AMA: Data privacy with Kelly Gertridge, Head of Privacy

Kgert
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 4, 2021

Hi all,

My name is Kelly and I’m the Head of Privacy at Atlassian! In the 3 years since I’ve joined Atlassian, coincidentally right after GDPR went into effect, the world of data privacy and legislation has really become a game-changer. If you feel like privacy laws are evolving quickly, you’re not alone. Even in the last year, we saw the Schrems II ruling invalidate the EU-US Privacy Shield and the Court of Justice of the European Union first confirm and then the European Commission update the Standard Contractual Clauses (SCCs) to ensure personal data transferred out of the EU continues to remain compliant with GDPR.

It can be a whirlwind for all organizations involved, which is why our team is always focused on creating transparent policies that handle data based on what’s in the best interest of our customers and offer them the tools they need to perform their own risk assessments. In response to the latest SCCs update, we’ve updated our Data Processing Addendum (DPA) to incorporate the updated SCCs and European Data Protection Board guidance, including:

  • Additional details on where, when, and how we handle our customers' personal data

  • Greater transparency about the measures we’ve put in place to protect against government requests for a customer’s personal data

  • Necessary materials for customers to do a risk assessment commonly referred to as a data transfer impact assessment

We’ve regularly heard from customers how complicated it is to navigate this always-evolving landscape and wanted to open this forum up to help you understand how Atlassian meets these requirements.

Here's how it works:

Add your questions below any time during the month of October. Be sure to take a look at other community members’ questions and up-vote those that you find interesting.

You can expect to see answers from me and my team rolling in on a weekly basis. Watch the page and be ready to add follow-up questions and discuss further with other Community members. 

Note: The information provided by Atlassian here is not legal advice. Customers are responsible for making their own independent risk and data privacy assessments.

Cheers,

Kelly

3 answers

5 votes
Andrei Pisklenov _Actonic_
Atlassian Partner
October 26, 2021

Hi @Kgert 

We've found a Cloud feature planned for future releases (https://www.atlassian.com/roadmap/cloud?status=future&selectedProduct=&search=data%20leak):

Data leak prevention
Jira Software, Confluence, Jira Service Management

Tools to help you identify, quarantine, and remediate sensitive data in our products

1. Do you have any details about this functionality?

2. Is it connected with GDPR? 

Narmada Jayasankar
Atlassian Team
November 16, 2021

Hi @Andrei Pisklenov _Actonic_ 

1. We don't yet have details to share on the Data Leak Prevention (DLP) feature. We are starting to explore the customer requirements for it and once we have a clearer idea, we will have more to share.

2. No, DLP is not directly connected to GDPR. Atlassian cloud products and platform are fully compliant with GDPR. Any new capabilities we develop will also be GDPR compliant out of the box.

Hope that helps!

0 votes
marc -Collabello--Phase Locked-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 12, 2021

Hi @Kgert , when can we expect a reply from you or your team?

Hosana
Atlassian Team
November 16, 2021

Hi @marc -Collabello--Phase Locked-, please see our answers below:

  1. Atlassian has implemented supplementary measures in alignment with EDPB guidance; please see Step 4 of our Data Transfer Impact Assessment guide for a list of the measures we have taken.
  2. GDPR allows for the transfer of data outside of the EU as long as it abides by the Standard Contractual Clauses, which you can find in our Data Processing Addendum.
  3. User account data is not in scope for the data residency solution at this time; more information about why it is not in scope is available here in the section for "Why we don't pin user account information data". User account data was limited to a single location during our GDPR implementation to align with data minimization guidance.

     It is important to note that the supplementary measures outlined by the EDPB contain use case examples of ways a company can secure data exported from the EU in alignment with the GDPR, but the recommendations do not contain an exhaustive list of measures a company must take (so the guidance does not say data residency is required for all data). Instead, each data exporter is responsible for reviewing the totality of the measures taken, and determining if those measures sufficiently protect the data. Atlassian has created a Data Transfer Impact Assessment guide to assist customers in reviewing all supplementary measures taken by Atlassian.
  4. These issues are ones that a lot of global companies need to grapple with, not just Australian companies, given that laws like the Assistance and Access Act can apply to any companies that operate in Australia (much like the GDPR operates in relation to European data subjects).

     As for which land stands above another, we do not see this as an issue of some laws standing above others. When it comes to these particular laws, although it is a highly technical area, both laws have provisions that account for the lawfulness (or otherwise) of processing data in accordance with the sorts of requests contemplated under the Assistance and Access Act, and we consider those carefully when seeking to understand how we will apply them.

     With that said, we understand that the Assistance and Access Act has caused some concern internationally, and we want to confirm that Atlassian does not provide unfettered access to data in our products to any government, including in Australia.

Hope that clarifies things a bit more!

0 votes
marc -Collabello--Phase Locked-
Community Leader
October 26, 2021

Hi @Kgert ,

I've got some questions regarding GDPR and data privacy:

  1. When is Atlassian going to implement the Recommendations on supplementary measures for GDPR? I think this is needed, especially with regard to storage of user account data in the US and data residency.
  2. If I understand correctly, Atlassian data residency means the "primary" residency of customer data. However, it seems that Atlassian transfers these data, and might cache them outside of the primary data residency region. How is that compatible with GDPR, as you need to guarantee not to transfer your data?
  3. Is Atlassian going to store user account data in the primary data residency region? If not, how is that handled with regards to GDPR and the above-mentioned "supplementary measures"?
  4. As Atlassian is an Australian company, it falls under the Assistance and Access Act 2018. How is that compatible with GDPR? Can you elaborate which laws stand above which? I.e. is Atlassian going to follow Australian law with the Assistance and Access Act, or is Atlassian going to follow EU law with regards to EU data?
