How To Comply with GDPR Information Requests in Issuetrak

The GDPR became effective on May 25, 2018. The GDPR is enforceable in the United States through international laws and trade agreements. If you process personal information relating to European Union citizens, then you are required to comply with the GDPR's Article 15 information requests from those EU citizens. Additionally, Article 82 of the GDPR provides data subjects with the Right to Compensation and Liability from a Data Processor or Data Controller that its supervisory authority has deemed non-compliant in protecting and handling the personal information belonging to those data subjects. The fines associated with a data breach or non-compliance with the GDPR can reach up to 4% of a company's gross annual earnings per breach.

Given the high stakes involved, Issuetrak can provide some direction with regard to complying with data subject information requests. You remain responsible for understanding your configuration and what data you collect on your customers in an Issuetrak site.

Cloud Customers can contact Issuetrak Support for assistance with identifying locations of Personally Identifiable Information in their database.


Users

If you receive a GDPR erasure request:

  1. Do NOT delete user accounts, as this will be destructive to data associated with that user throughout the product.
  2. UserIDs that are subject to GDPR erasure requests should be anonymized or pseudonymized. For example, UserID John.Doe@somedomain.com could become ForgottenUser.97EB6A1, or more simply: ForgottenUser0001. See the Help Center article on changing UserIDs.
  3. Fields associated with UserIDs that have become subject to GDPR erasure requests should also be anonymized:
       • First/Last Name
       • Display Name
       • Email Address
       • Mobile/SMS Email
       • Address


Front-End Locations

Issuetrak has many possible places on the front-end that can contain personal information. This will require a fair amount of searching, or the use of Report Writer queries, for each information request.

Below you will find examples of fields in Issuetrak where personal data may be stored. The list is not exhaustive; if you are familiar with your own Issuetrak instance's configuration, it will be easier to narrow down where information on data subjects exists.


Fields Typically Used to Store Identifying Information:

Issues
  • Closed By
  • Assigned By
  • Submitted By
  • Next Action
  • Issue Change Log: Modified By
  • Issue Change Log: Created By

Tasks
  • Next Action

Users
  • User ID
  • First Name
  • Email
  • Last Name

Groups
  • View/Maintain Member List

Organizations
  • Contact User
  • Contact Person

Active Directory
  • Import users

Calendar
  • Calendar Out of Office Calendar Event

Asset Management
  • Assets
  • Asset Audits
  • Asset Management Reports
  • ScanPC / TrakPC Audits
  • Software Purchases
  • Software Licenses
  • Asset Locations
  • Manufacturers
  • Software Companies
  • Vendors

Surveys
  • Survey Design
  • Survey Results
  • Survey Reports
  • Survey Invitations

Projects
  • Project Manager


Back-End Locations

On-Premises installations may contain data that falls within the scope of GDPR requirements.


Web Server

The Web server has several locations where Personally Identifiable Information (PII) can be stored. 

  • IEM Logs
  • OEM Logs
  • AD Import Logs

See our article on Security in Issuetrak to learn more about log file locations.