Delete/Scramble service desk issues for GDPR compliance

First of all, thank you for the GitLab Service Desk; it’s a really great way to keep track of issues by users. But I have some doubts about the current implementation and its GDPR compliance.

The service desk automatically saves the e-mail address of the sender and allows the communication through the comments. But once it is closed, the issue can only manually be deleted permanently in order to delete user data.

My understanding of the GDPR regulation is that, as an organization, you should be able to:

  • inform users about the retention period of their data (that must be clearly defined)
  • be able to delete any data of the user

The first two points are a bit sensitive. I have not found any information about a retention period for user issues in the documentation.
If it were up to the administrator to make sure that the data is deleted, it would still be okay, but there is no bulk delete (or bulk scramble) option. So the only way to fulfill data deletion of a customer (or bulk deletion after a defined retention period) would be by deleting the entries one by one.

The most practicable solution for this problem in my eyes would be to define a time when the actual sender of the service desk issue should be removed (or made unrecognizable).
So let’s say all information of the sender of an issue is made unrecognizable one year after the closure of an issue.
Another option could be to add a bulk action to delete or scramble the user data of selected entries.

So I would like to put this up for discussion. Or is there maybe any other way to handle this problem?
