GDPR Compliance with SupportPal

This guide will explain what GDPR is, the effects of GDPR on users of SupportPal software and the tools available in SupportPal to make complying with it easier.

GDPR Details

This guide is specifically tailored to the use of SupportPal; it is not intended to provide you with, nor should it be used as a substitute for, legal advice. We recommend reading the more in-depth ICO guide, and you should seek independent legal advice on your status and obligations under the GDPR.

What is GDPR?

The General Data Protection Regulation (GDPR) is the EU-wide data privacy law that is in effect from 25th May 2018. It was introduced to unify all EU member states' approaches to data regulation. The aim is to give EU citizens more control over their personal data in terms of what information is shared, where and how it's shared, and to protect against organisations using their data irresponsibly.

Who does it apply to?

GDPR applies to all businesses that handle EU citizens' data, even if the business is located outside the EU. There are, however, differing levels of responsibility based on what you do with the data.

When considering personal data, there are two classes to consider:
  • Data Controller - states how the personal data is processed and why it is needed.
  • Data Processor - does the actual processing of the data on behalf of the data controller.

As SupportPal is on-premise software, it typically runs on your own servers or with a web hosting company. In the former case, where you manage everything, you would be both the data controller and processor. In the latter case, you are still both a data controller and processor, but the web hosting company is also a processor. As a controller, it is your responsibility to ensure that all third-party processors comply with GDPR too.

If you run SupportPal for a client or have a third party managing it for you, this adds another processor level to the equation.

What data is protected?

It applies to all data concerning individuals (not organisations) and anything that can be considered as personally identifiable information. This includes name, email, and even IP addresses. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.

With SupportPal, the following data that is stored in the database and file system can be considered as personal data:

  • User profile, including avatars and custom fields data.
  • Tickets, messages, attachments and custom fields data.
  • Ticket feedback.
  • Activity log, email log and failed logins.
  • Comments and article ratings.

As the data controller and processor, you must ensure you are handling personal data responsibly.

SupportPal and GDPR

SupportPal has tools to help you comply with GDPR. Below is a description of the individual rights of GDPR and how SupportPal can help you for each.

We recommend running at least SupportPal 2.3.1, where improved tools were introduced to better handle data erasure and information requests.

For users running SupportPal 2.3.0 and below, we highly recommend turning off the 'Send Diagnostic Data' option, or upgrading to 2.3.1, where this function has been completely removed. If left enabled, in the event of an unexpected error, personal data may be transmitted to the third party Rollbar in accordance with our Privacy Policy.

Individual Rights

Right to be informed


Individuals have the right to be informed about the collection and use of data. In your privacy policy and/or terms of service, you must provide information about your purposes for processing their data, retention periods and who it will be shared with.

A list of the personal data collected in SupportPal can be found above, and should be modified based on your own specific requirements. You should mention if the data is shared with anyone, such as a web hosting company or another third party, for whatever reason.

For data retention, the system cleanup tool can be used to automatically remove inactive users, tickets and organisations after a certain time.

Data Retention Options

Right of access and to rectification


Individuals have the right to access their personal data. SupportPal has a frontend portal where users can log in, view and update their data.

Right to erasure


Individuals can request for their personal data to be erased. In SupportPal, deleting a user account will delete all related personal data including tickets, activity and email logs.

Delete User Warning

Right to data portability


Individuals can request to obtain all the personal data you hold on them. SupportPal offers a user export option which will generate a JSON file containing all of their personal data.

Export Data Options

Right to restrict processing


Individuals can request the restriction (store but not use) of their personal data under certain circumstances, for example if the controller no longer needs the data but the data subject requires it for the defence of legal claims. Such cases should be extremely rare and unlikely, but if the situation ever arises, a user export can be taken as above and the user can then be deleted from the system. The export should be held for as long as needed.

Right to object


Individuals have a right to stop their data being used for direct marketing. Replying to support tickets or contacting users when there is a need are considered legitimate interests and are allowed, but consent is required for marketing contact.

SupportPal offers a mass email tool as well as the option of emailing users directly, but we advise against using these for marketing, as there is no option to unsubscribe or ask for consent; for marketing, we recommend using a tool like Mailchimp. These tools can instead be used when you need to contact a number of users together for a legitimate interest.

