Why everyone using Jira must be GDPR-compliant

Did you know that penalties up to 4 % of the yearly company turnover are possible in case of GDPR violations? GDPR regulations are currently mainly relevant for companies in the EU, but countries like Brazil are taking steps in the same direction as well. The list of companies that have already been sanctioned includes European big players like AOK (German insurance company), H&M and VfB (German soccer club), which received penalties ranging from several hundred thousand to more than 35 million euros. This came about, among other things, because customer data was stored and used improperly or because there was no deletion concept or rules for using and maintaining personal data.

Where is the connection between GDPR regulations and Jira in companies?

Many companies use Jira as part of their data storage processes for personal data (also called “PII”: personally identifiable information). They consist of: full names, addresses, e-mail addresses, birthdates, telephone numbers, login data, passwords, bank details etc.

• Customers create tickets, which contain personal data like login data (e.g. in support)
• Applicants send in applications via Jira issue collector
• Potential customers send in requests for licenses and fill out company or bank details
• Relevant data is shared company-wide and maybe even internationally between teams

This proves that personal and sensible data can be part of Jira instances in companies and need underlying GDPR settings for PII handling.

Why you should be GDPR-compliant, especially when using Jira

Personal data is the new oil on today’s markets. Due to personal data business processes in B2B or B2C market can be carried out quickly and accordingly.

For example: Customer John Doe is sending in some of his PII (name, address, credit card number) to a company to purchase their software license.

This is where Jira comes in play: It can be used as a diverse tool for project management, HR, marketing, sales and so on. It stores diverse data, from customers to employees and could contain the most secure personal data like birthdates, telephone numbers or credit card numbers. In most cases personal data is needed for successful business processes, like in the example above. But, major damage is possible in case of data abuse and data spreading as well. Therefore, it’s important to point out that it’s a personal right to get more insight into storage of personal data and to have the right to erasure (Art. 17 GDPR). Therefore, companies using tools like Jira should enable data processing and deletion according to laws.

How does GDPR-compliance in Jira look like and how to achieve it?

Data privacy and GDPR compliance is achieved through data protection officer (DPO) or responsibles and the usage of designated systems, of course with underlying GDPR regulations. Jira offers some useful functions by default, but they are not enough to cover all GDPR needs. A lot has to be done manually and needs monitoring. By using tools that allow checking and editing existing instances and data records, you will be able to set up a GDPR-compliant Jira environment. In the best case: all done automatically, extensively and without errors. Therefore, we definitely recommend using the complete toolkit called GDPR (DSGVO) and Security for Jira from Actonic.

When a GDPR tool is needed in Jira: Scenario 1

Imagine working in an international enterprise, with a dozen of projects, hundreds of employees and thousands if not millions of data elements. If a single customer requests the deletion of his data, employees are responsible to look for tickets related to the customer, to be deleted or anonymized. For some of you this scenario might not be fiction, but reality. This use case does require a tool which is checking issues in Jira automatically and in a time-saving manner, collecting relevant elements and deleting or anonymizing information according to a created rule. The same scenario could take place in case of data deletion from employees or applicants.

When a GDPR tool is needed in Jira: Scenario 2

GDPR is not only concerned with data deletion, but also with announcing GDPR regulations and their approval. So another scenario would be spreading company-relevant information in relation to cookies or regulations for your Jira instance. Maybe you would like to announce new data protection rules for your Jira instance and track, who has accepted it. In case of important changes in those rules you would like to announce them to every user just with one click. Like in scenario 1, you will be in need of a tool that is quickly spreading messages and supports data protection laws in your company.

GDPR (DSGVO) and Security for Jira helps you to achieve GDPR compliance:

• Get insights into data records, storage period and which data is stored in detail
• Search for specific data, for example in single projects or tickets
• Extensive and controlled deletion of personal or sensitive data (right to erasure)
• Extensive deletion without manual tasks for employees
• Create rules and templates for data search and deletion, with the possibility to customize them completely

Here is a glimpse of our app. As you can see you’re able to set up and activate/deactivate individual templates for data cleaning processes. By doing so, Jira tickets can be cleaned out of personal data for example.

Tools like our app GDPR (DSGVO) and Security for Jira can also be used for other use cases:

• informing users about changes in data regulations and asking for approval
• company-wide communication channel for guidelines and changes
• getting consent for different guidelines, cookies or GDPR regulation
• processing recurring tasks, for example anonymizing specific data regularly
• quick and easy communication and documentation
• and many more

Have you spotted some use cases that you would like to easily enable in your Jira instance? Then test our app GDPR (DSGVO) and Security for Jira for free on Atlassian’s Marketplace.