Four easy questions to check if you are fully GDPR compliant

In today's data-driven world, people are increasingly concerned about possible data breaches and the theft of important information. In order to protect its citizens, the EU Parliament adopted the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. In this article, we are going to look at the key elements of the GDPR and offer you a simple checklist to see if you are fully compliant.

If you are wondering whether you are affected at all, then the answer is probably yes. Regardless of where your company is based, the regulation affects you if you supply goods or offer services to EU citizens or companies.

The idea behind the GDPR is quite simple: it is meant to give EU citizens the right to know and decide how their personal data is being collected, stored, processed, protected and deleted. Simple as it may sound, the regulation sets a very high standard and many companies find themselves struggling trying to comprehend its requirements and put all the necessary systems and processes in place. However, non-compliance may result in hefty fines (up to 4% of annual global turnover), high legal costs and significant reputational damage. Therefore, we believe it is high time we all understood what the GDPR entails and took the steps to ensure compliance.

Key elements of the GDPR

First of all, let's examine the main elements of the GDPR in more detail.

Personal data. Personal data is any information relating to an identifiable person, which can be used to directly or indirectly identify this person. It includes name, surname, address, email address, phone number, Social Security number, IP address, medical and biometric data, etc.

Consent. The conditions for consent have also been strengthened. According to Article 4(11), consent should be "freely given, specific, informed and unambiguous". In other words, your request for consent should be easily accessible, intelligible and state the purpose of collecting data in plain language. It must also be as easy to withdraw as it is to give. For more information, see "Be GDPR compliant: everything you need to know about getting consent in Jira and Confluence".

Pseudonymization. It means that personal data is processed so that it can no longer be attributed to a specific person without additional information, and that additional information (for example a key or a lookup table) is kept separately from the pseudonymized data.
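To make the definition concrete, here is an added example (not code from the article or from the product it advertises) of keyed pseudonymization: identifying fields are replaced by an HMAC-SHA256 token, and the key plus the token-to-value table are the "additional information" that must be stored separately. A plain unkeyed hash would not qualify, because low-entropy values such as email addresses can be recovered by hashing guesses; the key is what stops that. The key and the sample record are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Constructed demo key. In practice this would come from a secrets manager
# and live in a different system than the pseudonymized records.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


@dataclass
class Pseudonymizer:
    """Replaces identifying values with keyed tokens.

    The key and the lookup table together are the 'additional information'
    in the GDPR sense: whoever holds only the tokens cannot re-identify
    anyone, and whoever holds the key can re-identify on request.
    """

    key: bytes
    _lookup: Dict[str, str] = field(default_factory=dict)

    def pseudonymize(self, value: str) -> str:
        # HMAC rather than a bare hash: without the key, an attacker cannot
        # test candidate values (e.g. a list of email addresses) against tokens.
        token = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        # The reverse mapping is kept on the key holder's side only.
        self._lookup[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token; only possible with access to the separate table."""
        return self._lookup.get(token)


def pseudonymize_record(record: Dict[str, object], fields: Iterable[str],
                        p: Pseudonymizer) -> Dict[str, object]:
    """Return a copy of `record` with the named identifying fields tokenized.

    Non-identifying fields (the useful business data) are left untouched, so
    the record keeps its value for reporting while no longer naming a person.
    """
    out = dict(record)
    for name in fields:
        if name in out and isinstance(out[name], str):
            out[name] = p.pseudonymize(out[name])
    return out


if __name__ == "__main__":
    # Constructed sample record resembling a support ticket.
    ticket = {"id": 42, "email": "alice@example.com",
              "reporter": "Alice Example", "summary": "Login fails after upgrade"}
    holder = Pseudonymizer(key=SAMPLE_KEY)
    safe = pseudonymize_record(ticket, ["email", "reporter"], holder)
    print(safe)
    print("re-identified:", holder.reidentify(safe["email"]))
```

The same value always maps to the same token under one key, so pseudonymized records can still be joined and counted; a different key (for instance per environment) yields unrelated tokens, which limits what a copy of one dataset reveals about another.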

Right to be informed. Data subjects have the right to be informed that their personal data is being collected and processed. You must also provide privacy information to the data subject at the time you collect their data (for the full text, see Article 13).

Right to access. It means that data subjects can obtain information as to whether or not their personal data is being processed, the purposes of the processing, the period for which the data will be stored, the recipients to whom that data has or will be disclosed, etc. (for the full text, see Article 15).

Right to be forgotten. It entitles the data subject to have the data controller erase their personal data without undue delay (for the full text, see Article 17). Now, this rule might be tricky to implement - on the one hand, you have to erase all the personal data completely, on the other hand, you don't want to run the risk of losing valuable data which may be associated with the user, as data subjects are not just your customers, but also your employees. With our solution, you can use simple JQL queries to anonymize personal data across Jira and Confluence without having to delete important information.

Breach notifications. Breach notifications are now mandatory. It means that you must report all breaches to data subjects and supervisory authorities within 72 hours of becoming aware of the breach (for the full text, see Articles 33 and 34).

[Image: GDPRAtlassian.jpg]

It is getting serious

Ensuring compliance may be challenging, especially for smaller companies which might not have sufficient resources or expertise to handle all the requirements. In fact, many research reports show that a lot of companies are still not fully compliant. However, the stakes are getting higher.

We all remember the high-profile case of Google, an American technology giant, which was fined 50 million EUR at the beginning of 2019 for not properly disclosing to its users how their personal data is collected and stored across its services.

Later this year British Airlines were fined a record £183.39 million (1.5% of the company's total revenue for 2018) following the data breach that took place the previous year. British Airlines were accused of poor security arrangements, which led to the leak of sensitive personal data, including credit card details and personal addresses, of hundreds of customers.

More recently, Österreichische Post AG, an Austrian post company, had to pay 18 million EUR for creating and selling a register containing personal data of millions of Austrian customers.

Deutsche Wohnen SE, a German real estate company, is also being fined for failing to provide an archiving solution that would allow for the erasure of data that was no longer necessary. The imposed fine amounts to 14.5 million EUR, which constitutes 2% of the company's annual turnover.

As you see, the new legislation is going to affect everyone. Of course, you can keep your fingers crossed and hope that your company will never be checked (which, we believe, is wishful thinking), or you can cover your back with a useful tool for Jira and Confluence. See how it works.

Check yourself

If you are not sure of your regulatory compliance status, you can check it by answering the simple questions below:

  • Do you know what personal data you have and how and where it is stored?
  • Do you manage the process of getting consent from data subjects in a proper way?
  • Can you prove how personal data is stored and used and for what purpose?
  • Have you set up appropriate processes to manage breach notifications, the right to be forgotten, the right to access, etc?

If you answered "No" or "Not sure" to any of the questions, you might actually be in trouble. Many companies unknowingly overlook some aspects and think they have all the pieces in place — until a regulator comes knocking on the door or an unhappy customer complains, whereupon the company discovers that its data protection system isn't as robust as it was thought to be.

Sounds daunting? We know exactly how you feel - after all, our company is also affected by the GDPR. That is why we have put together a team of our best professionals to develop a solution that will cover all your GDPR compliance needs. Keep ahead of the requirements and become fully compliant now in a swift and easy way with our solutions for Jira and Confluence: GDPR (DSGVO) and Security for Jira, and GDPR (DSGVO) and Security for Confluence.

Do follow us on LinkedIn, Facebook, and Twitter.

2 comments

Interesting article. I notice the links in the last paragraph point to GDPR (DSGVO) and Security for Confluence for Server and Data Center, but what about companies using Atlassian products such as Jira and Confluence on the cloud?

@Mike Bowen thank you for your question. GDPR (DSGVO) and Security for Jira for Cloud is already available, but for now contains only the Information Announcement module; adding the others is in process. The GDPR (DSGVO) and Security for Confluence for Cloud release is also in process, we are working on that. Today we posted a second article about GDPR compliance: https://community.atlassian.com/t5/Compliance-articles/Be-GDPR-compliant-ensure-the-right-to-erasure-find-and-anonymize/ba-p/1282676 We would be grateful for any feedback from you. Thank you in advance :)

Posted in Compliance