Article 15 GDPR with Atlassian products: The access right in Jira & Confluence - Actonic – Unfolding your potential

Article 15 GDPR with Atlassian products: The access right in Jira & Confluence

The access right in Jira & Confluence


5
(1)

The GDPR law gives individuals whose personal data has been stored by companies various rights to guarantee that this important data is handled in accordance with data protection regulations. One of these rights is the right to be forgotten, which we covered in the first part of this series. Another essential right in relation to the GDPR is the right of access. This obliges companies to provide applicants with information about their processed personal data. Almost every company stores personal data of customers, employees, or partners in some way. Companies that use Atlassian's agile software Jira and Confluence are no exception.

To properly handle the right of access in both software, the Atlassian ecosystem offers several solutions in Jira and Confluence. Built-in capabilities in the software and the apps "GDPR (DSGVO) and Security for Jira and Confluence" are available for data protection officers. In this article, we will introduce you to the two ways to properly handle requests related to the right of access, so that you can make an informed decision about which option you will choose.

Download: GDPR-Checklist

Checklist about your GDPR compliance - read now!

Get GDPR-Checklist
5
(1)

Article 15 GDPR: the access right simply explained

The right of access is defined in Article 15 of the GDPR as follows:

For you, this means that persons from whom you have stored personal data such as the name, address, mail address, health data, etc., can request information about this data from you at any time informally and without justification. The information on this data may relate, for example, to the processing purposes, the categories of personal data and the recipients or categories of recipients to whom the personal data are disclosed. If a person makes use of this right of access, the person in your company who is responsible for data protection must also provide the person with information about this without delay. Here, a period of one month should not be exceeded, because high fines may be imposed here, like in other GDPR-related cases. You must provide the applicant with a copy of the personal data that is the subject of the processing.

In this process, it is really important that when a request for access is made, you first check the identity of the person making the request. If it is a fake request, this may result in a data breach, from which very high penalties would follow.

Article 15 GDPR in Atlassian: the access right in Jira and Confluence

If you use the agile software Jira or Confluence in your company, you usually have a large amount of personal data stored. This could be for example data from customers or from current/former employees that you have stored in a Jira ticket or a Confluence page.
If a person makes use of their right of access and asks you for stored personal data, it is essential to be prepared. After all, you should have processed the request within one month at the latest. To do this, you should be able to gather the requested data as quickly as possible and have established a process for searching for the data.

For this process, there are built-in options in Jira and Confluence that you can use to search for the data. We will present these to you in the following.

Out of the box solutions for the access right in Jira

Meeting the right to information, with Jira’s built-in capabilities, can be very complicated. The first thing to note here is that you need Jira admin rights to query the data.
The search here is done through a series of custom scripts that need to be run manually by administrators. When searching, you need to apply different procedures for structured data of a user profile (user names, names, and email addresses) and free textual data respectively. The procedures for free textual data differ again for Jira issues, logs, backups and other entries. For the respective procedures, partly Rest APIs, partly JQL searches, partly SQL searches are used (a description of the individual procedures can be found here).

However, these procedures have some limitations. Personal data in attachments cannot be accessed by the procedures, which greatly limits the search. This requires access to the database for the execution of SQL scripts.

Out of the box solutions for the access right in Confluence

Personal data that is often stored in Confluence includes user profile information such as: Website, phone number, position, department, and location. In this regard, avatars, usernames, display names, and email addresses are among other information often processed in Confluence.

If you are a Confluence Cloud user and receive a request for information, you can submit a support ticket to Atlassian, through which the support will gather the content of the requested user and send it to you. Unfortunately, this option is not available for Server or Data Center. For Confluence Server/DC, some custom scripts are provided by Atlassian (learn more). Even with this method, many users may reach their limits because numerous resources have to be spent.

How to handle the access right with “GDPR (DSGVO) and Security for Jira”

While the methods built into Jira and Confluence are very nerve- and time-consuming, the Atlassian ecosystem offers simple solutions to deal with the right of access: the apps “GDPR (DSGVO) and Security for Jira” and “GDPR (DSGVO) and Security for Confluence”. They are a complete toolkit to work in Jira and Confluence in a guaranteed GDPR-compliant way. For the correct handling of right of access requests, “GDPR (DSGVO) and Security for Jira” offers the Data Cleaner module and “GDPR (DSGVO) and Security for Confluence” the User Anonymizer module.

The Data Cleaner module, which allows you to find the personal data in Jira you need within minutes. A simple JQL search is used for this purpose detailed instructions on how to use the Data Cleaner module can be found here).

How to edit the access right with “GDPR (DSGVO) and Security for Confluence”

The use of the User Anonymizer module in “GDPR (DSGVO) and Security for Confluence” is relatively similar to the Data Cleaner module, but here a CQL (Confluence Query Language) search is used. Using the built-in “Dry Run” feature, the content is displayed and can then be summarized and sent to the person who made the request. With a few clicks, your result will look like this:

The acess right in Jira & Confluence – a conclusion

The comparison of the two variants for dealing with the “right of access” was clearly won by the apps “GDPR (DSGVO) and Security for Jira & Confluence”. These offer quick and straightforward solutions, without complex workarounds and incomplete results. Moreover, the two apps not only provide quick answers for this use case, but also deliver attractive added value beyond data protection, such as in authorization monitoring (learn more about authorization monitoring). The apps are a complete toolkit to become fully GDPR-compliant in Jira and Confluence in a simple and fast way.

Curious? Try “GDPR (DSGVO) and Security for Jira and Confluence” now for free for 30 days on the Atlassian Marketplace:

 

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Download: GDPR-Checklist

Checklist about your GDPR compliance - read now!

  • Check it yourself!
  • Six essential GDPR-criteria
  • Free download
Get GDPR-Checklist