GDPR and ERP: the checklist for an SME

Your ERP centralizes the company's most sensitive data: customers, employees, suppliers. Here's a concrete checklist to bring your management software into compliance with the GDPR, without needless jargon.

Why the GDPR directly concerns your ERP

An ERP is not a tool like any other from a regulatory standpoint. It aggregates personal data by nature: customer records, prospect details, employment contracts, payslips, purchase histories, support tickets. As such, it becomes the nerve center of your compliance with the GDPR, the General Data Protection Regulation in force since May 2018.

For an SME, the good news is that achieving compliance doesn't require a full-time law firm. It rests on a structured and documented approach. The checklist below covers the key requirements to review, processing activity by processing activity.

The GDPR checklist for your management software

1. Keep the record of processing activities (Article 30)

This is the cornerstone of compliance. The record of processing activities lists, for each purpose (sales management, payroll, prospecting, support), the categories of data collected, the data subjects, the recipients and the retention periods.

Best practices for an ERP:

  • Map every module that handles personal data (CRM, HR, invoicing, support).
  • State the precise purpose of each processing activity — no "just in case" collection.
  • Update the record with every new feature or integration.

Keeping this record is mandatory as soon as you process data on a regular basis, which is the case for any SME using an ERP.

2. Identify the legal basis for each processing activity (Article 6)

Every processing activity must rest on one of the six legal bases provided by the GDPR. The most common in SMEs:

  • Performance of a contract: invoicing a customer, managing an order.
  • Legal obligation: keeping accounting records, declaring payroll.
  • Legitimate interest: reasonable B2B prospecting, system security.
  • Consent: newsletters, marketing cookies, B2C prospecting.

The frequent trap is invoking consent everywhere. In reality, your CRM most often rests on performance of the contract or legitimate interest, and the HR module on legal obligation. Document the chosen basis in the record.

3. Frame your sub-processors: the DPA (Article 28)

As soon as your ERP is hosted with a provider, or it integrates with third-party services (payment, emailing, accounting), these players become your sub-processors within the meaning of the GDPR. You must sign a DPA, or data processing agreement, with each of them.

This contract notably specifies:

  • The subject matter and duration of the entrusted processing.
  • The security measures implemented by the sub-processor.
  • The prohibition on engaging a further sub-processor without authorization.
  • The commitment to assist in the event of a data breach or a request to exercise rights.

Require this document from your ERP vendor before signing. It's a marker of regulatory maturity.

4. Define retention periods

The GDPR imposes the principle of storage limitation: data must not be kept indefinitely. For each category, set a justified period:

  • Active customer data: throughout the contractual relationship, then intermediate archiving.
  • Accounting records and invoices: the legal retention period (several years depending on the nature).
  • Inactive prospects: generally a few years after the last contact.
  • HR data: according to the applicable employment-law obligations.

A good ERP lets you schedule the automatic purge or archiving of records at the end of their period, rather than accumulating data with no use.

5. Enable data subjects to exercise their rights

Your customers, employees and prospects have rights that your system must be able to honor within one month:

  • Access: provide a copy of the data held.
  • Rectification: correct inaccurate information.
  • Erasure (the right to be forgotten): delete data when the purpose no longer exists.
  • Portability: return the data in a structured, machine-readable format.
  • Objection: stop a processing activity, particularly prospecting.

Check that your ERP centralizes these functions rather than forcing you to search manually across ten modules. The ability to export and anonymize a record in a few clicks is a decisive selection criterion.

6. Check hosting and transfers outside the EU

The place of hosting matters. Hosting within the European Union simplifies compliance, because the data remains subject to the GDPR without additional transfer formalities.

If your vendor hosts or replicates data outside the EU, specific safeguards are required (standard contractual clauses, an adequacy decision). Ask clearly: where is my data stored, and who can technically access it? Sovereign hosting in Europe removes much of the uncertainty.

7. Secure the data (Article 32)

Compliance requires technical and organizational measures proportionate to the risk:

  • Encryption of data in transit (HTTPS) and at rest.
  • Strong authentication and fine-grained access management by role (RBAC).
  • Access logging and a tamper-proof audit trail.
  • Regular backups and a tested recovery plan.

Granular access control is essential: a salesperson doesn't need to see payslips, and an HR manager has no business consulting the sales pipeline. A well-designed multi-tenant ERP partitions these perimeters by default.

8. Minimize and anonymize

The principle of minimization requires collecting only strictly necessary data. Use any audit to remove unnecessary fields.

For statistics or reporting needs, favor anonymization or pseudonymization: data that is irreversibly anonymized falls outside the scope of the GDPR, which lightens your obligations while preserving analytical value.

The ERP as an ally of your compliance

Well chosen, your management software becomes a compliance lever rather than a source of risk. Centralizing data in a single system — equipped with document management, an audit trail and export/erasure tools — radically simplifies the work of the data controller or the DPO.

Also consider appointing an internal compliance contact, even without a mandatory DPO, and training your teams in good reflexes: a data incident often stems from human error, not a software flaw.

Discover eyeot

eyeot is a French ERP designed for SMEs that care about their compliance: hosting in Europe, role-based access management, an audit trail, and data export and anonymization functions. If you want to evaluate the solution under your real-world conditions, the free individual account lets you try it with no credit card and no time limit. A good opportunity to turn a regulatory obligation into a quality initiative.

On the same topic

CRMHuman resourcesDocument managementGDPRDPADPOEDM (electronic document management)
All articles

Try eyeot for free

eyeot is a French all-in-one ERP for small and mid-sized businesses, hosted in France and GDPR-compliant. Free for individuals (1 user, every module); simple team packs for companies.

Create my free accountSee pricing