How To Comply with GDPR Information Requests in Issuetrak

The GDPR became effective on May 25, 2018. The GDPR is enforceable in the United States through international laws and trade agreements. If you process personal information relating to European Union citizens, then you are required to comply with the GDPR's Article 15 information requests from those EU citizens. Additionally, Article 82 of the GDPR provides data subjects with the Right to Compensation and Liability from a Data Processor or Data Controller that its supervisory authority has deemed non-compliant in protecting and handling personal information belonging to those data subjects. The fines associated with a data breach or non-compliance with the GDPR can reach up to 4% of a company's gross annual earnings per breach.

Given the high stakes involved, Issuetrak can provide some direction with regard to complying with data subject information requests. You remain responsible for understanding your configuration and what data you collect on your customers in an Issuetrak site.

Cloud Customers can contact Issuetrak Support for assistance with identifying locations of Personally Identifiable Information in their database.

Users

If you receive a GDPR erasure request:

  1. Do NOT delete user accounts, as this will be destructive to data associated with that user throughout the product.
  2. UserIDs that are subject to GDPR erasure requests should be anonymized or pseudonymized. For example, UserID John.Doe@somedomain.com could become ForgottenUser.97EB6A1, or more simply: ForgottenUser0001. See the Help Center article on changing UserIDs.
  3. Fields associated with UserIDs that have become subject to GDPR erasure requests should also be anonymized:
    • First/Last Name
    • Display Name
    • Email Address
    • Mobile/SMS Email
    • Address

Front-End Locations

Issuetrak has many possible places on the front-end that can contain personal information. This will require a fair amount of searching, or the use of Report Writer queries, for each information request.

Below are examples of fields in which to look for personal data in Issuetrak. These are only examples; if you are familiar with your own Issuetrak instance's configuration, it will be easier to narrow down where information on data subjects exists.

Fields Typically Used to Store Identifying Information

  • Issues
    • Closed By
    • Assigned To
    • Submitted By
    • Next Action
    • Issue Change Log
      • Modified By
      • Created By
    • Tasks
      • Task Completed By
  • Users
    • User ID
    • First Name
    • Last Name
    • Email
  • Groups
    • View/Maintain Member List
  • Organizations
    • Contact User
    • Contact Person
  • Active Directory
    • Import users
  • Calendar
    • Calendar Out of Office
    • Calendar Event
  • Asset Management
    • Assets
    • Asset Audits
    • Asset Management Reports
    • ScanPC / TrakPC Audits
    • Software purchases
    • Software Licenses
    • Asset Locations
    • Manufacturers
    • Software Companies
    • Vendors
  • Surveys
    • Survey Design
    • Survey Results
    • Survey Reports
    • Survey Invitation
  • Projects
    • Project Manager

Back-End Locations

On-Premises installations may contain data scoped to GDPR requirements. 

Web Server

The Web server has several locations where Personally Identifiable Information (PII) can be stored. 

  • IEM Logs
  • OEM Logs
  • AD Import Logs

See our article on Security in Issuetrak to learn more about log file locations.
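
The erasure steps under Users and the log locations above can be rehearsed on exported data before changing anything in the product. The following is an added example, not Issuetrak code or an Issuetrak API: the record keys, placeholder values, and sample lines are constructed assumptions. It generates a replacement UserID in the `ForgottenUser.97EB6A1` style, overwrites the listed fields, and reports where the old identifiers still appear in exported text or log lines.

```python
import re
import secrets

# Fields the article lists for anonymization. Key names are assumed for this
# example and are not Issuetrak's database schema.
PII_FIELDS = ("First Name", "Last Name", "Display Name",
              "Email Address", "Mobile/SMS Email", "Address")

# Constructed sample record and lines (not real Issuetrak export or log formats).
SAMPLE_USER = {"UserID": "John.Doe@somedomain.com", "First Name": "John",
               "Last Name": "Doe", "Display Name": "John Doe",
               "Email Address": "John.Doe@somedomain.com",
               "Mobile/SMS Email": "", "Address": "1 Example Street",
               "Organization": "Example Org"}
SAMPLE_LINES = ["2018-06-01 09:14:02 processed message from john.doe@somedomain.com",
                "2018-06-01 09:15:40 import finished, 0 errors",
                "Issue 1042 Submitted By: John Doe"]


def new_forgotten_id(taken):
    """Return an unused random ID shaped like ForgottenUser.97EB6A1."""
    used = {t.lower() for t in taken}
    while True:
        # Random rather than derived from the old UserID, so the old value
        # cannot be recomputed or confirmed from the new one.
        candidate = "ForgottenUser." + secrets.token_hex(4)[:7].upper()
        if candidate.lower() not in used:
            return candidate


def anonymize_user(record, taken):
    """Return a copy with a new UserID and the listed PII fields overwritten."""
    cleaned = dict(record)
    new_id = cleaned["UserID"] = new_forgotten_id(taken)
    for field in PII_FIELDS:
        if field in cleaned:
            # .invalid is a reserved TLD, so the placeholder address never delivers.
            cleaned[field] = f"{new_id}@example.invalid" if "Email" in field else "Forgotten"
    return cleaned


def residual_hits(record, lines):
    """Return (line_number, value) pairs where old identifiers still appear."""
    needles = {str(record[k]).strip() for k in ("UserID",) + PII_FIELDS if record.get(k)}
    # Values under 4 characters (e.g. "Doe") match too broadly and are skipped.
    pats = [(n, re.compile(re.escape(n), re.IGNORECASE)) for n in sorted(needles) if len(n) >= 4]
    return [(i, n) for i, line in enumerate(lines, 1) for n, p in pats if p.search(line)]
```

Run `residual_hits` with the original record against each export or log file after the change; any hit is a location that still needs attention.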