This guide explains what the GDPR is, how it affects users of SupportPal software, and the tools available in SupportPal to make complying with it easier.
This guide is specifically tailored to the use of SupportPal. It is not intended to provide you with, nor should it be used as a substitute for, legal advice. We recommend reading the more in-depth ICO guide, and you should seek independent legal advice on your status and obligations under the GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU-wide data privacy law that has been in effect since 25th May 2018. It was introduced to unify the approaches of all EU member states to data protection. The aim is to give individuals in the EU more control over their personal data, in terms of what information is shared and where and how it is shared, and to protect against organisations using their data irresponsibly.
Who does it apply to?
GDPR applies to all businesses that handle the personal data of individuals in the EU, even if the business itself is located outside the EU. There are, however, differing levels of responsibility depending on what you do with the data.
When considering personal data, there are two classes to consider:
- Data Controller - determines how and why the personal data is processed.
- Data Processor - carries out the actual processing of the data on behalf of the data controller.
As SupportPal is on-premise software, it typically runs either on your own servers or with a web hosting company. In the former case, where you manage everything, you are both the data controller and the data processor. In the latter case, you are still both controller and processor, but the web hosting company is also a processor. As the controller, it is your responsibility to ensure that all third party processors comply with GDPR too.
If you run SupportPal for a client or have a third party managing it for you, this adds another processor level to the equation.
What data is protected?
It applies to all data concerning individuals (not organisations) and anything that can be considered personally identifiable information. This includes names, email addresses and even IP addresses. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
With SupportPal, the following data that is stored in the database and file system can be considered as personal data:
- User profile, including avatars and custom fields data.
- Tickets, messages, attachments and custom fields data.
- Ticket feedback.
- Activity log, email log and failed logins.
- Comments and article ratings.
As the data controller and processor, you must ensure you are handling personal data responsibly.
SupportPal and GDPR
SupportPal has tools to help you comply with GDPR. Below is a description of the individual rights of GDPR and how SupportPal can help you for each.
We recommend running at least SupportPal 2.3.1 where improved tools were introduced to better handle data erasure and information requests.
Right to be informed
A list of the personal data collected in SupportPal can be found above, and should be modified based on your own specific requirements. You should state whether the data is shared with anyone, such as a web hosting company or another third party, and for what reason.
For data retention, the system cleanup tool can be used to automatically remove inactive users, tickets and organisations after a certain time.
Right of access and to rectification
Individuals have the right to access their personal data. SupportPal has a frontend portal where users can log in, view and update their data.
Right to erasure
Individuals can request that their personal data be erased. In SupportPal, deleting a user account deletes all related personal data, including tickets, activity logs and email logs. Note that this only affects the live SupportPal database and file system; copies of the data held elsewhere, such as database backups, mail server logs or web server access logs, are not touched and must be handled separately.
Right to data portability
Individuals can request a copy of all the personal data you hold about them. SupportPal offers a user export option which generates a JSON file containing all of their personal data.
Right to restrict processing
Individuals can request the restriction (store but do not use) of their personal data under certain circumstances, for example if the controller no longer needs the data but the data subject requires it for the defence of legal claims. Such cases should be extremely rare, but if the situation ever arises, a user export can be taken as described above and the user can then be deleted from the system. The export should be held for as long as needed. Since the export still contains personal data, it should be stored with the same care as the live system: encrypted at rest, with access restricted to those who need it, and deleted once it is no longer required.
Right to object
Individuals have the right to stop their data being used for direct marketing. Replying to support tickets or contacting users when there is a genuine need are considered legitimate interests and are allowed, but consent is required for marketing contact.
SupportPal offers a mass email tool as well as the option of emailing users directly, but we advise against using these for marketing, as there is no option for users to give consent or to unsubscribe. For marketing we recommend using a dedicated tool such as Mailchimp. The SupportPal tools can instead be used when you need to contact a number of users together for a legitimate interest.