Violation of the protection of personal data in Jira or Confluence - How to deal with data leaks & breaches in a GDPR-compliant way - Actonic – Unfolding your potential
We have outsourced our Atlassian licensing and services business to the newly founded Seibert Solutions GmbH. Actonic's products will be further developed under the usual name.
Read more...

Violation of the protection of personal data in Jira or Confluence – How to deal with data leaks & breaches in a GDPR-compliant way

By Ruben Jäckle3. March 2022Reading time: 5 minutes

5
(1)

The GDPR poses challenges for both large and small companies. It is important to avoid data leaks, where personal data can be accessed by outsiders, and data breaches involving a deliberate attack on a company's data. However, if these do occur, it is of utmost importance to deal with them properly and to take appropriate steps. Because the law provides clear rules for dealing with data violations, which can lead to high sanctions against the company if handled incorrectly.

Companies that are using the popular agile software Jira and Confluence from Atlassian face the same challenges due to these circumstances. Because when using this software, a large amount of personal data is usually stored. If a data breach or leak occurs here, it is essential to be prepared and to know directly what actions need to be taken. Because the law gives you a 72-hour period in which you must have acted.

In order to prepare you for a data breach or leak in Jira or Confluence, we show you in this article a simple and relaxed way to deal with such cases. Furthermore, we will show you how to prevent these data violations in Jira and Confluence from the very beginning, so that you never get into such a situation.

Download: GDPR-Checklist

Checklist about your GDPR compliance - read now!

Get GDPR-Checklist

Data leaks & data breaches: These rules must be observed according to the GDPR

A violation of the protection of personal data is defined in the GDPR as a “breach of security leading unintentionally or unlawfully, to the destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This therefore includes both a data leak, where there is a possibility that third parties could access personal data stored by you, and a data breach, where unauthorized third parties have intentionally accessed data.

In Article 33 (1) of the GDPR, the legislator specifies what must be done in these cases. It states that a violation of the protection of personal data must be reported to the local supervisory authority without delay, which means that you must comply with a deadline of 72 hours. In addition, all cases must be logged internally. Which authority you need to contact varies from country to country. In Germany, there is one competent supervisory authority per federal state.

Additionally, if there is a “high risk to personal rights and freedoms” as a result of the violation, all affected individuals must be notified without exception. This high risk arises from data leaks or breaches of financial or medical data, which can be credit card or bank account data, for example.
However, if “only” contact information is affected, such as names, e-mail address or address, notification is not absolutely necessary. However, it should be noted that if a large number of individuals are involved, the affected individuals must also be contacted in addition to the supervisory authority.

The aforementioned 72-hour time limit for reporting a violation of the protection of personal data begins from the time a data controller becomes aware of the personal data violation. Therefore, if you come across a circumstance involving personal data in your company, and you are unsure whether it is a violation of the protection of personal data, you should first check the incident carefully. If you then know after the examination that this is actually the case, the time limit begins.

Personal data breach or leak according to the GDPR: What must be reported

In this regard, the law specifies what information you must provide to the supervisory authority. According to Article 33 of the GDPR, you must notify the authority of the following:

  • A description of how the protection of personal data has been breached by you, the number of data subjects, the number of data sets, as well as the category of the violation of the protection of personal data
  • The contact details of your data protection officer or the person who is responsible for it
  • A description of the possible and likely consequences of the violation
  • A description of the steps you have taken against the violation

This may require notifying the data subjects, as mentioned above. This can be done by letter, email or SMS.

Dealing with a violation of the protection of personal data in Jira and Confluence

The two software products Jira and Confluence from Atlassian are enjoying great popularity across Europe. With the great advantages of the software, which enable an agile workflow in project management, there are of course also risks associated with the storage of personal data. However, these risks can be eliminated in no time with a few simple tricks.
The simplest solution for all data protection use cases in Jira and Confluence are the apps “Data Protection and Security Toolkit for Jira/Confluence“. These apps allow you to prevent personal data breaches and leaks in advance. If it already happens and there is a data leak or breach, you can react to it quickly and fix it.

In the event that personal data has already been compromised, this can be remedied by the following steps:

1. If you notice that there is a violation of the protection of personal data the app’s “Data Cleaner Module” is the first place to go. Here you can find all stored and processed personal data such as email addresses, phone numbers, social security numbers, credit card numbers, etc. through a simple JQL query.

2. Once you have found the affected data, you can apply various actions to them. One of the actions is extremely useful in the case that there is a “high risk to personal rights and freedoms” for personal data involved, because then you need to notify the data subjects by letter, SMS or email. For this purpose, the app has the function: “Send notification email”. This allows you to create an email template in the app, which you can then send to all data subjects, fulfilling your obligation to notify them.

3. The next step is to use the app function “Permission Monitoring”. After you have found all affected information in Jira tickets and Confluence pages in the first step, you can view all permissions to access the underlying data. You can edit these in the app to avoid possible access by third parties again. You can also view the entire history of access to the data in the app, allowing you to see if anyone has accessed the data and data may have leaked out. Afterwards you can anonymize or, if necessary, delete the data.

4. In the event of a violation of the protection of personal data, you must immediately report the data breach or leak to the local supervisory authority. We have listed the information you must provide to them in the last section. When describing the actions you took, you can mention the actions taken in steps 1 to 3.

By following these steps, you have handled the violation of the protection of personal data in compliance with the law.

Prevent data breaches and leaks with Data Protection and Security Toolkit for Jira and Confluence

To prevent the violation of the protection of personal data from happening in the first place, the app has other useful features for you: data rules. With these, you can define data processing rules to ensure that you don’t miss any personal data that needs to be cleaned (or even deleted). To learn how to use these data rules in practice, watch our short product video:

With the help of this tool, you do not have to worry about plugging data leaks or breaches in Jira or Confluence, because you don’t let them happen in the first place.

Personal data breaches and leaks in Jira and Confluence: a conclusion

Data protection in Jira and Confluence may seem inscrutable to you at first, but with the help of the right tool it can be done in no time. Thanks to our article, you now know all the steps you need to take just in case of a data breach or leak and which tool will help you in Jira and Confluence: Data Protection and Security Toolkit for Jira und Confluence. Because our app not only helps you when it’s already too late, but also prevents data leaks and breaches in advance. This makes your company’s work on data protection much easier and lets your data protection officers sleep in peace again.

Interested in how Data Protection and Security Toolkit for Jira and Confluence can solve your personal use case? Simply test our app for free for 30 days and find out for yourself in practice! Through the link below, you can view and test Data Protection and Security Toolkit for Jira and Data Protection and Security Toolkit for Confluence on the Atlassian Marketplace:

Data Protection for Jira
Data Protection for Confluence

Download: GDPR-Checklist

Checklist about your GDPR compliance - read now!

  • Check it yourself!
  • Six essential GDPR-criteria
  • Free download
Get GDPR-Checklist

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

Related Posts

  1. Roles and Responsibilities of a Data Protection Officer
  2. Biggest Data Breaches in Healthcare in 2022
  3. The most common data security pitfalls – and how to avoid them
  4. 4 easy questions to check if you are fully GDPR compliant
  5. CCPA vs. GDPR: data privacy laws in Europe and the USA