority of your country for your activity.
Odoo has published an article about the GDPR at this address: https://www.odoo.com/fr_FR/gdpr
Main objective in complying with the GDPR
To comply with the GDPR, your company must be able to prove that all necessary means at its disposal (technical and organizational) have been implemented to secure the personal data of individuals.
Mapping processing activities and putting actions in place
The first step in securing data
As a first step, you must map the various data collected by your company and determine how it is processed. To carry out this step completely, you need to set up a processing register. Turn to the personal-data authority of the country in which you operate if you have any questions. For an activity based in France, an example is available on the CNIL website.
The purpose of this step is to obtain a global view of all the data your company is processing, in order to subsequently develop the measures that will secure it.
In a second step, you will have to put in place the actions needed to secure the data you have identified. It is very important to prioritize these actions according to the degree of probability assessed for each risk (the chance of a given risk being realized), as well as its level of severity.
Organization and internal processes
Setting up the documentation
Document your actions
Remember, you must document each of the actions you take to comply with the new GDPR rules. These new provisions will undoubtedly bring many changes within your company.