GDPR (General Data Protection Regulation) is a set of rules and regulations in the EU intended to provide more privacy for all individuals within the European Union and the European Economic Area. It applies to all organizations holding and processing EU residents' personal data, regardless of geographic location.
GDPR may not be agreeable to many who believe it will break the internet, but it is about putting users in control of their data. It will force software and data service providers to build their solutions on privacy-oriented design.
Types of privacy data that GDPR protects
- Identity information: name, address, ID numbers
- Web data such as IP address, geolocation, cookies, RFID tags
- Health, medical records, and genetic data
- Racial/ethnic data
GDPR: Better rights management
- Right to consent
- Right to get notified
- Right to be forgotten
- Right to view personal data
- Right to delete own data
- Right to data portability
- Right to data protection
- Right to the restriction of processing
GDPR and open source
GDPR for the solution or the enterprise services.
Most of the open source solutions we have listed here originated in the European Union, and they have enterprise cloud services for the product. Those companies/organizations have published their GDPR compliance pages mainly for their enterprise services, for which they will be held responsible, not for the open source solution itself, as it is the user's responsibility to achieve GDPR compliance on their own installation. However, we have listed them here as an example and guide for anyone who is interested in running a business on one of these services and wants to follow in their footsteps.
Open source GDPR-ready projects
1- Magento eCommerce
Magento eCommerce is an open source self-hosted eCommerce solution (the community edition). It also has an enterprise edition and enterprise services. It's the WordPress of the eCommerce world, as it has a rich ecosystem serving thousands of online eCommerce stores.
Magento has a page dedicated to GDPR that includes a notification about Magento's Data Processing Agreement, a declaration that Magento is Privacy Shield self-certified, "which is the European Commission-approved mechanism that enables the transfer of personal data from the European Union and Switzerland to the United States.", detailed FAQs (Frequently Asked Questions) about Magento and GDPR, and a list of resources to help Magento's customers (merchants) who use Magento to comply with GDPR.
2- EspoCRM
EspoCRM is a widely used open source CRM (Customer Relationship Management) solution. It's used in the USA and Europe in many sectors such as banking, real estate, education, healthcare, manufacturing, and insurance.
EspoCRM was one of the first open source solution providers to comply with GDPR, mainly because most of their customers are located in the EU.
3- SuiteCRM
SuiteCRM is an open source CRM (Customer Relationship Management) solution. It has enterprise features targeting different sectors such as healthcare, retail, tourism, manufacturing, and finance.
SuiteCRM is very popular inside and outside the EU, as it has active developer/user communities and thousands of customers around the world.
SuiteCRM's GDPR page has a detailed list of how SuiteCRM complies with GDPR, as it aligns its workflow, security and privacy features/options with GDPR.
4- Vtiger CRM
Vtiger CRM has a wide range of users around the world, as it has offices in 4 countries. It has a community open source edition used worldwide by thousands of companies. Vtiger CRM is based on SugarCRM.
Vtiger CRM developers have made several changes to the project's codebase to comply with GDPR. They have created a list of Vtiger CRM features that help the customer/user comply with GDPR, which includes: encryption of customer data, automated data processing notification, data access auditing, and double opt-in mechanisms for email marketing.
5- NextCloud: Self-hosted cloud and file sharing platform
NextCloud is a project started by the founder of OwnCloud, the self-hosted cloud platform. It supports multi-user collaboration and file/document sharing. It comes with a rich ecosystem that has many modules for security, encryption, communications and document editing.
Prior to the GDPR deadline (May 25, 2018), NextCloud released a GDPR Compliance Kit, which helps NextCloud's users make their NextCloud installs GDPR-ready. It includes a GDPR checklist and automates rights management for end-users.
6- OwnCloud
OwnCloud is an open source cloud file sharing solution. It's basically the parent of NextCloud; both projects originated from the same founder. OwnCloud provides enterprise services including private cloud services.
OwnCloud has listed the GDPR requirements and the solutions it provides for them; most of those solutions are already implemented as OwnCloud features. It provides client-side end-to-end encryption, server-side encryption with HSM support, multi-factor authentication, file auditing, activity logging, and a ransomware protection application.
7- RocketChat: Open source Chat for teams and groups
RocketChat is an open source real-time communication platform for teams and groups. It provides a self-hosted community edition and enterprise cloud services. RocketChat developers made several changes in the codebase to make it compatible with GDPR. They have also released a summary of their GDPR readiness strategy, as well as a list of the changes to their codebase made to comply with GDPR, such as Right of Access and Right to be forgotten, along with several other modifications.
