GDPR Compliance for Frappe Cloud and Frappe School
The blog gives a compact account of the measures taken to accomplish GDPR compliance for the two celebrated verticals of Frappe Technologies, Frappe Cloud and Frappe School.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation is the strictest data privacy and security law introduced and passed by the European Union. GDPR came into effect on the 25th of May, 2018 and it has, ever since, been the talking point for the open-source community. Be it lawyers, data privacy professionals, or developers, everyone is trying to get an understanding of the wide-reaching implications of this ace privacy legislation. One of the reasons why GDPR is so talked about is because of its wide applicability which surpasses the geographical boundaries. The GDPR applies to the scope of the business activity and the location it is performed at, as opposed to the location of the business’ headquarters. As a result, it becomes conformable to businesses outside of the European Economic Area (EEA) if the data processing activities are such that they facilitate the provision of goods and services to EU citizens or keeping a track of their behavior and choices. This is what makes it a global law in its application. In addition to this, the GDPR also has a reputation of imposing harsh fines to the tune of 20 million euros or 4 percent of the annual global turnover of a company for serious violations and 10 million euros and 2 percent of the annual global turnover of the company, whichever is higher, for less serious violations making it a costly mistake. The financial consequences can amount to hundreds and millions of euros depending on the breach committed. Thus, it becomes clear that the compliance to this law is non-negotiable despite it being a tedious affair considering the law’s scale and complexity.
At Frappe, we believe in building a robust, resilient and top-notch ERP product. As one of the means to that end, we have built our own cloud hosting and deployment platform - Frappe Cloud. Frappe Cloud helps in the execution of scores of ERPNext instances with numerous custom extensions and apps. As of 07th December 2021, Frappe Cloud is GDPR Compliant. To satisfy the compliance requirements of GDPR, we first worked out a list of compliances that were set out by the EU legislation, and prepared a checklist that would help us gauge the level of compliance displayed by Frappe Cloud. The checklist enumerates the requirements, its contents, how to accomplish them, and whether it has been complied with or not as separate columns. This helped us identify our pain points and strategise a course of action to establish conformity with the GDPR essentials relevant to Frappe Cloud.
In addition to Frappe Cloud, Frappe Technologies’ other celebrated vertical, Frappe School is also GDPR compliant. The compliance is effective from the 11th of March, 2022. Just as Frappe Cloud, Frappe School also has the below-mentioned policies and procedures established for ensuring complete congruence with the legislation.
- The limit to which it is applicable or its scope
- A detailed account of the kinds of information collected
- How they are collected and their purposes defined
- Third parties involved
- The rights of the Users, and how they can exercise their rights.
Rights of the User
GDPR compliance requires the display and execution of the data privacy principles, rules and regulations enshrined in it. Thus, keeping a record of processing activities carried out,providing for convenient methods to request access to one’s personally identifiable information, its correction and deletion, having a data request management mechanism and personnels dedicated to carrying out the above activities prescribed by the EU Data Privacy Law becomes relevant.
For the execution of the user rights to erasure, to access and rectify information we have a dedicated email account called firstname.lastname@example.org which provides the User with the requested information on receiving an email to that effect. For our customers in the EU and UK region we have Prighter, our privacy representative and point of contact for such customers.
For exercising User rights, Frappe School Users are provided with the following email address email@example.com where they can mail their requests with the subject line, “ Data Subject Request”.
Most importantly, the policies require to be updated from time to time to ensure that the technical developments are in line and are compliant with the legislation.
As a company that provides cloud storage services, we host data on our servers which makes us Data Controllers. As Data Controllers, we are duty bound to protect the information that is entrusted with us and in order to meet that end, we are now an ISO 27001 and ISO 9001 certified company. The former primarily lays down an Information Security Management System to manage the security of its assets whereas the latter takes quality of product and user satisfaction as its primary area of concern. At Frappe, we have ISO 27001 compliant internal policy documents such as the Data Access Control Policy, Data Backup Policy, Incident Management, Patch Management, Log Management, and Password Management Policies amongst others that contribute to our information security architecture, making it more effective, resilient and sustainable. We also have a Security Vulnerability Reporting Mechanism in place in order to overcome the risks and vulnerabilities faced by Frappe.
Just as important as laying down privacy by design infrastructure, the technical landscape must include a robust and resilient data backup, authentication, and protection mechanism. Protection of internal drives or hard drives and putting checks on their accessibility are essential in the interests of integrity, confidentiality, purpose limitation, data minimisation, and accuracy.