Be GDPR compliant: everything you need to know about getting consent in Jira and Confluence

Hello, everyone! Today, we are launching a series of articles on the GDPR compliance in Jira and Confluence to help you navigate your GDPR journey. Over a year on after the GDPR inception, many businesses are still struggling to fully understand its requirements and implement data strategies to comply with it. We hope our articles will provide valuable insights to help make your business more compliant with this challenging regulation in a safe and cost-effective way.

As you know, businesses must have a legal basis for data processing, and getting consent is one of the easiest ways to ensure compliance. However, getting consent right will not only legitimise the use of data , but is also an essential part of customer service: it will help build customer confidence and trust, enhance your reputation and set you apart from the competitors.

In this article, we are going to focus on the “Conditions for consent” (outlined in Article 7 of the GDPR) and look at ways of getting users' consent to the storage and processing of their personal data.

Everything that relates to “personal data” is defined in Article 4 (1): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Thus, cookies, first names, last names, and e-mail addresses, which are usually used for marketing purposes, fall within the scope of this definition and should be collected, processed and stored in a way that satisfies the GDPR requirements.

Consent for personal data processing

According to the GDPR, a company cannot use clients' personal data if it hasn't obtained consent for each particular way of interaction. If you collect personal data during the registration process, you cannot send a newsletter with special offers afterwards without asking a person to give the consent for the processing of his or her e-mail address, first name, and last name to receive such e-mails. 

One of the main GDPR principles is “purpose limitation”, which as it is clearly indicated in Article 5, implies that all personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”.

In other words, it is necessary to specify what data you will process for what purpose. For example: “I confirm that I allow Company A to use my first name, last name and email address to contact me by email about personalized special offers”. Similarly, if you are going to collect phone numbers for cold-calling or any other data for any other purpose, remember to indicate it in a clear way.

Case 1. Let’s imagine that a startup SaaS company uses Jira to deal with clients’ reports on bugs and performance issues and wants to use their personal data to send them special offers, product updates and order notifications, to share news, and conduct surveys. Thus, after a client has completed their registration process in Jira, they should give their consent for personal data processing. One of the ways to implement this process in Jira is to use an “Information Announcement” module of the GDPR (DSGVO) and Security for Jira add-on and make a pop-up window with the following text: “I confirm that I allow Company A to use my first name, last name and email address to contact me by email about personalized special offers, relevant news and events, order completion reminders, and surveys” with “Accept” and “Decline” buttons. 

Image 1: Example of a consent request for personal data processing in GDPR (DSGVO) and Security for Jira

Here it is very important to have a balanced approach and stick to the other GDPR principle, “Data minimization”, and to collect only the data you really need. Moreover, including too many options for marketing communication can simply scare a client off, making them hit the “Decline” button.

Cookies in GDPR

Tracking online activity of customers and employees, as it was mentioned before, also falls within the scope of the GDPR. Thus, before starting to collect such data, we also need to get a user’s consent.

The reference to cookies in the GDPR can be found in Recital 30: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them".

According to the main GDPR principles, “Data minimization” and “Storage limitation”, the amount of collected data for tracking online activity must be minimized and kept only for as long as it is necessary for the specified purpose. It is important to indicate what cookies the company uses for what purposes and how long they are kept. Therefore, it is a common practice to create a separate page with the list of cookies’ categories, names, descriptions and expiration dates.

Case 2. Company B uses Jira for client support and wants to track their online activity to target customers with highly specific ads. Standard process of client support includes the following sequence of events: client faces a problem, completes registration process in Jira and creates a ticket. In order to use Cookies in compliance with the GDPR, Company B must ask every client to give consent for tracking their online activity. One of the ways to do it in Jira is to use the “Information Announcement” module of the GDPR (DSGVO) and Security for Jira add-on and make a pop-up window with the following text: “We use cookies to make your online experience better. By continuing to use this website we assume that you are happy to allow the usage of these cookies. Learn more about our Cookie Policy”.

Image 2: Example of a consent request for tracking online activity in GDPR (DSGVO) and Security for Jira

The “Information Announcement” module is very flexible and can be used for any other purposes, for example for getting consent to “Terms and conditions”, or “User Agreement”, etc in Jira and Confluence.

Consent withdrawal

Returning to the issue of the GDPR compliance in Jira and Confluence, it is also necessary to ensure the data subjects’ right to withdraw their consent to personal data storage and processing at any time. Article 7 of the GDPR clearly states that “The data subject shall have the right to withdraw his or her consent at any time”. If a person decides to withdraw their consent or in any other cases related to sensitive information, the first challenge a company will face is to find these data as quickly as possible. Therefore, navigation through all users and consents should be simple and convenient, and filtering and sorting options should be provided. A supervisory authority can also request information on data subjects’ consent as it is specified in Article 7: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. Here again, we need to find and extract this information in a quick, clear and simple way.

The “Information Announcement” module of the GDPR (DSGVO) and Security for Jira add-on has a built-in feature, which allows for finding structured and systematized information on any type of consent requested by the company (Cookies Policy, Personal data processing, Terms and Conditions, etc.) and significantly facilitates the navigation process. In the next article, we will discuss what to do next with the data you have found and how to erase all personal data related information in Jira and Confluence.

Image 3: Example of quick filtering option in GDPR (DSGVO) and Security for Jira 

Thank you for your attention and looking forward to your questions and comments. Do follow us on LinkedIn, Facebook, and Twitter.