GDPR sets the European legal framework for the collection and processing of personal information.
Fun fact: GDPR fines totalled $63 million in its first year, 2018!
Thomas Saliou, our security expert, gives helpful tips on GDPR compliance to companies using Odoo ERP.
Who must comply with the GDPR?
The answer is everyone!
-Not only big companies, but also SMEs operating in the EU.
-This also applies to organizations outside the EU that offer goods or services to individuals in the EU.
-The only exception is governments.
Keep the following points in mind to avoid sky-high fines.
Document the types of personal data you collect
1. A record of processing activities must be maintained.
2. Pay attention when collecting information, and identify the type of data that is stored in Odoo.
3. If you do not have the time and personnel to dedicate to this, invite a data-protection specialist to perform an audit so that you completely avoid legal risks.
Minimize the data collection
-Avoid collecting data that is not necessary.
-This way you reduce your responsibility for securing that data.
In addition, a Privacy Impact Assessment will help you identify and assess privacy risks in the process of collecting, keeping and disseminating personal data.
Establish and provide policies to customers
User awareness
-The user must be aware that their data is being collected.
-Most importantly, they need to know what their information is being used for.
Consent
-Consent must be obtained to lawfully process personal data.
-The request for consent must be clearly recognizable as such.
-Use clear and plain language.
-Provide a privacy policy and terms of use.
Right to be forgotten
-Individuals have the right to ask you to erase their information from your system.
-It is your duty to respond to the request within 1 month.
Report data breach
If your organization is the victim of a data leak, you must notify the authorities within 72 hours.
Remember! GDPR compliance is not optional, but a legal requirement.