This blog post was written by Patricia Modispacher from Actonic.
In our modern digital world, we don’t have to wait long to get hold of information. A new account here, a signature there, the input of your mobile phone number and you already have access to a platform – and all that at no cost.
At least that’s what many people think. But that’s not quite true.
The currency we pay for the fast transfer of knowledge is not money, but our personal data. The General Data Protection Regulation (GDPR) exists to protect citizens. What was thought to help end users can actually create major challenges for companies. After all, there are heavy penalties for non-compliance with the guidelines.
To make your Jira instance privacy compliant, Atlassian provides a range of apps you could use. So for this article, we have chosen the GDPR (DSGVO) and Security for Jira app, developed by the Atlassian partner, Actonic. This extension provides an all-in-one solution for your data protection needs and is continuously developed to be ready to use for new use cases.
In this blog post, we will introduce you to GDPR and its compliance, data privacy pain points, how the GDPR (DSGVO) and Security for Jira app works, and what benefits you will get from using the app.
What’s covered in this blog post?
- What is GDPR and why is everyone talking about it?
- GDPR Compliance in Jira and Data Anonymization
- Pain Points of Data Privacy and Solutions
- A GDPR app for Jira
What is GDPR and why is everyone talking about it?
In 2018, the EU Parliament adopted the General Data Protection Regulation (GDPR). It is intended to give EU citizens the right to determine for themselves how their personal data is stored and processed. Your data can only be stored if you explicitly agree.
So if you change your mind, your consent can be withdrawn at any time.
The GDPR was established to ensure that data storage is uniform and that an EU-wide standard ensures transparency for end-users.
The GDPR also requires that possible security flaws in the system that could affect personal data be reported within 72 hours of discovery. In this way, the holistic protection of data is ensured.
- Personal data is any information that relates to an individual and can be used to identify them. Name, address, telephone number, or IP address fall under this term.
- The declaration of consent for the processing of personal data must be given voluntarily, be informative, and clearly understandable. Withdrawal from the declaration of consent should be simple and practical at any time.
- Pseudonymization of personal data means that the information must be anonymized or hidden so that it cannot be easily accessed. The right to erasure guarantees that the stored data will be deleted immediately at the user’s request.
- The right of access ensures that data subjects receive all information about the purposes of, the time period for, and the form in which their data is stored.
A common myth about GDPR is that it only applies to European companies. In fact, the regulation applies to any company that collects or processes the personal data of EU citizens – no matter where your company is located.
Note: As soon as your company starts working with some European people, you also need to be compliant with the GDPR!
Ever since the Google case, the GDPR has been on everyone’s lips. You remember: Google had to pay a fine of 50 million euros because their users were not informed in time how their personal data was collected and stored.
Violations usually happen unknowingly and therefore you must be prepared to act quickly to address the issue. However, all risk factors can be easily prevented if you use the right tool(s).
GDPR Compliance in Jira and Data Anonymization
For many companies, Jira is the be-all and end-all for processing personal data.
For example, applicants submit their documents via Jira Issue Collector, customers submit their inquiries via Jira and may enter bank or company data, relevant data is shared company-wide or even internationally.
And last but not least, the company’s own employees create tickets on a daily basis, which also contain login data. All these processes are classified as sensitive and personal by the EU Parliament, which is why they are relevant under data protection law and the GDPR applies here.
Data misuse or the dissemination of data can cause great damage. That is why the right to erasure and anonymization also applies to Jira. The software already includes some data protection features, but these are not sufficient for the requirements of the strict EU guidelines. Many GDPR-relevant tasks, such as data anonymization, have to be started manually and also have to be monitored constantly.
Therefore, it is essential to take advantage of an all-encompassing solution that is automated and error-free. In this way, you can focus on your actual work and not have to constantly think about any guidelines.
Pain Points of Data Privacy and Solutions
In the banking sector, for example, particularly high standards for data protection guidelines apply. Depending on the case, there are deadlines of one or more years after which the originator of a transaction must be anonymized.
For many employees, this task is very time-consuming and difficult to manage. Automatic anonymization improves the workflow immensely. Read more about a similar use case here.
This scenario is just one of many problem cases created by the new policy. Learn more about other pain points:
Collection of personal data in a transparent and secure manner
According to Article 5 of the GDPR, data must be processed lawfully, fairly, and transparently. This includes protection against accidental loss, destruction, or damage.
