The GDPR became effective on May 25, 2018. The GDPR is enforceable in the United States through international laws and trade agreements. If you process personal information relating to European Union citizens, then you must comply with the GDPR’s Article 15 information requests from those EU citizens. Additionally, Article 82 of the GDPR provides data subjects with the Right to Compensation and Liability from a Data Processor or Data Controller that its supervisory authority has deemed non-compliant in protecting and handling personal information belonging to those data subjects. The fines associated with a data breach or non-compliance with the GDPR can reach up to 4% of a company’s gross annual earnings per breach.
Given the high stakes involved, Issuetrak can provide some direction with regard to complying with data subject information requests. You remain responsible for understanding your configuration and what data you collect on your customers in an Issuetrak site.
Cloud Customers can contact Issuetrak Support for assistance with identifying locations of Personally Identifiable Information in their database.
Users
If you receive a GDPR erasure request:
- Do NOT delete user accounts, as this will be destructive to data associated with that user throughout the product.
- UserIDs that are subject to GDPR erasure requests should be anonymized or pseudonymized. For example, UserID John.Doe@somedomain.com could become ForgottenUser.97EB6A1, or more simply: ForgottenUser0001. See the Help Center article on changing UserIDs.
- Fields associated with UserIDs that have become subject to GDPR erasure requests should also be anonymized:
  - First/Last Name
  - Display Name
  - Email Address
  - Mobile/SMS Email
  - Address
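The following is an added example, not Issuetrak code, showing one way to prepare the replacement values described above before entering them in the product. The record layout, key names, and the free-text notes field are assumptions made for illustration; the sample record is constructed.

```python
import secrets

# Fields this article lists for anonymization; the key names are assumptions.
PII_FIELDS = ("first_name", "last_name", "display_name",
              "email", "mobile_sms_email", "address")

# Constructed sample record (not real data, not Issuetrak's schema).
SAMPLE_USER = {
    "user_pk": 42,
    "user_id": "John.Doe@somedomain.com",
    "first_name": "John", "last_name": "Doe", "display_name": "John Doe",
    "email": "John.Doe@somedomain.com",
    "mobile_sms_email": "5550100@sms.example",
    "address": "1 Example Street",
    "notes": "Asked John to call back on Friday",
}

def new_pseudonym(existing_ids, prefix="ForgottenUser", hex_len=7):
    """Return an unused ID shaped like ForgottenUser.97EB6A1.

    The suffix is random rather than a hash of the old UserID: a hash of an
    email address can be matched again by hashing candidate addresses.
    """
    taken = {i.lower() for i in existing_ids}
    for _ in range(1000):
        suffix = secrets.token_hex((hex_len + 1) // 2)[:hex_len].upper()
        candidate = f"{prefix}.{suffix}"
        if candidate.lower() not in taken:
            return candidate
    raise RuntimeError("no free pseudonym found")

def anonymize_user(user, existing_ids):
    """Copy the record, swap the UserID and blank the listed PII fields.

    Other keys are kept so data linked to the account stays intact.
    """
    cleaned = dict(user)
    cleaned["user_id"] = new_pseudonym(existing_ids)
    for field in PII_FIELDS:
        if field in cleaned:
            cleaned[field] = ""
    return cleaned

def residual_pii(original, cleaned):
    """Names of fields in `cleaned` that still contain an original PII value."""
    needles = [str(original[f]).lower()
               for f in ("user_id",) + PII_FIELDS if original.get(f)]
    return sorted(k for k, v in cleaned.items()
                  if any(n in str(v).lower() for n in needles))
```

Running residual_pii on the cleaned sample record still flags the notes field, which is why the front-end and back-end locations listed below need to be searched as well.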
Front-End Locations
Issuetrak has many possible places on the front-end that can contain personal information. This will require a fair amount of searching, or the use of Report Writer queries, for each information request.
Below you will find many different examples of fields to look for personal data in Issuetrak. These are examples, but if you are familiar with your own Issuetrak instance's configuration, it will be easier to narrow down where information on data subjects exists.
Fields Typically Used to Store Identifying Information:
- Issues
  - Closed By
  - Assigned By
  - Submitted By
  - Next Action
  - Issue Change Log: Modified By
  - Issue Change Log: Created By
- Users
  - User ID
  - First Name
  - Email
  - Last Name
- Groups
  - View/Maintain Member List
- Organizations
  - Contact User
  - Contact Person
- Active Directory
  - Import users
- Calendar
  - Calendar Out of Office
  - Calendar Event
- Asset Management
  - Assets
  - Asset Audits
  - Asset Management Reports
  - ScanPC / TrakPC Audits
  - Software Purchases
  - Software Licenses
  - Asset Locations
  - Manufacturers
  - Software Companies
  - Vendors
- Surveys
  - Survey Design
  - Survey Results
  - Survey Reports
  - Survey Invitations
Back-End Locations
On-Premises installations may contain data that falls within the scope of GDPR requirements.
Web Server
The Web server has several locations where Personally Identifiable Information (PII) can be stored.
- IEM Logs
- OEM Logs
- AD Import Logs
See our article on Security in Issuetrak to learn more about log file locations.