Details
Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 4.2.0
Fix Version/s: Long Term
Component/s: Staff Interface
Labels: None
Description
Related to CORE-2671, part of GDPR.
Right now, staff (with the proper ACL permission) can delete clients that have no invoice, service, or transaction data, under Actions, on a client profile page.
- Add a new Client Profile Action link called Anonymize Client
- This option should have its own ACL permission (enabled by default on install), similar to Delete Client.
Anonymizing a client
When anonymizing a client, we are essentially removing identifying particulars from the client. The client will continue to exist, but all contact and identifiable information will be replaced with a predefined set of details. This allows the retention of certain information, like transactions, which, if a client were deleted, would impact financial reporting.
When anonymizing a client, some information should be deleted, including:
- The client's payment accounts
- The client's email logs
- The client's contact update logs
- The client's authentication logs
The client should be marked inactive.
Anonymize Data Set
The data set used to replace client/contact data should be defined someplace. Whether this is in a language file, or a database or config file setting, is yet to be determined. I would say, though, that since usernames must be unique, even if the client may not log in, we should set a random address @ a predefined domain name.
Restrictions
To anonymize a client, there are the following restrictions:
- No open or recurring invoices, or active services
Display
If possible, this could be done in a modal; if not, it may need to be done in the client profile window like other forms.
Anonymize Client |
---|
Clients may only be anonymized if they have no open or recurring invoices, or active services. Anonymizing a client will update all contact information to predefined values, and cause client logs and payment accounts to be permanently deleted. This process is IRREVERSIBLE. |
[ ] I Confirm this client will be permanently anonymized |
[=======] Enter your staff password |
[Button] |
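
The anonymization flow described above (restriction check, replacement of identifying fields with a unique random address at a predefined domain, deletion of payment accounts and logs, marking the client inactive), as an added example that is not part of the original ticket or the project's code. The SQLite schema, table and column names, placeholder values and the domain `anonymized.invalid` are all assumptions made for illustration.

```python
import secrets
import sqlite3

# Assumed placeholder values; the ticket leaves the real data set undecided.
ANON_DOMAIN = "anonymized.invalid"
ANON_FIELDS = {"first_name": "Anonymized", "last_name": "Client"}
PURGE_TABLES = ("payment_accounts", "email_logs", "contact_logs", "auth_logs")

def make_schema(db):
    """Constructed, simplified schema (hypothetical table names)."""
    db.executescript("""
        CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            first_name TEXT, last_name TEXT, email TEXT, status TEXT);
        CREATE TABLE invoices (client_id INTEGER, status TEXT);
        CREATE TABLE services (client_id INTEGER, status TEXT);
        CREATE TABLE transactions (client_id INTEGER, amount REAL);
        CREATE TABLE payment_accounts (client_id INTEGER, last4 TEXT);
        CREATE TABLE email_logs (client_id INTEGER, body TEXT);
        CREATE TABLE contact_logs (client_id INTEGER, change TEXT);
        CREATE TABLE auth_logs (client_id INTEGER, ip TEXT);
    """)

def blockers(db, client_id):
    """Return the reasons the ticket's restrictions forbid anonymizing."""
    checks = {
        "open or recurring invoice":
            "SELECT 1 FROM invoices WHERE client_id=? AND status IN ('open','recurring')",
        "active service":
            "SELECT 1 FROM services WHERE client_id=? AND status='active'",
    }
    return [why for why, sql in checks.items() if db.execute(sql, (client_id,)).fetchone()]

def anonymize_client(db, client_id):
    """Replace identifying fields, purge logs and payment accounts, mark inactive."""
    found = blockers(db, client_id)
    if found:
        raise ValueError("cannot anonymize: " + ", ".join(found))
    with db:  # one transaction: every change is applied, or none is
        while True:  # random address at the predefined domain, retried until unique
            alias = f"{secrets.token_hex(8)}@{ANON_DOMAIN}"
            if not db.execute("SELECT 1 FROM clients WHERE username=?", (alias,)).fetchone():
                break
        db.execute(
            "UPDATE clients SET username=?, email=?, first_name=?, last_name=?,"
            " status='inactive' WHERE id=?",
            (alias, alias, ANON_FIELDS["first_name"], ANON_FIELDS["last_name"], client_id))
        for table in PURGE_TABLES:  # fixed allow-list, never user input
            db.execute(f"DELETE FROM {table} WHERE client_id=?", (client_id,))
    return alias  # transactions are left untouched for financial reporting
```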