GDPR Regulation

The GDPR (General Data Protection Regulation) is a set of rules and regulations intending to provide more control over their personal data to all individuals within the European Union and the European Economic Area.

It applies to all organizations holding and processing EU residents' personal data, regardless of geographic location. If you store or process the data of EU individuals, GDPR applies to you.

GDPR and ]project-open[

GDPR is mostly about your data processing policies, and about being transparent about them. So how does this relate to project management in general and to the use or operation of ]project-open[?

Please try to answer the following questions first: 

  • Does your ]project-open[ instance process data only for users inside your company? Or does it also contain data about non-employees, perhaps contractors or customers? 
  • What data does ]po[ store about its users?
  • Is part of this data especially protected (medical information, race, gender, ...)?
  • Did you inform your outside users about the processing of their data in ]project-open[? Or do you still have to ask them for their consent?
  • Does ]po[ store data that are not necessary for operations? Do you really need them, or can they be deleted?

User Data Stored in ]project-open[

]project-open[ stores various types of data about a user. You will have to inform any non-employee about the storage of these data and ask for their permission to continue to store these data: 

Basic User Data 

]project-open[ stores most data about users in the user object type. By default, this object contains the following fields:

  • Title (optional)
  • First Name(s)
  • Last Name
  • Email
  • Portrait photo (optional)
  • Password (optional)
  • Work Phone
  • Work Address
  • Cell Phone
  • Home Address

User Data in Dynamic Fields 

]project-open[ includes the possibility to extend the basic user data with additional dynamic fields. These DynFields are installation dependent. Please make a list of the user related DynFields in your system and add them to the list above.

Relation of User and Other Objects 

In addition to this basic user data, ]po[ also stores the relationship of users to other objects (projects, companies, inventory items, ...). This data is listed in the User -> Related Objects portlet on the user's page.

Audit Data 

]project-open[ will store a complete list of changes that a user has performed to business objects, if you have installed the audit Enterprise package. 

The audit data include the following information for each change:

  • User ID
  • Date and time
  • IP address of the computer causing the action
  • Old values before the change and
  • New values after the change

Web Server Logs

Finally, each interaction of the user with the Web application server is stored in the Web server logs.

These data are different from the previous ones, as they are not stored in the database, but in separate log files only accessible to system administrators. These files should be deleted periodically.

Security Measures in ]project-open[ to Protect Data

Please see the security architecture pages for details on the ]po[ security architecture. This architecture in general complies with GDPR requirements to keep user data safe.

However, GDPR compliance depends on how you implement the security measures in your specific installation. For example, running a ]project-open[ system without regular updates violates the GDPR, because known security vulnerabilities may remain uncorrected.


Data Operations Required by GDPR

GDPR requires you to perform the following actions at the request of a user, or when a user does not agree to their data being processed. ]po[ in its default configuration allows you to perform all actions required by the GDPR:

  • Data portability:
    This is implemented by the user's page "Basic Information", "Contact Information" and "Related Objects" portlets. Just copy the information from these portlets.
  • The right to be forgotten:
    Please use the /intranet/users/nuke?user_id=xyz page to permanently "nuke" a user.
  • The right to prevent profiling:
    ]project-open[ in its standard configuration does not perform any profiling actions.
  • The right to object to processing:
    ]project-open[ in its standard configuration does not perform any "processing" actions as defined by GDPR.
  • The right to rectification and erasure:
    This is implemented by the basic three portlets mentioned in the "Data portability" section.
  • Subject access requests:
    Please see data portability above.


Note: This article has been written by Frank Bergmann. Frank is not a lawyer, and this article is not legal advice.
