Recently, we hosted our event on Zendesk Advanced Data Privacy and Protection. This featured a comprehensive review of our advanced data privacy and protection package, announced at Showcase. Experts shared insights into two new features of this package: Access Log and Advanced Data Retention Policies, both of which were launched in Q4. We discussed practical use cases and highlighted how organizations can use these tools to deliver trusted and secure customer experiences. We also covered best practices and hosted a live Q&A with our product experts.
Top Questions from the Q&A
Q1: Can agent access restrictions be applied from role, group, brand, or even from a custom field value?
Agent access can today be restricted to tickets via groups and roles. We are working on a solution that would also restrict agents to tickets and end users via brand.
Q2: Is there an option where we can restrict the tickets from a few organizations flagged with unique identifiers to be viewed/edited only by a handful of agents?
The condition builder has the “is not” operator, allowing you to exclude tickets from these organizations.
Q3: Why isn’t this included in an existing Suite Enterprise subscription?
This is because Suite Enterprise is a standard package meant for everyday needs and the broadest range of businesses. Advanced Data Privacy and Protection is a separate add-on because it’s more specialized. Not every business needs advanced data privacy and security, so it doesn’t fit as well in a standard package.
A basic version of advanced data retention policies will be available in Suite Enterprise and other Suite plans. It’s less customizable than the advanced version, but it does allow for easier data deletion than is possible in Suite Enterprise today.
Q4: In what areas of Zendesk Support is Advanced Data Privacy and Protection required for GDPR compliance?
Zendesk already supports GDPR compliance, so Advanced Data Privacy and Protection is not required for compliance. However, some of the capabilities can make compliance easier to manage. For instance, data deletion, which supports the GDPR right to erasure, was already possible with Zendesk.
What’s new with Advanced Data Privacy and Protection is that the tools are easier to configure, customize, and scale across different data types. For example, Advanced data retention policies give you a customizable deletion tool within the UI, which requires less technical skill than the Zendesk API or custom apps, which many Zendesk customers use for ticket deletion today.
Q5: How does Zendesk manage data for GDPR systematically? Is it being managed by AWS?
We try to make it as seamless as possible to stay in compliance with GDPR. Zendesk supports five primary obligations of GDPR, including obligations around rights to data access, correction, erasure, portability, and objection.
Q6: How do these new offerings impact existing HIPAA-compliant accounts?
Zendesk already offers HIPAA-enabled service plans; these new offerings don’t change that. If you’re already on a HIPAA-enabled service plan, that plan is still HIPAA-enabled. There is no requirement that you purchase the new add-on.
However, suppose your company is managing protected health information. In that case, the new offerings are certainly still relevant since they’re giving you more control to limit who’s seeing that data, to monitor when it is accessed, and to control how long you keep it. It depends on what level of health data privacy and security a business needs for its specific circumstances.
Q7: Does redacting or deleting a ticket remove that ticket data from Explore?
Yes, deleting tickets will be reflected in Explore. Deleted tickets are excluded from most Explore reports by default. For example, when a key is solved, you will only see non-deleted tickets; this event is not stored in Explore. However, for created tickets, you will see the total of all created tickets including deleted ones, this event is stored in Explore. We will work on retaining metadata with the Explore team in 2024.
Q8: Can you redact instead of deleting old tickets and are there automated ways of redacting personal data?
Yes! You can manually redact text and attachments from old tickets. We are partnering with our ML teams and in 2024 will develop a way of automatically deleting all PII across tickets. For example, find all “phone numbers” and redact once a ticket has been closed for three years.
Q9: How do I use data retention policies to conserve closed tickets before we know we need to retain them?
If these tickets currently have no way of identifying as “need to retain,” there are a couple of options:
- Add tags to closed tickets - this feature is currently being developed at Zendesk. It will allow you to retrospectively add tags to a closed ticket which you could then use the ‘is not” condition to exclude them. (Tags are coming Q1 '24)
- We will also be adding requester conditions in the first half of next year. If you want to retain all tickets by a certain requester, you could delete all tickets where the requester is not John Smith.
Both of these options are coming soon.
Q10: How would we avoid an unauthenticated user viewing any user's support ticket attachment?
You can enable private attachments if sensitive documents are attached to tickets, especially identification documents such as passports and driver's licenses. When enabled, agents must be signed in to view attachments. End users can see private attachments in their tickets in the help center because they have to sign in to view their tickets. They'll need to click the links and sign in to the help center to view the attachments.
Future Events & Opportunities