Every company in the world saves data in some way. Freelancers, start-ups and global corporations: There is no company without data from customers, employees, projects or payments. The sticking point is that a lot of this stored data is personal data, which has to be secured.
When companies use systems for processing customer requests (e.g. Jira Service Management) or for project management (e.g. Jira and Confluence), data is stored company-wide. How? Once a customer ticket is submitted, it is processed by customer service, consultants and accounting. To provide the required protection for this data, it's important to know how to search for it in company systems and how to delete it.
Data privacy means protecting personal data from being abused or stored in an unsafe manner. This implies that the data subject has the right of self-determination concerning their data. In Germany, this right is part of the constitution. To clearly delimit it from other data, the data privacy law defines which data is referred to as personal data. In case of violation of those rules, the law also provides sanctions (Art. 77 ff GDPR), which in the past have amounted to fines of multiple millions for well-known companies.
Personal data (PII: personally identifiable information) under the data privacy law is classified as sensitive data. It covers any kind of data that can be used to identify a person, and it is explicitly protected in terms of usage, storage and disclosure.
Examples for personal data (PII)
Name and address
Birthdate
IP address
Social security number
ID card number
Bank account information
License plate
Etc.
Let's keep the answer simple: those who do not will find themselves confronted with massive penalties at some point, because data privacy laws in Europe (known as the GDPR, in Germany explicitly as the DSGVO), but also in countries like the USA and Brazil, set clear rules.
The problem: Even though high sanctions are already being imposed worldwide and the media report on them, many companies still know little about data privacy. Data breaches and risks are overlooked or misjudged. This starts with careless handling of personal data in offices, for example leaving laptops open and unattended at your desk, and extends to data storage in Jira and Confluence.
Atlassian, as the system provider of Jira and Confluence, is jointly responsible for data privacy as well, especially on Cloud instances. Therefore, the Australian company has published a "GDPR Commitment", which officially addresses all kinds of regulations and technical features connected to data privacy in Jira and Confluence. One example is the "right of erasure". ISO/IEC standards are also mentioned. Regarding data storage, Atlassian communicates in detail what its hosting looks like.
But you as a company are responsible for data privacy as well, simply because you sign a contract with your customer, employee etc. and receive their data. If a customer requests information about their personal data, or its anonymization or deletion, it's your responsibility to react.
If PII is stored in a company, handling its security matters. Therefore, you need experts such as data protection officers or admins with the right training. They will establish processes for data storage and processing and for complying with data privacy laws.
This all starts with defining which data is stored, for which purpose, and where it will be saved inside your Jira and Confluence. Users will have to accept those terms at the beginning. When requested, you should be able to find this data quickly, whether in connection with the user's "right of information" or because of their "right of erasure", which means that you will have to delete all of their personal data.
Common ways
Many companies work with self-developed scripts for data privacy, which are supposed to reduce manual tasks and to help with searching for and erasing data in Jira and Confluence. But imagine doing this for hundreds of customers each year, across thousands of data records in multiple projects, support tickets etc. This not only sounds like a lot of work, it actually is. And it is a source of serious errors, which could lead to massive consequences.
The fast, comfortable and safe way with Actonic
We have the right solution for your data privacy issues! For supporting you in being compliant with data privacy laws, we’ve developed our app GDPR (DSGVO) and Security for Jira and Confluence.
Here is what our app does:
GDPR (DSGVO) and Security for Jira and Confluence supports you in announcing your privacy policies to your users and asking for their consent.
Through built-in templates and rules, you're able to search for PII in Jira and Confluence and anonymize it. A step-by-step process guides you towards your goal.
Responsible people can be notified when sensitive data is created inside your Jira and Confluence instance and react to it.
And much more
If you have any questions about this article or about our products, please let me know!
Andreas Springer _Actonic_
Head of Marketing
Actonic GmbH
Germany