The GDPR became effective on May 25, 2018, and is enforceable in the United States through international laws and trade agreements. If you process personal information relating to European Union citizens, you must comply with the GDPR’s Article 15 information requests from those EU citizens. Additionally, Article 82 of the GDPR provides data subjects with the Right to Compensation and Liability from a Data Processor or Data Controller that its supervisory authority has deemed to be in non-compliance with protecting and handling personal information belonging to those data subjects. The fines associated with a data breach or non-compliance with the GDPR can reach up to 4% of a company’s gross annual earnings per breach.
Given the high stakes involved, Issuetrak can provide some direction with regard to complying with data subject information requests. You remain responsible for understanding your configuration and what data you collect on your customers in an Issuetrak site.
If you receive a GDPR erasure request:
- Do NOT delete user accounts, as this will be destructive to data associated with that user throughout the product.
- UserIDs that are subject to GDPR erasure requests should be anonymized or pseudonymized. For example, UserID John.Doe@somedomain.com could become ForgottenUser.97EB6A1, or more simply: ForgottenUser0001. See the Help Center article on changing UserIDs.
- Fields associated with UserIDs that have become subject to GDPR erasure requests should also be anonymized:
  - First/Last Name
  - Display Name
  - Email Address
  - Mobile/SMS Email
Issuetrak has many possible places on the front-end that can contain personal information. This will require a fair amount of searching, or the use of Report Writer queries, for each information request.
Below you will find many different examples of fields to look for personal data in Issuetrak. These are only examples; if you are familiar with your own Issuetrak instance's configuration, it will be easier to narrow down where information on data subjects exists.
On-Premises installations may contain data scoped to GDPR requirements.
The Web server has several locations where Personally Identifiable Information (PII) can be stored.
- IEM Logs
- OEM Logs
- AD Import Logs
See our article on Security in Issuetrak to learn more about log file locations.