GDPR-compliance in Atlassian products: The right to be forgotten in Jira & Confluence

“Right to be forgotten” Art. 17 DSGVO in Jira and Confluence

The “right to be forgotten” gives every person the opportunity to demand that companies delete all personal data that they have stored about them. This includes, for example, names, user names, avatars and personal settings. This request must be complied within one month.

What this means for you is if you have data about people stored in your Jira or Confluence, and they request you to delete that data, you should do so as soon as possible.

To do this, you first need to find this data. You can imagine that searching for this data can be extremely complicated, especially if this data is stored in different Confluence pages and/or Jira tickets. In order to avoid the time-consuming search for data within any conceivable Confluence page and Jira ticket, Jira and Confluence include built-in features. In the following, we will present these and compare them with the possibilities of the “Data Protection and Security Toolkit for Jira and Confluence’ app.

Integrated “right to be forgotten” capabilities in Jira and Confluence

For Atlassian Cloud products, the “right to be forgotten” is fully covered by the ability to submit requests to the Atlassian Support. This applies with the exception of content stored by third-party applications. If you are a cloud user and receive a request for deletion of personal data, you can submit a support ticket to Atlassian, through which the support will anonymize the content of the requested user. However, this option is not available for server and data center users.

For Jira Server and DC, there are certain workarounds for the “right to be forgotten” where you use SQL scripts in your database. Learn more about this in the Atlassian documentation. However, this option can be very challenging and takes a lot of time.

For Confluence Server/DC, there are a number of custom scripts that must be run manually by admins. Learn more about this in this section of the Atlassian documentation. Even with this method, many users may reach their limits and have to spend too many resources.

“Right to be forgotten” solutions with “Data Protection and Security Toolkit for Jira and Confluence”

The apps “Data Protection and Security Toolkit for Jira and Confluence” are a complete toolkit for the two Atlassian softwares to become GDPR-compliant in a simple and fast way. For the “right to be forgotten”, the Jira version of the app includes the “Data Cleaner” module. In the Confluence version, the “User Anonymizer” module is used for this purpose. By using these modules, personal data can be found and deleted within a few minutes. This way, the one-month deadline for deleting data is not a problem and anonymizing just becomes a routine task. Through the app, we cover Jira/Confluence server, data center as well as cloud. At the same time, this method is extremely reliable and secure. In the following, we will give you a quick insight into the two modules:

The “Data Cleaner” module — How to find personal data with “Data Protection and Security Toolkit for Jira and Confluence”

With the Data Cleaner module, personal data can be found in just a few minutes. For this purpose, a JQL query, which allows you to pick out your desired data in no time, is used. This can then be further filtered by fields and types. The output can be listed according to various criteria. Here, all desired data is found within Jira, which you can then quickly and easily anonymize or delete.

The “User Anonymizer” module — How to find personal data with “Data Protection and Security Toolkit for Confluence”

Sometimes you need to anonymize the content of certain users in Confluence, for example when an employee leaves the company. For this purpose, the “User Anonymizer” module can be used in Confluence. To make the desired user(s) invisible, the module simply assigns them a substitute user name. The scope of the search can be limited by CQL (Confluence Query Language) and the roles of the person can be reset or changed. Extremely useful here is the “Dry Run” function, through which you can first display the affected content. This allows you to check whether everything was selected correctly in the step before.

Conclusion: Jira and Confluence internal solutions vs. “Data Protection and Security Toolkit for Jira und Confluence”

No matter if you decide to use Jira internal solutions or the apps, in any case, data protection and especially the “right to be forgotten” in Jira and Confluence must be taken extremely seriously. If someone asks you to delete personal data, you should do so as soon as possible. Otherwise, you could face heavy fines. It is important to delete the data completely and not miss any.

In our comparison of Jira and Confluence out-of-the-box solutions with “Data Protection and Security Toolkit for Jira and Confluence“, the app is clearly ahead. Here you can quickly and easily find personal data and then anonymize or delete it. In doing so, you can be sure that you have not overlooked any critical data and have complied with the “right to be forgotten”.

Moreover, “Data Protection and Security Toolkit” contains much more data protection features. For example, the app lets you create simple customizable notifications to get consent from people to process personal data. Another powerful feature of the tool is the ability to create data processing rules to ensure you don’t miss any personal data that should be deleted. “Data Protection and Security Toolkit for Jira and Confluence” is your complete toolkit to become fully GDPR-compliant within Jira and Confluence!

Curious? Try “Data Protection and Security Toolkit for Jira and Confluence” now for free for 30 days on the Atlassian Marketplace!