8- ERPNext
ERPNext is an open source ERP solution with a cloud service for the enterprise that is used by companies around the world. ERPNext is one of the best up-and-coming open source ERP solutions yet, especially for developers, as it provides a powerful platform on which to build applications. It targets many sectors such as healthcare, finance, manufacturing, shipping, and education.
ERPNext's forum and GitHub issue tracker received several posts/issues from its users concerning GDPR compliance. The ERPNext cloud service privacy page was updated to reflect their GDPR-readiness, and some code modifications were made, but there is not enough information about that yet.
9- Axelor ERP
Axelor is an ERP solution aimed at the enterprise. It has a cloud-based service and a free self-hosted open source community edition.
Axelor's GDPR page declares the measures they took to be a GDPR-compliant ERP, such as protecting personal data, a full audit of access to the ERP and personal data, the customer's/user's right to be forgotten, and the right to portability of personal data. Axelor's GDPR page also has a section on "the benefits of an ERP for processing data under the GDPR".
10- Dolibarr ERP/ CRM
Dolibarr ERP is an open source ERP/CRM solution that is used in several European countries including France, Italy, Germany, and Greece. Dolibarr ERP developers have provided a GDPR module to help their customers comply with GDPR.
Dolibarr ERP/CRM is written in PHP and has a powerful, rich ecosystem that includes custom paid plugins. It has a GDPR-compliance plugin; though it's not free, it's an easy way to implement the features required to make it GDPR-ready.
11- Matomo: Open source Web Analytics
Matomo is a self-hosted open source web analytics platform. It can easily be configured to be GDPR-compliant, as its developers have added built-in features for this, such as automatic data anonymization, the right of access (allowing visitors to access their data), support for “Do Not Track”, and anonymization of historical data.
Matomo also provides a GDPR service to help its customers get their Matomo installation ready for GDPR compliance. There is also a well-written article/tutorial on Matomo's blog to guide Matomo's users in making it GDPR-compliant. I believe all of the open source solutions should follow in Matomo's steps.
12- Open Web Analytics (OWA): Self-hosted Web Analytics
Open Web Analytics was our top pick in Open source Web analytics & Google Analytics alternatives because they take data collection seriously. Analytics and tracking scripts are often called into question when it comes to users' privacy.
Open Web Analytics developers have been making changes to the codebase for a year to align it with GDPR, though there is not enough documentation about GDPR compliance.
13- GrandNode eCommerce
GrandNode is an eCommerce solution based on ASP.NET and MongoDB. The developers released the community version as a free open source edition. GrandNode is modular, has multi-lingual support, has native development support for iOS and Android, and is highly customizable.
GrandNode admins have published a detailed article explaining how to meet GDPR requirements with their solution, and they declared that they have implemented more privacy features and privacy options in their following release, including the community open source edition. In GrandNode, users can now export the data collected by the system and delete their account and data, and there is automated consent for the market processes and data collection.
14- 0 A.D.: Open source real-time strategy game
While many solutions are struggling to comply with GDPR, 0 A.D., the open source real-time strategy game, has achieved that. In its release "0 A.D. Alpha 23 (Ken Wood)", it gets a new User Data Protection policy to make it GDPR-compliant; the policy covers the Wildfire Games online services, which allow users to join the game servers to set up online multiplayer matches.
15- WordPress
WordPress is a well-known open source blog/CMS. It got some improvements and updates to its codebase in its latest version to comply with GDPR. WordPress also has several plugins/extensions to make a self-hosted WordPress installation GDPR-compliant. WordPress is a popular open source product, as it is being used on millions of websites, so it is backed by a huge community of users, developers and designers. It has many tutorials to help its users make it fully GDPR-compliant.
16- Zenario CMS
Zenario CMS is a free open source CMS built for designers. It supports multi-site installation and management from the same install, multi-lingual support, built-in SEO options, option-rich user management, GIS data support, and a datasets management tool, and it has a modular architecture that makes it easy to build applications and extensions for it.
Zenario CMS declared on its dedicated GDPR page that it is the best CMS for GDPR, as it has built-in privacy and consent automation tools as well as an automated data deletion engine to delete logged events, form data and temporary user-submitted data. Currently, we have not seen this as a built-in feature in any other project here.
17- Jahia CMS
Jahia is an enterprise CMS for eCommerce and digital marketing.
Jahia is a content portal aimed at the enterprise. It can be customized to work as an eCommerce portal or digital content marketing platform. Jahia is built using Java and Google Web Toolkit (GWT). It has 2 editions: an open source community edition and an enterprise distribution edition.
Jahia has dedicated several pages to explaining how Jahia Solutions helps its users comply with GDPR, which include press releases about Jahia's privacy-awareness products and several videos addressing privacy and GDPR for its users.