Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

The right to be forgotten in Jira & Confluence

Data protection has become an obligatory task for companies, which many consider to be a nuisance, as there is often a lack of insight into this complicated topic. Granted, checking all personal data for compliance and handling it appropriately is of course an extremely demanding task, but the wrong approach can result in heavy fines. Therefore, it is important for companies not to put this extensive task on the back burner and to take it as seriously as possible. A GDPR criterion that you should also not neglect is the "right to be forgotten". It allows individuals whose data have been processed by companies to initiate a request for the deletion of this data by the company.

Also in the Atlassian ecosystem and in its two major products Jira and Confluence, data protection is an essential topic. Here, personal data is often stored on Confluence pages or within Jira tickets. If a request for deletion of personal data is not or only incompletely followed up, this can cause the previously mentioned high penalties. To handle data in a GDPR-compliant way, Jira and Confluence offer some built-in solutions to deal with the "right to be forgotten". However, the Atlassian Marketplace also contains another option for companies to manage data protection within Jira and Confluence: the apps "GDPR (DSGVO) and Security for Jira and Confluence".

In this article, we will present in detail the out-of-the-box options in Jira and Confluence to deal with the "right to be forgotten" and compare them with the solutions offered by "GDPR (DSGVO) and Security for Jira and Confluence".


“Right to be forgotten” Art. 17 DSGVO in Jira and Confluence

The “right to be forgotten” gives every person the opportunity to demand that companies delete all personal data that they have stored about them. This includes, for example, names, usernames, avatars and personal settings. This request must be complied within one month.

What this means for you is if you have data about people stored in your Jira or Confluence, and they request you to delete that data, you should do so as soon as possible.

To do this, you first need to find this data. You can imagine that searching for this data can be extremely complicated, especially if this data is stored in different Confluence pages and/or Jira tickets. In order to avoid the time-consuming search for data within any conceivable Confluence page and Jira ticket, Jira and Confluence include built-in features. In the following, we will present these and compare them with the possibilities of the “GDPR (DSGVO) and Security” app.

Integrated “right to be forgotten” capabilities in Jira and Confluence.

For Atlassian Cloud products, the “right to be forgotten” is fully covered by the ability to submit requests to the Atlassian Support. This applies with the exception of content stored by third-party applications. If you are a cloud user and receive a request for deletion of personal data, you can submit a support ticket to Atlassian, through which the support will anonymize the content of the requested user. However, this option is not available for server and data center users.

For Jira Server and DC, there are certain workarounds for the “right to be forgotten” where you use SQL scripts in your database. Learn more about this in the Atlassian documentation. However, this option can be very challenging and takes a lot of time.

For Confluence Server/DC, there are a number of custom scripts that must be run manually by admins. Learn more about this in this section of the Atlassian documentation. Even with this method, many users may reach their limits and have to spend too many resources.

“Right to be forgotten” solutions with “GDPR (DSGVO) and Security for Jira and Confluence”

The apps “GDPR (DSGVO) and Security for Jira and Confluence” are a complete toolkit for the two Atlassian software programs to become GDPR-compliant in a simple and fast way. For the “right to be forgotten”, the Jira version of the app includes the “Data Cleaner” module. In the Confluence version, the “User Anonymizer” module is used for this purpose. By using these modules, personal data can be found and deleted within a few minutes. This way, the one-month deadline for deleting data is not a problem and anonymizing just becomes a routine task. Through the app, we cover Jira/Confluence server, data center as well as cloud. At the same time, this method is extremely reliable and secure. In the following, we will give you a quick insight into the two modules:

The “Data Cleaner” module — How to find personal data with “GDPR (DSGVO) and Security for Jira”

With the Data Cleaner module, personal data can be found in just a few minutes. For this purpose, a JQL query, which allows you to pick out your desired data in no time, is used. This can then be further filtered by fields and types. The output can be listed according to various criteria. Here, all desired data is found within Jira, which you can then quickly and easily anonymize or delete.

The “User Anonymizer” module — How to find personal data with “GDPR (DSGVO) and Security for Confluence”

Sometimes you need to anonymize the content of certain users in Confluence, for example when an employee leaves the company. For this purpose, the “User Anonymizer” module can be used in Confluence. To make the desired user(s) invisible, the module simply assigns them a substitute username. The scope of the search can be limited by CQL (Confluence Query Language) and the roles of the person can be reset or changed. Extremely useful here is the “Dry Run” function, through which you can first display the affected content. This allows you to check whether everything was selected correctly in the step before.

Conclusion: Jira and Confluence internal solutions vs. “GDPR (DSGVO) and security for Jira and Confluence”

No matter if you decide to use Jira internal solutions or the apps, in any case, data protection and especially the “right to be forgotten” in Jira and Confluence must be taken extremely seriously. If someone asks you to delete personal data, you should do so as soon as possible. Otherwise, you could face heavy fines. It is important to delete the data completely and not miss any.



Log in or Sign up to comment
AUG Leaders

Atlassian Community Events