Article 15 GDPR: the access right simply explained
The right of access is defined in Article 15 of the GDPR as follows:
For you, this means that persons from whom you have stored personal data such as the name, address, mail address, health data, etc., can request information about this data from you at any time informally and without justification. The information on this data may relate, for example, to the processing purposes, the categories of personal data and the recipients or categories of recipients to whom the personal data are disclosed. If a person makes use of this right of access, the person in your company who is responsible for data protection must also provide the person with information about this without delay. Here, a period of one month should not be exceeded, because high fines may be imposed here, like in other GDPR-related cases. You must provide the applicant with a copy of the personal data that is the subject of the processing.
In this process, it is really important that when a request for access is made, you first check the identity of the person making the request. If it is a fake request, this may result in a data breach, from which very high penalties would follow.
Article 15 GDPR in Atlassian: the access right in Jira and Confluence
If you use the agile software Jira or Confluence in your company, you usually have a large amount of personal data stored. This could be for example data from customers or from current/former employees that you have stored in a Jira ticket or a Confluence page.
If a person makes use of their right of access and asks you for stored personal data, it is essential to be prepared. After all, you should have processed the request within one month at the latest. To do this, you should be able to gather the requested data as quickly as possible and have established a process for searching for the data.
For this process, there are built-in options in Jira and Confluence that you can use to search for the data. We will present these to you in the following.
Out of the box solutions for the access right in Jira
Meeting the right to information, with Jira’s built-in capabilities, can be very complicated. The first thing to note here is that you need Jira admin rights to query the data.
The search here is done through a series of custom scripts that need to be run manually by administrators. When searching, you need to apply different procedures for structured data of a user profile (user names, names, and email addresses) and free textual data respectively. The procedures for free textual data differ again for Jira issues, logs, backups and other entries. For the respective procedures, partly Rest APIs, partly JQL searches, partly SQL searches are used (a description of the individual procedures can be found here).
However, these procedures have some limitations. Personal data in attachments cannot be accessed by the procedures, which greatly limits the search. This requires access to the database for the execution of SQL scripts.
Out of the box solutions for the access right in Confluence
Personal data that is often stored in Confluence includes user profile information such as: Website, phone number, position, department, and location. In this regard, avatars, usernames, display names, and email addresses are among other information often processed in Confluence.
If you are a Confluence Cloud user and receive a request for information, you can submit a support ticket to Atlassian, through which the support will gather the content of the requested user and send it to you. Unfortunately, this option is not available for Server or Data Center. For Confluence Server/DC, some custom scripts are provided by Atlassian (learn more). Even with this method, many users may reach their limits because numerous resources have to be spent.
How to handle the access right with “GDPR (DSGVO) and Security for Jira”
While the methods built into Jira and Confluence are very nerve- and time-consuming, the Atlassian ecosystem offers simple solutions to deal with the right of access: the apps “GDPR (DSGVO) and Security for Jira” and “GDPR (DSGVO) and Security for Confluence”. They are a complete toolkit to work in Jira and Confluence in a guaranteed GDPR-compliant way. For the correct handling of right of access requests, “GDPR (DSGVO) and Security for Jira” offers the Data Cleaner module and “GDPR (DSGVO) and Security for Confluence” the User Anonymizer module.
The Data Cleaner module, which allows you to find the personal data in Jira you need within minutes. A simple JQL search is used for this purpose detailed instructions on how to use the Data Cleaner module can be found here).
How to edit the access right with “GDPR (DSGVO) and Security for Confluence”
The use of the User Anonymizer module in “GDPR (DSGVO) and Security for Confluence” is relatively similar to the Data Cleaner module, but here a CQL (Confluence Query Language) search is used. Using the built-in “Dry Run” feature, the content is displayed and can then be summarized and sent to the person who made the request. With a few clicks, your result will look like this:
The acess right in Jira & Confluence – a conclusion
The comparison of the two variants for dealing with the “right of access” was clearly won by the apps “GDPR (DSGVO) and Security for Jira & Confluence”. These offer quick and straightforward solutions, without complex workarounds and incomplete results. Moreover, the two apps not only provide quick answers for this use case, but also deliver attractive added value beyond data protection, such as in authorization monitoring (learn more about authorization monitoring). The apps are a complete toolkit to become fully GDPR-compliant in Jira and Confluence in a simple and fast way.
Curious? Try “GDPR (DSGVO) and Security for Jira and Confluence” now for free for 30 days on the Atlassian Marketplace: