Right to be forgotten

On May 25th, 2018, the General Data Protection Regulation (GDPR or in Dutch AVG Algemene Verordening Gegevensbescherming) came into effect in the EU, opening a new era of data protection and privacy for everyone. It aims to harmonize and modernize existing privacy legislation and to give individuals more control on their personal data. In principle the legislation is a good thing. It enforces security and privacy behavior to protect sensible and other data, which Therp was implementing long before the regulation anyway. At the same time it's not always clear how far do you have to go and new questions to answer are raised.

Some Therp customers handle sensitive personal data. For example results from employee assessements and tests or data releated to refugees. The new GDPR doesn't allow confidential documents to be sent by email. A portal with a secure connection towards such documents in the customers database, is a solution, meaning of course sensible information exists in the Odoo database. So we need additional restrictions for users of the database to safeguard this information and make sure the database is only accessible for users who have reason to access it (need to know).

With the GDPR every person of course has the right to be forgotten, also known as the right to erasure. And so it happens that people request to be completely removed, not only their name, birthday, contact-data and possible documents with sensible data like test results, but basically every trace they existed at all in Odoo.

This means they want their possible mails, accounts, help-issues, messages in the chatter, work-relations and everything else deleted too. On first sight that doesn't look too complicated, but if you know how Odoo is organized, and for that matter most of the other advanced software for business processes, you know it's not only a cumbersome and time-consuming task, but deleting information is not always possible. Some data you have to keep to maintain consistency or because of the law, like data related to finance. Anonymizing the data is the only solution in such cases.

Manually you can delete attachments, maybe in different menu's, and anonimize most of the personal data of the person in question, which then will carry through many places in the Odoo database. As administrator you can delete mails and login-accounts. Manual methods however are slow to find and cleanse the data. It's also error prone to decide for every request which data to delete and which data to retain.  Some data can't be changed via the user interface because the system won't allow you to (for above mentioned reasons). It's doable if one has to do it now and then. But in the case one has to do it often an automated and intelligent data management module can help. So hopefully we have such a tool soon.

Another aspect of the GDPR is that every data-processor, also Therp, has to sign an agreement with all customers and subcontractors explaining how Therp will comply to the new regulations. This contract is currently in concept and is already reviewed by an expert. Coming August Therp will provide it's example contract.

Odoo Nairobi course