In order to regulate DSGVO-compliant data processing, it is essential that you are clear about the exact requirements. So discuss data protection compliance with data dissemination partners and make sure your data protection policy is set up in a clearly understandable way.
Knowing the location of cloud services
Many companies don’t know where their cloud services store personal data. However, all EU citizens have the right to receive this information. Providing it manually for each request is a huge time and effort commitment. It is easier to provide the information up front in a clear notification in Jira. Users can read the information and confirm their consent.
Right to erasure
On top of the right to anonymization, the right to erasure presents companies with a significant challenge. When someone requests the deletion of their data, the company must be able to track and delete that data within a specified time frame.
On the other hand, the data must not be lost. One solution to this problem would be a toolkit that allows you to use simple JQL queries to anonymize personal data in Jira without deleting important information.
So let’s see how Actonic’s GDPR app does this.
A GDPR app for Jira: GDPR (DSGVO) and Security for Jira by Actonic
With a GDPR app, you can easily find and handle personal data, collect privacy consents, and quickly provide information on demand. And for all the pain points of the EU directive, GDPR (DSGVO) and Security for Jira offers an all-around solution.
The app was developed by Actonic, which has experience in the banking and insurance sectors. Thanks to this practical background, GDPR (DSGVO) and Security for Jira is suited to the conceivable scenarios and is intuitive to use.
The Data Cleaner module ensures a thorough and comprehensive search for personal data in all Jira tickets. Complete anonymization of compromised data can be done quickly with automated cleanup templates.
This powerful module can automate notification and deletion processes. This way, you set up recurring tasks to be executed at intervals.
One of the most important GDPR requirements is to always know who has access to which data. If you are a system administrator using Jira, you cannot see in Jira User Management, for example, in which projects a new employee has joined.
Group assignments are also not visible at a glance. The lack of an overview of thousands of permissions makes life difficult for system administrators. The Permission Monitoring module gives you this overview quickly and easily.
This module offers the possibility to filter access statistics by a “user, project or issue key” and provides information about who accessed the issue and when. The results of the access statistics can be filtered by a user and then easily made available to them.
- Avoid high penalties
- Always know where data is stored
- Easily obtain consent
- Create notifications
- Automatic anonymization
- Compatible with many problem cases
- Added value beyond data protection (e.g. for permission monitoring)
- Free 30-day trial
- Full compatibility with all Jira instances
To provide a closer look at the app, here is a handy guide.
1. Open the Manage Apps tab and navigate to the GDPR and Security/Home section. Locate the Notifications and Announcements button, click on it and you will see the Notifications and Announcements dashboard.
Alternatively, you can create a new announcement by clicking on the “Create” button immediately to the left of the option to “Create from template”.
Now you will see the configuration page. The configuration of a new announcement consists of two tabs: General and Additional configuration.
3. First, set up the General configuration. Create a Name for the Announcement, then specify a Title and enter the Main text to be displayed to users.
Finally, you should specify whether the notification status should be enabled or disabled.
In Jira, the * is used to denote that a field is mandatory and therefore some text or value must be entered.
4. In the Additional configuration tab, you can set whether the user’s feedback is desired or whether only certain groups should see the notifications. For the display type, you can decide whether the text should appear as a dialog in the center of the screen or as a banner in the footer.
In addition, you choose the size of the window and the text that will be displayed on the buttons to approve or reject the notification. You can also define a start and an end date of the notification.
5. This is what a possible output might look like:
6. After activating the notification you will have the full overview of the statistics.
You can filter the results by a specific announcement/notification or user. All results can be exported to a CSV file.
If you want to know how to configure recurring tasks or anonymize user data, it is best to check the vendor’s documentation.
In this blog post, we went over what GDPR is, why everyone is talking about it, and what pain points data privacy can cause.
We also introduced Actonic’s GDPR app, an all-in-one suite to meet a company’s GDPR requirements. It works with all Jira versions (Server, Data Center, Cloud) and it covers all aspects of the GDPR. Plus, it’s customizable when it comes to company-specific requirements. And with this security suite, your company is privacy compliant.
You think it already is? Click here to review this checklist and learn if you’re really already protected against penalties, or there are things you can still improve.
You can also watch this video for more insights.