General Data Protection Regulation 2018 - the right to be forgotten

Answered

44 Comments

  • Official comment
    Jessie Schutz

    Edit: Updated 12/1/17

    Zendesk has launched an EU Data Protection website to serve as a resource to help our customers prepare for the GDPR and to serve as a centralized information hub where our customers can stay up to date with our product enhancements and EU data protection issues in general.

    This website includes information about various aspects of EU data protection, our BCRs, what the GDPR is, the changes it brings to organizations operating in the EU, and the product features and services Zendesk offers to support your GDPR compliance efforts. In the coming months, we will continue to update the website and add resources to assist our customers’ GDPR compliance efforts when using our services.

    In addition, we invite you to visit the Zendesk Blog for the latest on our EU data protection efforts and how we work with customers who have cross-border, personal-data-transfer issues.

    If you have any additional questions please feel free to send an email over to privacy@zendesk.com.

    _____

     

    Hi everyone!

    I touched base with our Legal Team, and here is the information they shared with me:

    Thank you for your query. Zendesk is in the midst of an in-depth General Data Protection Regulation (GDPR) readiness project across our entire organisation, including the recent completion of our Data Protection Impact Assessments (DPIAs). As part of this project, we are analysing each of our product offerings and our internal policies with a view to identifying any gaps in GDPR compliance; and, we are taking steps to fill any such gaps. We expect to be in a position to release more detailed information (on our website) regarding our state of readiness and guidance for our customers in November of 2017; and, will be GDPR compliant by the effective date of 25 May 2018. We invite you to check back in with us on our website for further updates.

    Zendesk values your trust and shares in the same concerns over the privacy of you and your data. That is why Zendesk offers its customers choices when it comes to privacy. Recently, Zendesk has obtained approval for its Binding Corporate Rules (“BCRs”) as a data processor for its customers’ data, which provides our customers with a robust mechanism to facilitate transfers of personal data from the EEA to members of the Zendesk family of companies when using our services. Further information is available in our press release. In addition, Zendesk has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department of Commerce’s list of self-certified Privacy Shield participants. Our certifications confirm that we comply with the Privacy Shield principles for the transfer of European and Swiss personal data to the United States. Finally, in an effort to give our customers even more assurances around our commitment to GDPR compliance, we have updated our Data Processing Agreement that confirms a contractual commitment to comply with the provisions of GDPR when they come into effect and incorporate the EU Model Clauses. You can learn more about our privacy practices and how to obtain our Data Processing Agreement here.

    If you have any additional questions please feel free to send an email over to privacy@zendesk.com, and stay tuned for our official docs to be released in November!

  • Graeme Carmichael

    Helle

    I am not familiar with the legislation, but I just want to ensure you are aware of the ticket redaction app. It is provided by Zendesk, but not officially supported so may not meet all your requirements.

    0
  • Helle Buhl

    I am aware of that APP. I have tried to test this before, and was not very fond of it.

    But - maybe I should give it another go.

    And - there is still this problem with the APP:

    NOTE: The Redaction API completely deletes data from Zendesk Support databases, but does not purge existing logs when the ticket data was originally created. Zendesk is investigating purging redacted data from logs in the future.

    0
  • Colin Piper

    @Helle, the new "Right to be forgotten" legislation was initially designed to address the concerns that someone's past history could be misrepresented at some stage later. The initial target was search engines and other reference sites. In my non-expert opinion, it would seem that within the Zendesk realm, only public forums are potentially of concern. However, it is not clear to me whether the legislation covers material which is originally posted by an individual or whether it is only material that refers to that individual, i.e., would this legislation allow for me to request Zendesk to remove any post I have ever made in this community? It would certainly allow for me to request a post removed that expressed an opinion of myself, but these are not allowed in the community guidelines anyhow and would be removed by Zendesk as soon as spotted anyhow.

    0
  • Stefan Frithiof

    Helle, we share your concern. We are preparing for the GDPR in 2018 as well. Is there any new info about Zendesk preparations for this? We want to ensure the support system we are using complies with this. Because of the massive fines if you don't follow the legislation, I think many others will do as well.

    0
  • Jessie Schutz

    Hey guys!

    Sorry for the delayed response on this. I was just speaking with a colleague the other day, and this new legislation is definitely on our radar. I'm in the process of getting in touch with the appropriate teams to get some information for you.

    Stay tuned!

    0
  • Thomas D'Hoe

    Hi,

    What's the status about GDPR?

    Thanks!

    0
  • Nicole - Community Manager

    Hey Thomas et al -

    I've pinged a few folks internally, and we'll have an update for you shortly. Stand by!

    0
  • Nicole - Community Manager

    Hi all -

    The official word is that you can rest assured that we will be compliant with the GDPR when it comes into effect in May 2018.

    EDIT: the form originally listed here is not what should be used to access more information. If you have additional questions or need more information, please email privacy@zendesk.com

    0
  • Helle Buhl

    Hi - I have followed the link to the Data Processing Agreement. Then I need to sign something - I'm not sure why/what it is that I need to sign for?

    1
  • DJ Jimenez

    Another thing about the redaction app is it does not work on closed tickets. Are there any other tools that are/will be available?

    0
  • Nicole - Community Manager

    Helle - Please email privacy@zendesk.com. I was given that form in error, but have received more current information and the folks at that email address will be happy to answer any questions you have. 

    DJ - I know that we will for sure be GDPR compliant, but don't yet have details on how this will be rolled out. You are also welcome to email that address with questions. 

    We will eventually have more public information to share, but they're still working on the documentation and web page for that. Thanks for hanging with us while we get this sorted out! 

    0
  • Susanne Ekenheim

    I will for sure send an email, but I think you're wise to explain how this will work in this thread also.

    How long do you save tickets in your systems? 

    Are you saving the ticket itself but removing the customer's email address?

    There is sensitive information in the tickets also - how do you handle this?

    0
  • Joel Hellman

    I will also send an email, but we too would like more details in this thread on how you will approach and implement GDPR in Zendesk.

    0
  • Jessie Schutz

    Hey Susanne and Joel!

    As Nicole mentioned earlier, we're still working on the public facing documentation on this. Once it's ready, we'll be sure to share the link here, and make sure that any follow-up questions you might have are answered!

    In the meantime, I'm going to follow up internally and see if I can get a timeframe for when this documentation will be available. If there's any info to share, I'll be sure to let you know!

    0
  • David Wilkes

    Hi

    It would be good to see something soon. We have been conducting our own in-house review and have a need to implement flexible retention policies. Ideally we'd be able to mark each ticket with a 'Retention Category' where each category has its own retention rule - for instance 'personal data to be deleted on closure of ticket'. Ideally we'd be able to obscure content in a ticket reply rather than delete the whole ticket.

    We don't want to lose tickets, in the sense we need them for statistics, but the content itself (in some instances but not all) needs to be either obscured or removed.

    Other ideas - our customers should be able to mark their tickets in the Help Centre as containing personal information.

    2
  • Joel Hellman

    Any updates?

    While it's good to know that Zendesk is actively working on GDPR, in the end it will be our own responsibility to implement it towards our customers. 

    That means we need to know what things to address on our end, and what things we can rely on Zendesk to build on their end. Developing solutions that address customer privacy concerns takes time, so the sooner we know, the easier it will be for us to get to work on what we need to fix on our end.

    Will Zendesk build new tools to identify sensitive information, such as regex based trigger conditions? 

    Will Zendesk build new tools to redact/permanently delete information inside tickets without deleting the whole tickets? Such as content in comments, subject, meta information such as email, IP addresses, and select custom fields?

    We'd likely want different retention plans on different types of tickets that define what information to remove. Should we build this ourselves using the business tools triggers, custom fields in Zendesk or will more streamlined tools for this purpose be made available?

    How will we solve the dilemma of protecting our customers' privacy, while still allowing Zendesk's analytics solution (GoodData-Insights or BIME) to stay useful? For example, we want to keep aggregated data, such as ticket volumes, what Tickets were About, the volume of tickets per Organization, etc., but not content that leaves us with privacy concerns.

    For apps and integrations, removing key data such as Ticket ID and External ID would be troublesome to deal with. There is a difference between a ticket that existed and was removed, and a ticket which never existed.

    How will removing User information be handled? Users also carry information that has privacy concerns, but handling that will likely be dependent on if the User has been active recently or not.

    Thanks.

     

     

    3
  • Jessie Schutz

    Hey David and Joel!

    We don't have any further updates on this right now. I'd encourage you to read through my official comment above, if you haven't already, which includes a statement from our Legal team about what we're working on and several links to relevant information.

    The TL;DR of it is that we're working on GDPR compliance and expect that we'll have the details ready to release publicly in November. I promise I'll update this thread when that information becomes available, or if anything changes!

     

    0
  • Joel Hellman

    November sounds fine, I had honestly missed that we had an ETA already.  

    Thanks Jessie!

    0
  • David Wilkes

    Joel's comments are exactly the questions I have Jessie - the various links don't give me much confidence though.  They talk about what Zendesk is doing to become compliant as a business and don't seem to mention in any form what it plans to do to improve the product so that we can be compliant when using Zendesk.  Surely there is a roadmap to say what features are going to be added?  Are we going to get a list of new product features in November, and with that a delivery date for those features?

    Regards

    David

    2
  • Jessie Schutz

    Hey David!

    I honestly can't speak to exactly what will be in the information we share in November; Legal didn't share that information with me when I contacted them last month.

    We never share detailed roadmaps of our planned product development. Things change very quickly in the development process, and we don't want to provide any information that we're not absolutely confident is going to be accurate. 

    I'll get with our Legal team to see if there's any more detailed information they can share on what you might be able to expect in November, although I suspect there won't be a whole lot more information forthcoming. I'll communicate your questions over to them, though, and let you know if I find out anything new!

    0
  • Joel Hellman

    Okay, now I'm back to being worried. Just as David says, I'm not concerned Zendesk themselves will be GDPR compliant; I'm worried that it will become hard for us to use Zendesk efficiently and stay compliant. 

    I do expect a roadmap relating to customers being GDPR compliant while using Zendesk products, and I also expect Zendesk to be helpful to their customers in identifying areas of concern, and be straight up about which concerns we will have to handle ourselves - I mentioned a few of these concerns in my previous post. Since adhering to GDPR is very much about addressing technical challenges, Zendesk needs to be sufficiently detailed, or it won't be helpful to us.

    Thanks for the prompt responses Jessie, and for helping us by delivering our feedback back to Legal and Product at Zendesk!

    2
  • Jessie Schutz

    Hey Joel,

    I'm definitely not saying that we won't tell you what we're doing/have done at some point. I'm just saying that I don't know when that information will be forthcoming, whether it'll be part of the announcement we're planning to make in November, or if the Legal team will be able to share any additional information before said announcement.

    With product development in general and this situation in particular, we have to be very careful about what we share publicly about what we're working on. We don't want to put you in a situation where you've made business decisions based on something we've said, only to have those plans change so we're not able to deliver as promised. Not only is it a crummy experience for you, but it also puts us in a legally dicey situation. That's why we're communicating with the Legal team about this, and not Product or Marketing or somebody else. This is a really important piece of legislation and we need to make sure we do things the right way.

    We want our customers to be set up for success, so we always try to be as thorough as possible when we're rolling out new features and functionality. I can't imagine that this will be an exception. I've relayed your concerns to our Legal team, and I'll let you know if I find out anything useful. :)

    0
  • Chun Lee

    Hi @Jessie, do we have a firmer idea when in November we will get an update?

    0
  • Nicole - Community Manager

    Hey Chun - 

    We will have more info to share the week of the 27th. 

    0
  • Helle Buhl

    The week of the 27th is just about to "run out of time". 

     

    When will you announce the news about GDPR?

    I'm beginning to get a bit worried. If I find out that I cannot get Zendesk to fit in our GDPR plans, then I need to find another helpdesk solution - and it takes time.

    So please - come up with some very good news. 

     

    1
  • Thomas D'Hoe

    We are also waiting ... Please move on Zendesk!!

    0
  • Nicole - Community Manager

    Hi all - 

    Zendesk has launched an EU Data Protection website to serve as a resource to help our customers prepare for the GDPR and to serve as a centralized information hub where our customers can stay up to date with our product enhancements and EU data protection issues in general.

    This website includes information about various aspects of EU data protection, our BCRs, what the GDPR is, the changes it brings to organizations operating in the EU, and the product features and services Zendesk offers to support your GDPR compliance efforts. In the coming months, we will continue to update the website and add resources to assist our customers’ GDPR compliance efforts when using our services.

    In addition, we invite you to visit the Zendesk Blog for the latest on our EU data protection efforts and how we work with customers who have cross-border, personal-data-transfer issues.

    If you have any additional questions please feel free to send an email over to privacy@zendesk.com.

     

     
    0
  • David Wilkes

    Well that's an anti-climax.  Can't see there's anything at all about new product features.  Not one thing, unless you care to point me at the list of planned features I think we all expected to see.

    1
  • Nicole - Community Manager

    Hey David - 

    The legal team said they expect to update the website with product functionality updates related to GDPR in Q1. That's all the information they've given us at this time. 

    That being said, you're welcome to email them directly at privacy@zendesk.com with your concerns. 

    1
