Ensure GDPR comlpliance - automatic deleting tickets after a periode of time

Answered

4 Comments

  • Dan Ross
    Comment actions Permalink

    Today, there's no tool I'm aware of to do that. GDPR compliance on Zendesk's part seems to currently be limited to manual deletion of tickets. Hopefully they have something up their sleeve in time for the actual launch date of GDPR at end of this month.

    If you have the resources, you may be able to build an API tool to gather ticket IDs 1 year after they were solved and then do a bulk delete of those tickets on the API. 

     

    1
  • Nicole - Community Manager
    Comment actions Permalink

    Hey Jesper - 

    Dan is correct. In V1 of the GDPR compliance tools, deletion will have to be manual. For more details on product functionality related to GDPR compliance, please visit the Zendesk EU Data Protection website and scroll part way down to the section titled "Zendesk and GDPR Product Readiness." 

    You can also email privacy@zendesk.com with additional questions or feedback. 

    0
  • Matt Savage
    Comment actions Permalink

    @Jesper - I've mentioned the need for automated retention/deletion policies in another post about GDPR tooling.  If automations could run on closed/archived tickets, any admin could set a basic rule that says when [some conditions] are met, delete this ticket permanently.  This might not be as nuanced as you'd like, but you could set broad conditions where you're confident tickets are no longer serving a useful business need.  Most customers could be satisfied with this solution, I'd bet; it's a good method of purging ancient tickets if nothing else.

    The lack of more robust tooling is really problematic, especially for Zendesk customers who don't have technical resources to plug into the APIs.  A non-technical attempt would follow this guide to bulk delete via views; however, views explicitly exclude archived tickets, which are likely included in historical tickets you may want to delete for compliance reasons (in my test, only 90 of the 267,000 tickets I found via search appeared in the view due to this limitation).  Even 'bulk' deleting here is limited to the max you can select (100) at a time; not very practical if you have thousands of tickets to delete.  Since you can't combine views, triggers, and automations to accomplish this task en masse, your next option is the Zendesk API.

    Even if you do have a technical resource available, it's a very cumbersome process right now.  I haven't figured out the end-to-end process or fully tested this yet, but here are the steps I'm daisy-chaining to search, extract, submit, and confirm deletion of ticket IDs in Python:

    1. Using this Search API guide for tickets matching your filtered search conditions (you can test these in the normal Agent UI search to confirm their accuracy) through the /search endpoint, output the results to a .json file
      '/search.json?{parameters}'  

      ^^ which effectively encodes a query like below:
       '/search.json?query='status:closed updated<"2017-05-18"'
    2. From the returned JSON file of all the filtered tickets, loop through it to extract the ticket IDs and store those in another file or variable
      with open(filename, 'r') as f:
      data = json.load(f)
      pages = len(data['tickets'])
      ticket_dict = {}

      # add for loops to recursively iterate through any
      # lists, brackets for key values
      for p in range(pages):
      tlist = data['tickets'][p]['results']
      for t in tlist:
      id = str(t['id'])
      pp.pprint(id)
    3. Submit those ticket IDs (in batches up to 100 - you'll need to recursively break your list into 100-item chunks in the previous step if you have more) to the Bulk Delete /tickets/destroy_many endpoint
      'tickets/destroy_many.json?ids=1,2,99,100'

      ^^ At this point you've effectively 'soft deleted'
      these tickets. They can still be recovered, deleted
      permanently, or left there. Presumably, after 30 days,
      they'll be permanently deleted if they follow the same
      process as manual deletions. API docs don't explicitly
      state the answer. But you can't see them anymore in the
      main agent UI if you insert the ticket ID or search for
      it.

      Curiously, they don't appear in the 'deleted tickets'
      system view.
    4. To permanently delete the tickets immediately, you'll need to submit them back into another API endpoint: /deleted_tickets/destroy_many.json?ids=1,2,99,100' (docs don't mention if this is also limited to 100 IDs).  For each request you submit, Zendesk will return a batch delete job ID, which you should store in another file/variable for the next step:
      /deleted_tickets/destroy_many.json?ids=1,2,99,100'

      { "job_status" : { "status" : "queued", "progress" : null, "url" : "https://wombatsupport.zendesk.dev/api/v2/job_statuses/d4239ba02d5f0132c0b2600308a8421a.json", "id" : "d4239ba02d5f0132c0b2600308a8421a", "total" : null, "results" : null, "message" : null } }
    5. To confirm your permanently deleted tickets are, indeed, gone, you'll need to wait a bit before querying the job ID(s) to check their final status:
      job_statuses/show_many.json?ids=12345,67890

      {
        "job_statuses": [
          {
            "id": "8b726e606741012ffc2d782bcb7848fe",
            "status": "completed",
            ...
          },
          {
           "id": "e7665094164c498781ebe4c8db6d2af5",
           "status": "completed",
           ...
          }
        ]
      }
      Once you receive this confirmation, you've (hopefully?) become GDPR compliant with your Organization's data retention/deletion policies.  *Whew*  You deserve a vacation.

    I'll try to share some finalized github code links once I have the whole process chained together.  But that's the best idea I have so far.  If someone has a simpler one, I'd love to hear it!  I think a feature could have been built in the Admin UI to handle these tasks in a more user-friendly way, such as allowing them to create the conditions, sanity check them in a test 'view', then submit them into a black box that does all of the above and returns a final log of the actions taken. 

    This is a prime example of a GDPR tool for customers that could have been handled more thoughtfully.

    1
  • Brendan Farrar-Foley
    Comment actions Permalink

    @Jesper the problem with automatic deletion is you also lose all the metadata on the ticket when deleting it.

    We have built a GDPR Redaction app that helps remove all PII and customer data based on a ticket, a user, or an entire organization.  We built this custom for a few clients then made it available as a general app.  It retains metadata on the ticket so that reporting still operates as intended.  

    Find it in the Marketplace here:  https://www.zendesk.com/apps/support/gdpr-redaction-app/

    We have a couple of major international clients using the app and have also worked with Zendesk Services team on one of those implementations.  

    Please reach out to me with any questions.  gdpr@thoughtexhaust.com.  

    0

Please sign in to leave a comment.

Powered by Zendesk