Be GDPR compliant, Part 2: ensure the right to erasure, find and anonymize PII in Jira
Jira user anonymization
By Veronika Averina•28. February 2020•Reading time: 5minutes
In our previous article, we looked at an easy way to get and manage users’ consent for personal data processing and tracking online activity with Cookies. However, GDPR is far more complex and comprehensive than it may appear. In this article, we are going to focus on ways of meeting other important GDPR requirements: ensuring the right "to be forgotten" and tracking personally identifiable information (PII) in Jira and Confluence with subsequent deletion or replacement of such information.
Disclaimer: This article does not constitute legal advice. Its sole purpose is to demonstrate ways of ensuring GDPR compliance in Jira and Confluence from the technical point of view. For legal information or better phrasing, please contact your legal department.
Ensuring the right to erasure or the right “to be forgotten”
The reference to the “right to be forgotten” can be found in Article 17 of the GDPR: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;
the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1)“.
Saving data in a cloud
Article 17 means that if an EU citizen requests to have their personal data erased, a company should be able to track and delete them within the established time frame unless there are legal grounds to keep this information.
Atlassian has recently presented some solutions to ensure GDPR compliance in Jira Cloud. For example, a user, whose personal data have to be removed, is assigned a new user name which is a unique combination of letters and numbers. However, some experts name it pseudonymization, as other data, such as comments or descriptions, make it possible to deanonymize almost any active user of Jira. Once a unique ID has been traced back to the actual user, It is easy to match this ID with data in other tickets and even find all the user’s activities through search. Deleting the user and clearing all their activity is also not an option, because in most cases it can be harmful to the business and lead to the loss of valuable information.
Actonic-solutions for Jira & Confluence
Considering the complexity of GDPR requirements, ensuring GDPR compliance in Jira and Confluence may be challenging. While there are many solutions aimed at ensuring the right to erasure, none of them has proven to be perfect. We think that currently the best way to ensure the “right to be forgotten” is to replace all users, whose personal data have to be removed, with a single service user, specifically created for this purpose. In this case, if you have more than 2 anonymized users it will be impossible to trace them back as both of them will appear as a “service user” and with every anonymized user the quality of protection will increase. GDPR (DSGVO) and Security for Jira and GDPR (DSGVO) and Security for Confluence are some of the tools providing this functionality for Server and Data Center.
Vulnerability scanning: finding and anonymizing Personal data
The main GDPR principles include “Data minimization” and “Storage limitation”. According to Article 5, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”. This highlights the importance of having personal data usage under control.
In other words, DPOs or other employees responsible for data protection must be aware when such data appear and perform and monitor further necessary activities, such as deleting data (if the data are outdated or no longer required, if the term of storage is over or the purpose of data processing is no longer relevant) or notify employees if they are not GDPR compliant and need to address the issue.
PII pattern-based search
Unfortunately, currently, there are no default pattern-based search options through ticket fields in Jira and the standard functionality doesn’t allow to search for SSN, phone and credit card numbers, or other data that can be identified as PII. For these purposes, we recommend using GDPR (DSGVO) and Security for Jira or GDPR (DSGVO) and Security for Confluence tools that include extensive pattern-based search through all fields or pages. The app comprises more than 100 various patterns in total, including not only national IDs, SSNs and other PII for the majority of EU countries, but also some kind of sensitive information, such as internal IDs.
Automated comments and notifications
Once PII is found, it needs processing. The app allows to leave standard comments to all vulnerable tickets and create and send automated notifications to employees responsible for these tickets. If the personal data are not important for the company or were added by mistake, they can be automatically deleted or replaced by XXX combinations.
Fast processing and customizable settings
What is especially convenient in GDPR (DSGVO) and Security for Jira or GDPR (DSGVO) and Security for Confluence is that the apps allow to create customized “data rules” and carry out pattern-based search only for new tickets and pages using a flexible time frame for that, for example, “created after the beginning of the week” or “updated after the beginning of the week” till the current date. In other words, you can track the appearance of vulnerable data once a day or once a week and you don’t need to scan all your tickets or pages if you have done it before. Processing only new and updated tickets and pages will be very fast in comparison to processing all the existing ones, which will result in increased efficiency.
At Actonic, we did our best to create a convenient, flexible and customizable solution ensuring GDPR compliance in Jira and Confluence for Server and Data Center and are constantly working to improve it in accordance with our clients’ and customers’ demands. Start your free trial right now to see how it works and let us know what you think. We would be grateful for any feedback and hope that together we will create a comprehensive and all-encompassing app ensuring the highest level of data protection.
For more information on GDPR compliance, check out more articles in this series: