Handling the apparent paradox of permanent records in Agile PLM with the new GDPR
I’m hearing a lot of talk on the new European General Data Protection Regulation and how it requires companies to not store personal data after a certain period for people no longer employed at the company.
Any of you good folks run into this?
Without having received any specifications I can hear from legal department that retaining full name and title could be an issue. This is of course part of the useraccounts in Agile, and is part of the permanent Audit trail of the user in the system: creations and approvals throughout their time. There are other regulations that require us to keep those records.
Any insights and experiences would be most welcome!
Well, names (usernames, that is) and oftentimes job titles aren’t considered PII, unless the EGDPR as you mentioned is considering it personal data. If compliance is that strict, do an import to update or nullify those selected data fields for inactive users. You could also develop a script to do just that for future user inactivations.
Username is not PII, so there shouldn’t be an issue with keeping that as is in your system. If you have to update the other fields, you can do so – Agile will need something in the First Name and Last Name fields, though it doesn’t have to be a person’s full name.
Now that I know more about GDPR, this question is a lot more relevant for us as my company does have European employees and I wanted to tackle this question. I was wrong in my earlier answer.
In a legal battle, there’s some provisions were we can confidently say that we have a legal obligation to keep a user’s PII. That is, our regulated companies has an obligation for the sake of compliance and product quality to have personal data. Employees have also given that consent when they were hired to perform work on quality product. Therefore, we could make the argument that employees do not have the right to be forgotten because they consented to this already. Per GDPR, ‘processing’ includes collection and storage of personal data. In the regulation, processing is considered “lawful” if it is “necessary for the performance of a contract”, which in this case would be the employment contract.
Furthermore, GDPR asks questions about 3rd parties and how you use that information. To answer that, I know for me we’d only use personal data for things like sign-off duration reports and file access history – both for internal use only. It’s likely that your data is kept in the country where you work, which probably makes a difference. GDPR would call my company both the “data collector” and “data processor”.
We’ve determined that Agile, under normal settings, keeps the following PII, outside of any added field data: first name, last name, userid (if your user id corresponds to name information), job title, email address, address or location, SID (database query only), hire date, job function.
Nonetheless, there is only very little things you could do if an employee wanted to be forgotten. I found that removing someone’s PII with a pseudonym on the User’s profile page will not update a Closed ECO or the history tab of a Document, for instance (though I haven’t tried if this applies after a database refresh). The history tab of an object will still show their PII. Therefore, worst case scenario, log an SR with Oracle. They need to provide us with a SQL script to conduct a database data hard-update.