5 min read

This is how you successfully anonymize personal data within Atlassian

Volker Blum : Aug 10, 2023 2:31:19 PM

Ensuring GDPR-compliant data cleansing on your server

In today's digital realm, safeguarding personal data has become more critical than ever. Particularly when dealing with sensitive information, prioritizing data protection has become a non-negotiable. To ensure user privacy, adhering to the EU's General Data Protection Regulation (GDPR) isn't just a box to tick – it's the compass guiding us toward top-tier data security.

We'll guide you through the simple process of anonymizing personal data in your Atlassian tools, combining security and performance.

Here's what to expect in this post:

  1. 6 Steps to Anonymize Personal Data 
  2. What options for data cleanup do I have as an Atlassian Server customer?
  3. This is how user anonymization can appear in Jira
  4. What does data privacy and cleanup look like in the Cloud?

 

6 Steps to Anonymize Personal Data

Personal data includes sensitive information about identifiable individuals - whether it's names, email addresses, phone numbers, or other confidential details. Failure to keep this data confidential is a violation of GDPR regulations. To prevent data breaches and increase user trust, it's critical to anonymize this data to protect the individuals involved.

We'll show you how to do it in just 6 steps:

1. Identify personal data

The first critical step is to carefully identify all personal data captured and stored in Jira. This includes everything from custom fields to comments and attachments, so no detail is overlooked..

2. Establish clear policies and procedures

Establish clear policies and procedures for securely anonymizing your user data. Make sure they comply with applicable privacy laws and your company's policies.

3. Pseudonymization at ticket creation

A highly effective method of anonymization in Jira is to use pseudonyms instead of real names. For example, users can enter their usernames or randomly generated IDs instead of their real names when creating issues..

4. Removing or anonymizing existing personal information

When personal information is no longer needed, it must be deleted or anonymized. It's also important to remove any references to this data in comments or links.

5. Access control and permissions

Anonymity of personal information depends on the proper definition of access controls and permissions. Limit access to sensitive information to only those who need it.

6. User training

Last but not least, it's important to educate all Jira users about the importance of anonymizing personal data. Make your team aware of best practices and privacy requirements to foster a strong privacy culture.

With this guide, you'll be able to successfully implement GDPR-compliant anonymization of personal data in Jira.

 

What options for data cleanup do I have as an Atlassian Server customer?

You have several options for cleaning up your data. We'll walk you through them and highlight their pros and cons.

Preface: we recommend discussing this with a data protection officer or legal counsel to ensure compliance with GDPR requirements.

Manual cleanup can be useful when a user or customer insists on their "right to be forgotten". In this case, the name can be searched for in the appropriate application and the data can be manually deleted.

 

Pros
  • Complete control over the data being cleaned up
  • Adaptation of the cleanup process to one's specific needs
  • Immediate visibility of the effects of the actions

 

Cons
  • Time-consuming, especially for large amounts of data
  • Risk of accidentally deleting important data or making mistakes during the cleanup process
  • Requires regular monitoring of cleanup actions to maintain the system

Using the  ScriptRunner - App from the Atlassian Marketplace, cleanup rules and criteria can be defined for automated cleanup.

 

Pros
  • Company-specific rules and criteria can be defined based on the organization's individual requirements
  • Save time with automations

 

CONS
  • Unless customized or programmed, script can only access predefined names stored as separate objects
  • To use free text recognition, it must be specifically integrated and programmed into the script

Other applications and solutions from the Atlassian Marketplace can help you securely clean up your data. Here are a few recommendations:

User Anonymizer for Jira (GDPR),

User Anonymizer for Confluence (GDPR),

Data Protection and Security Toolkit for Jira (DLP),

Data Protection & Security Toolkit Confluence (DLP).

 

Pros
  • Third-party apps and plug-ins often offer automated cleanup processes that save time and effort.
  • Because these applications handle large volumes of data, they're suitable for organizations that use Atlassian products extensively.

 

Cons
  • Configuring these applications may require technical knowledge and an understanding of data structures.
  • Improper configuration or use may result in accidental deletion of important data
  • It is important to ensure that the chosen application integrates well with the specific version of Atlassian and other integrated systems.

Atlassian provides an integrated, system-level feature for Data Center users that allows for the anonymization of user data in Jira. A detailed guide can be found here: Anonymizing users:  Anonymizing users.

 

Pros
  • Fast and complete anonymization at the touch of a button
  • Always available to data center users

 

Cons
  • Captures only identifiable usernames, not free-text content, which may contain sensitive information
  • Can be time-consuming as anonymization must be performed for each user individually
  • Data on external drives or within third-party applications is not anonymized

It's also possible to delete a user account. There are three steps to deleting a user account:

    1. Select "Account Settings" at https://id.atlassian.com/manage-profile/profile-and-visibility  
    2. Navigate to the "Delete Account" section
    3. Select "Delete Account" and confirm again

 

Once you've confirmed the deletion, your account will be temporarily disabled for 14 days. During this time, you can cancel the deletion process. After 14 days, the account will be permanently deleted.

When the account is permanently deleted, the name will be replaced with "Former User" followed by the "#" symbol.

 
THE FOLLOWING DATA WILL BE DELETED
  • Full public name, email address, job title, department, and organization
    Atlassian profile picture, location, timezone

 

THIS DATA WILL NOT BE DELETED
  • All content created with your Atlassian account in Atlassian products, such as pages, issues, and comments
  • Personal information you've provided in content you've created on Pages, such as names or email addresses
  • Profile information stored in Marketplace applications or custom applications in products
 

 

This is how user anonymization can appear in Jira

Regardless of which method you choose, the user name is replaced with an anonymous username. This applies to issue creators, comments, and user profiles alike.

AnonymizingUsersReporter1
1 View as task creator: Before
AnonymizingUsersReporter2
2 View as task creator: After
AnonymizingUsersComments1-1
3 View comment area: Before
AnonymizingUsersComments2-1
4 View comment area: After
AnonymizingUsersProfile1
5 User profile view: Before
AnonymizingUsersProfile2
6 User profile view: After

 

What does data privacy and cleanup look like in the Cloud?

When it comes to GDPR compliance in the cloud, Atlassian takes responsibility for the security, availability, and performance of its applications, systems, and environments. At the same time, the customer is responsible for how they use and manage the platforms. Customer responsibilities fall into four areas: users, policies and compliance, third-party applications, and information and data management.

Cloud data and compliance is a broad and important topic. While we can't cover every aspect in this blog post, we wanted to share some thoughts that can help you take a critical step toward compliance.

Verify your domain and request all associated Atlassian accounts. This gives you greater control over password rules and user sessions.

Strengthen your security centrally by installing Atlassian Access. This allows you to use SSO over SAML. You can enable user provisioning via SCIM to automatically create and synchronize users in a controlled manner.

If you're using a manual user management system, you may want to rethink your approach.

Check global permissions and make sure unauthorized people don't have access to your data. Also, make sure that not just anyone can create an account on your website.

Review all applications in your environment and set requirements for their vendors. Make sure they meet your standards, not lower your standards to accommodate them.


Limit tools to a reasonable level of classification. Determine what information is appropriate in the tools and refine it internally. Develop a plan for onboarding and supporting new employees. Make sure they understand how to use the tool and what is permissible.