Research GDPR requirements around storing sensitive information. It has been determined that we cannot remove sensitive data from the text of tickets, we can only delete attachments or delete the tickets all together. Using this information, research and create an approved policy to determine how to handle sensitive data in tickets, including specifying when a ticket should be deleted altogether and how to document that. In addition to a policy, you must also create training material to be posted to less only to be assigned to and completed by all agents.
Background & Research.
To what purpose do we store sensitive data and what are our obligations against the GDPR requirements.
We start our research by identifying the data by checking dozens of tickets, the sensitive information/data we are focusing on can be identify as Personal data based of the GDPR criteria. Most tickets with sensitive information contain copies of Government issued documents, send to our ticket systems by customer as part of the validation of OV or EV based orders.
Providing a Government Issued Photo ID is one of the prerequisites to verify the administrative contact of an OV or EV order, as part of the validation process.
These documents should be supplied directly to the Vendor, but customers do send the documents in for us to process on their behalf with the vendor.
The next step is to research the official GDPR website (Source 1), if there are criteria we need to uphold when dealing with personal data.
In de context how we receive Personal Data , we (SignMyCode) would identify as a Data processor for Data subjects (an identified or identifiable person) on behalf of a Data Controller (Sectigo or DigiCert).
SignMyCode has non-disclosure agreements with our Data controllers, and we act with consent of the data subject to fulfill a purpose.
For more detailed information, please check the website (Source 1).
One other criterion I could find on the website, is that we need to safeguard and protect the Personal Data we receive from our customers to the best of our knowledge.
Our ticket system where we store the Personal Data is provided by the company Fresh works.
Fresh works runs SaaS based solutions like Freshdesk and FreshChat we use for our support channels, dispersing the data around the globe on datacenters owned and managed by Fresh works.
All data is stored in an encrypted format and is accessible only to authorized users and the data protection and Privacy is covered by contract and is also by their GDPR Policy. (Source 2)
The DPO assured me that this should cover the criteria for Data Protection.
The final part in this research, would be the right to be forgotten.
An individual can ask the information to be removed if it is not needed anymore to fulfill a purpose. We have a procedure in place for these requests, but we should establish a procedure to remove any tickets that contain Personal Data annually or a to be determined time frame.
With all information gathered from the Research I have done, I can conclude we do not have to remove the data after usage or when its hits our ticket ssystem, we are the processor of the data in agreement and approval with the data subject, the data is secured, and liabilities have been covered by contracts with our SaaS provider (Fresh works).
We cannot store this data indefinitely,
I do advice to implement an annual procedure to check on tickets containing Personal Data, to lower the risk of Personal Data being compromised by accident or unlawfully.
To distinguish tickets with sensitive data from the rest, the best option would be to tag the tickets, tagging would help to trace these tickets and have them removed.
Create lessonly Knowledge Item on what is Personal Data.
- Identifying personal data
- Tagging of tickets containing personal data with Tag: SensitiveDocsOrInfo
Update lessonly: GDPR and other Privacy Laws - Account Deletion / Customer Concern Process
- Section 3/6 , 1c, include the search and request deletion of any tickets with the tag: SensitiveDocsOrInfo
Personal Data: Personal data is any information about an identified or identifiable person, also known as the data subject. Personal data includes information such as their:
- ID card/passport number
- cultural profile
- Internet Protocol (IP) address
- data held by a hospital or doctor (which uniquely identifies a person for health purposes).
Government issued documents/ Government Issued Photo ID
- Driver’s License
- Identification Card
- Holds and processes data on behalf of a data controller.
- An identified or identifiable person
- decides the purpose and way in which personal data is processed
- Data Protection Officer
Company behind Freshdesk and Fresh Chat,
- Freshdesk is our ticket system
- Fresh Chat is our Chat platform
Right to be forgotten
- In some circumstances, an individual can ask the data controller to erase their personal data, for example if the data is no longer needed to fulfil the processing purpose.
Our Trusted Clients
Code Signing Tools
Globally Recognized Certificate Authority (CA)
Quick Validation and Issuance by Pro Code Signing Experts
Technical Troubleshooting in Real-Time
24 x 7 Customer Support via Live Chat & Email