Be GDPR compliant, Part 1: everything you need to know about getting consent in Jira and Confluence
Today, we are launching a series of articles on GDPR compliance in Jira and Confluence to help you navigate your GDPR journey. More than a year after the GDPR came into force, many businesses are still struggling to fully understand its requirements and to implement data strategies that comply with it. We hope our articles will provide valuable insights to help make your business more compliant with this challenging regulation in a safe and cost-effective way.
As you know, businesses must have a legal basis for processing personal data. Consent is one of the six lawful bases listed in Article 6, and for many marketing use cases it is the most practical one to rely on. Note that under Article 4(11) consent only counts if it is freely given, specific, informed and unambiguous. Getting consent right will not only legitimise the use of data, but is also an essential part of customer service: it will help build customer confidence and trust, enhance your reputation and set you apart from your competitors.
In this article, we are going to focus on the “Conditions for consent” (outlined in Article 7 of the GDPR) and look at ways of getting users’ consent to the storage and processing of their personal data.
What is personal data?
Personal data is defined in Article 4(1): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Thus, cookie identifiers, first names, last names and e-mail addresses, which are usually used for marketing purposes, fall within the scope of this definition and must be collected, processed and stored in a way that satisfies the GDPR requirements.
Consent for personal data processing
Where consent is the legal basis, a company cannot use clients’ personal data for a purpose it has not obtained consent for. If you collect personal data during the registration process, you cannot afterwards send a newsletter with special offers without asking the person to consent to the processing of his or her e-mail address, first name and last name for the purpose of receiving such e-mails. Consent given for one purpose does not carry over to another.
Data with a purpose
One of the main GDPR principles is “purpose limitation”. Article 5(1)(b) states that all personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”.
In other words, it is necessary to specify what data you will process for what purpose. For example: “I confirm that I allow Company A to use my first name, last name and email address to contact me by email about personalized special offers”. Similarly, if you are going to collect phone numbers for cold-calling or any other data for any other purpose, remember to indicate it in a clear way.
Let’s imagine that a startup SaaS company uses Jira to deal with clients’ reports on bugs and performance issues and wants to use their personal data to send them special offers, product updates and order notifications, to share news, and conduct surveys.
Thus, after a client has completed the registration process in Jira, they should be asked for their consent to personal data processing. One way to implement this in Jira is to use the “Information Announcement” module of the GDPR (DSGVO) and Security for Jira add-on and show a pop-up window with a text such as: “I confirm that I allow Company A to use my first name, last name and email address to contact me by email about personalized special offers, relevant news and events, order completion reminders, and surveys”, with “Accept” and “Decline” buttons. Two caveats from Article 7 and Recital 43 apply here. First, consent must be given separately for distinct purposes where that is appropriate, so a single “Accept” covering offers, news, reminders and surveys is weaker evidence than one checkbox per purpose, each unticked by default. Second, notifications that are necessary to perform the contract with the client, such as order completion reminders, can rest on Article 6(1)(b) rather than on consent, and should not be bundled into a marketing consent that the client may decline.
Here it is very important to have a balanced approach and to stick to another GDPR principle, “data minimisation”: collect only the data you really need. Moreover, listing too many marketing purposes at once can simply scare a client off, making them hit the “Decline” button.
Cookies in GDPR
Tracking the online activity of customers and employees, as mentioned above, also falls within the scope of the GDPR, and the storing of cookies on a user’s device is additionally governed by Article 5(3) of the ePrivacy Directive. Thus, before starting to collect such data, we also need to obtain the user’s consent, except for cookies that are strictly necessary to provide the service the user asked for, such as a session cookie.
The reference to cookies in the GDPR can be found in Recital 30: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.
According to the GDPR principles of “data minimisation” and “storage limitation”, the amount of data collected for tracking online activity must be minimised and kept only for as long as is necessary for the specified purpose. It is important to indicate which cookies the company uses, for what purposes and for how long they are kept. Therefore, it is common practice to create a separate page listing the cookie categories, names, descriptions and expiration dates.
The “Information Announcement” module is very flexible and can be used for any other purposes, for example for getting consent to “Terms and conditions”, or “User Agreement”, etc in Jira and Confluence.
Returning to the issue of the GDPR compliance in Jira and Confluence, it is also necessary to ensure the data subjects’ right to withdraw their consent to personal data storage and processing at any time.
Article 7(3) of the GDPR clearly states that “The data subject shall have the right to withdraw his or her consent at any time”, and adds that it shall be as easy to withdraw as to give consent. If a person decides to withdraw their consent, or exercises any other data subject right, the first challenge a company will face is to find the relevant data as quickly as possible. Therefore, navigation through all users and consents should be simple and convenient, and filtering and sorting options should be provided. A supervisory authority can also request information on data subjects’ consent, as specified in Article 7(1): “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. Demonstrating consent means being able to show who consented, to which purpose, when, and to which wording of the request. Here again, we need to find and extract this information in a quick, clear and simple way.
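To make the requirements above concrete (consent per purpose, withdrawal that is as easy as giving consent, and a record the controller can produce on request), here is an added example of a minimal consent ledger. It is not code from the original article nor from the GDPR (DSGVO) and Security for Jira add-on; the user ids, purposes, wording versions and timestamps are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Added example, not part of the original article or of the Jira add-on it
# describes. Users, purposes, wording versions and timestamps are constructed.


@dataclass(frozen=True)
class ConsentEvent:
    """One decision by a data subject about one purpose."""
    user_id: str
    purpose: str                 # e.g. "special_offers", "surveys", "news"
    granted: bool                # True = Accept, False = Decline or withdrawal
    at: datetime                 # when the decision was recorded (UTC)
    text_version: Optional[str]  # version of the exact wording shown; None on withdrawal


class ConsentLedger:
    """Append-only record of consent decisions, kept per user and per purpose.

    Nothing is overwritten: a withdrawal is a new event, so the controller can
    still show what the subject agreed to, when, and in which wording
    (Article 7(1)), while the latest event for a purpose decides whether
    processing for that purpose is currently permitted.
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, purpose: str, granted: bool,
               text_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Store one Accept/Decline decision for one purpose."""
        ev = ConsentEvent(user_id, purpose, granted,
                          at or datetime.now(timezone.utc), text_version)
        self._events.append(ev)
        return ev

    def withdraw(self, user_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal must be as easy as giving consent (Article 7(3)):
        one call, no wording version required."""
        ev = ConsentEvent(user_id, purpose, False,
                          at or datetime.now(timezone.utc), None)
        self._events.append(ev)
        return ev

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self._events
                if e.user_id == user_id and e.purpose == purpose]
        return max(hits, key=lambda e: e.at) if hits else None

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """Processing is allowed only if the most recent decision was Accept.
        No record at all means no consent: silence is not consent."""
        latest = self._latest(user_id, purpose)
        return latest is not None and latest.granted

    def subjects_consented_to(self, purpose: str) -> List[str]:
        """Current audience for one purpose, e.g. who may receive offers."""
        users = {e.user_id for e in self._events if e.purpose == purpose}
        return sorted(u for u in users if self.is_permitted(u, purpose))

    def evidence(self, user_id: str) -> List[Dict[str, object]]:
        """Full history for one subject, oldest first, in an exportable form
        (what a supervisory authority or a subject access request needs)."""
        return [
            {"purpose": e.purpose, "granted": e.granted,
             "at": e.at.isoformat(), "text_version": e.text_version}
            for e in sorted(self._events, key=lambda e: e.at)
            if e.user_id == user_id
        ]


def demo_ledger() -> ConsentLedger:
    """Constructed sample: two users, three purposes, one withdrawal."""
    t0 = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # alice accepts offers and surveys under wording v1, declines news
    ledger.record("alice", "special_offers", True, "v1", t0)
    ledger.record("alice", "surveys", True, "v1", t0)
    ledger.record("alice", "news", False, "v1", t0)
    # bob declines every purpose
    for purpose in ("special_offers", "surveys", "news"):
        ledger.record("bob", purpose, False, "v1", t0)
    # a month later alice withdraws consent for surveys only
    ledger.withdraw("alice", "surveys",
                    datetime(2019, 7, 1, 10, 0, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    led = demo_ledger()
    print("send offers to:", led.subjects_consented_to("special_offers"))
    for row in led.evidence("alice"):
        print(row)
```

The design choices worth noting: one event per purpose (no single “accept all” flag), an append-only history so that a withdrawal never destroys the proof of the earlier grant, a recorded wording version so you can show which text the subject saw, and a default of “not permitted” for anyone with no record, which is the safe answer when consent is the legal basis.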
Jira-Module for GDPR
The “Information Announcement” module of the GDPR (DSGVO) and Security for Jira add-on has a built-in feature that lets you find structured and systematised information on any type of consent requested by the company (cookie policy, personal data processing, terms and conditions, etc.) and significantly simplifies navigation. In the next article, we will discuss what to do next with the data you have found and how to erase all personal data related information in Jira and Confluence.
For more information on GDPR compliance, check out more articles in this series:
- Be GDPR compliant, Part 2: ensure the right to erasure, find and anonymize PII in Jira
- 7 popular myths about GDPR
- CCPA vs. GDPR: data privacy laws in Europe and the USA
- 4 easy questions to check if you are fully GDPR compliant
- New model of calculating GDPR fines is to increase possible penalties