GDPR is coming. Have you heard about the “dreaded” GDPR?
I bet you have.
Everybody seems to know a bit about it, yet nobody really seems to truly understand how it will impact them, or even what measures to take.
A heads up, in this article we will not really get into the details of GDPR itself. You can just Google a bunch of articles to get to that.
Instead we will share with you some actionable tips you to implement GDPR as a Jira-user or Jira administrator.
This way you will not be caught off guard by anything GDPR might throw at you. Instead you’ll be armed and ready for ultimate compliance-measures.
So let’s get into it.
What is the GDPR again?
The General Data Protection Regulation (GDPR) is a far-reaching new piece of legislation which is intended to give EU-citizens more visibility and control over the personal information that companies hold about them.
As businesses prepare for the new legislation, they are reviewing how they collect, store and use data on individuals across their systems. Of course, this includes Jira.
If you store personal information relating to customers or staff on Jira, then you may need to change how you work in order to ensure that you are compliant.
What does it mean to be GDPR “compliant”?
The legislation comes into force on 25 May, 2018, and applies to all businesses, of all sizes, with customers or staff in the European Union.
Individuals will be able to ask your business:
– What information you hold on them
– How personal information is being used
– For personal information to be altered or removed; or for it not to be used
Naturally, the above has significant ramifications as to how you use Jira. You should also be able to:
– Explain why you have customers’ personal information and what it’s being used for
– Actively remove data that is inaccurate or out of date, or that is not being used
– Explain who is responsible for the data
– And allow users to export their data
Personal data, which you might have stored on Jira, includes:
– Location data and identification numbers
– Any other online records that might identify individuals (yes, even IP’s)
The following details are considered particularly sensitive:
– Race, ethnic origin and religion
– Political affiliation
– Trade union membership
– Health, genetic details and biometric data
– Sex life and sexuality
Minimization of personal data in Jira
One of the working practices advised to ensure GDPR compliance is to practice the minimization of data.
In order to do this, you will first have to locate all the personal information that your business holds in a single, central data store (for example in a CRM). And then minimize the degree to which this is replicated elsewhere.
This makes it relatively easy to find information, to establish what you have and, if need be, to remove it.
It makes sense to limit the amount of personal information that you enter into Jira.
Tip: Rather than talking about specific employees of a client business, you could refer to the name of the company as a whole or the individual’s role in a way that wouldn’t identify them (for example, ‘primary account manager at Client x’).
The advantage of Anonymisation of Jira data
Equally, there will be situations where you need to refer to a specific individual, but can do so while obscuring their identity.
That is called “anonymisation”.
For example, in a Jira issue relating to a customer support ticket, you could refer to the ticket number and the issue but exclude any personally identifying details.
However, keep in mind that alphanumeric codes designated to individuals are also considered to be personally identifying – so you can’t just substitute ID numbers for names if they could be used to identify the individual.
Apps like PII Protector for Jira may also come in useful for identifying, anonymising and deleting personal information across your system.
Using Jira search to identify what information you have
If you want to find all instances of a piece of information in the Jira system, the best place to start is with search.
You can find the search field in the top right of the screen.
This will allow you to search issues, projects, issue descriptions and comments for whatever information you might need. Whether that might be a name, an email address or another keyword.
If you need to refine your search, you can also use filters – for example, “Only My Issues”, “Recently Updated”, “Created Recently” or “Reported By Me”. This way, you can do a targeted search of specific issues or comments that may be problematic.
Of course, it will be important to make information searchable when it is entered in the system.
So if you have to store personal details in the system, make sure that it’s matched with a consistent keyword. This might be the individual’s email address or their first name and last name.
This will ensure that all personal details relating to that individual will be detected with a single search.
If you don’t follow this policy then an initial attempt to remove information may well leave you with data fragments dotted around the system. This way you’ll miss some data. Meaning that you won’t be compliant!
Keep in mind also that information could be added to comments that wouldn’t show up when searching for a keyword. Words like nicknames or abbreviations for example could be a problem here. Because of this, referring to usernames and identifying personal data in a consistent manner is a cornerstone of good practice.
Exporting Jira data
Individuals also have the right to request what information you hold on them.
You can get this information by exporting relevant records.
Once you’ve created a search you can export the selected information as a CSV or an XML file by clicking the export button in the top right of the search screen.
How to delete Jira users completely
As your staff will be able to ask for personally identifying information to be removed, it’s advisable to ask them to minimize the amount of data they enter into the system.
If the account name and associated email address are all the personal information that you hold on an individual, it’s simple to remove this data. You can do this by just by editing the information on the account.
To edit the username and email address of an account, go to “Jira Administration”, then “User Management” and then click “Edit” on the account that you want to change details for.
In the event that the account does need to be deleted, go to “Site administration”. Then select the user that you want to delete – and choose “Delete”.
Keep in mind however, that if they have reported or been assigned issues or have commented on issues, then deleting the user might cause some problems for your system.
This could even break certain searches.
But no worries, there’s a work-around.
You can instead anonymize personal information and then deactivate the account.
In order to anonymize personal data, run searches on the name, username and email address of the relevant individual – and then remove these references from the system.
To deactivate a user go to the “User Management” page, then click “Edit” on the user that you want to deactivate – and then untick “Active”. If you later want to reactivate the user, go to the same screen and click “Active”.
Apps for GDPR
There are a very limited range of apps that promote themselves as assisting with GDPR compliance, but PII Protector for Jira may come in useful.
This app monitors the presence of Personally Identifiable Information on your Jira installation, including addresses, credit card numbers and social security numbers.
It also provides a UI for admins to manage and audit this information and to then erase it if need be.
Making your Jira installation GDPR compliant will also require a number of organizational changes.
These are changes that go beyond having a culture that minimizes the collection and processing of personal information.
Whether you have a Chief Data Officer or not, you’ll need to designate an individual as being responsible for all the personal data that you hold. And you will need to make them aware of what you store in Jira as well as your policies surrounding it.
Of course, in many cases this individual will be setting the agenda.
Given that GDPR makes organisations responsible for breaches, you will also need to enhance your security policies.
And encouraging staff to use password managers (storing robust, regularly updated passwords) is recommended.
In the event that employees suspect a breach – or have potentially responded to a phishing message – it should be made clear that it is imperative that they report this immediately.
BONUS TIP: Synchronize Jira issue data
GDPR also creates challenges when sharing data with other businesses.
However, synchronization solutions are able to overcome this by ensuring that only specified information is shared.
For example, Exalate allows users to determine precisely which fields are shared with partners.
So personal information which needs to be held on the Jira instance can be placed in non-synchronized fields, hence ensuring complete control over the data.
Following these tips should lay the groundwork to ensure that your Jira instance is fully GDPR compliant, and that it stays that way going ahead.
Nevertheless, vigilance is required and particularly so when sharing information with third parties.
However, the most important thing is that your team understands the requirements of the regulation and is able to handle data in a precise and consistent manner. Which will make dealing with any issues in future far simpler and easier.
Back to you! Was this article helpful? What are your thoughts on GDPR? Do you have any additional tips to handle GDPR-compliance in Jira? Let me know in the comments below. I’ll be happy to hear it!