Feature Request: Advanced GDPR tools/functionality


  • Official comment
    Luke Behnke

    Hi Matt -- thanks so much for the detailed post here. This is really great feedback, and it definitely resonates with what we are hearing as we roll this out to customers. You are indeed doing our Product Management job for us :).

    Frankly, we've been consumed with the heavy lifting over the past 6 months to meet the basic (and essential) data deletion requirements across all of our systems and infrastructure (a VERY heavy lift as you can imagine), but we understand that there are ways in which we can make the basic Admin experience easier for our customers and your customers. Threads like this and the others you reference are really helpful as we build this roadmap beyond the basics. Thanks for taking the time to provide the feedback.

    I'll also echo some of Graham's points that there is a lot you can do via our developer tools and APIs in the meantime. We have seen some customers build some interesting Apps and background jobs of their own to make this easier. Of course I know how hard it can be to find engineers and / or budget to do this, but it is an option.

  • Stephen Belleau
    Community Moderator
    Zendesk Luminary

    Can Zendesk hire this guy as a producer? ;) These recommendations are exactly what we need, very well thought out and would address many of our concerns. For our business, the most important one is being able to automatically anonymize data (specific fields containing PII) from certain tickets based on criteria. Deleting the ticket is not a desired solution as we lose important data for historical volume/trends reports.

  • Dan Ross
    Community Moderator

    This guy gets it.

    Thank you Matt, you've put into words many of the concerns and ideas we have but haven't been able to express nearly as well. Zendesk's current compliance option to 'just delete the ticket' isn't acceptable.

    All tickets (including Closed) need to be able to have specific data redacted in bulk and/or via a rules-based system in order to comply with GDPR and not damage our own business. If they're positioning themselves as an Enterprise grade solution, these data management features are needed!!

  • Matt Savage

    Haha, thanks for the compliments Stephen & Dan.  I posted this because I expected many other Zendesk customers were experiencing similar limitations with managing data effectively.  Maintaining balance between your own business needs and your own customers is tricky business, as we all know well.  There are lots of opportunities to automate the policies to reduce potential errors in their application.

    WRT closed tickets: I had also asked about this initially and failed to include it above.  I also want to know what can be done to handle those more tactically.  I have no issue with immutability at a certain state but it'd be nice to have control over exactly when that transition occurs.  Currently, there's an artificial 28-day maximum on the transition from solved --> closed that can't be overridden.  That's another aspect that would be great to specify directly in data retention/anonymization policies.

  • Graham Robson
    The OG - 2021

    Hey Matt,

    A solid piece of work here, although it appears to come from a suggested solution orientation.

    However, it does highlight the GDPR pain points, and what might work best from a Zendesk admin perspective i.e. define policies and have them enacted.

    At a recent public GDPR and Zendesk Webinar, Zendesk did allude to Zendesk doing and planning much at the product level to more deeply support admins with GDPR management tasks beyond the basics. My understanding is that tickets won't be deleted since that would cause distortion of reporting statistics, rather they would be semi-deleted/modified to remove GDPR sensitive data.

    As you highlighted, closed tickets are currently in a lock-down scenario, so we do really need some Zendesk enablement here, hopefully at the API level too.

    Here at CloudSET, a commercial Zendesk App Development Partner, we are prototyping the use of Zendesk's new Custom Resources API, which allows the addition of different object types and relationships between them and core Zendesk objects. This offers up some mouth-watering possibilities to model GDPR policies, and enact them using existing and new Zendesk Services. This includes the whole world of Zendesk Apps Framework and the Apps you can build yourself, or obtain from partners like CloudSET.

    As such, there are some fundamental capabilities that only Zendesk can provide, with either Zendesk fleshing out the full solution at the product level and/or allowing other parties to provide a full solution set. 

    If anybody is interested in partnering with CloudSET's Early Adoption Program for Customer Data, please reach out to us at info@cloudset.net.

    Graham Robson - CloudSET (Coherence Design)

  • Matt Savage

    (edit: 2018-05-18 13:44 - post is pending approval still- check later if you don't see it yet)

    Since it's relevant to the points above, I'm cross-posting my best attempt at enacting a deletion/retention process with the current API endpoints.  I hope this provides more depth into just how under-equipped the current features are to comply with the necessary data policies imposed by GDPR.

  • Michael F

    I was going to create a new thread but this post captures part of my requirement exactly and I would like to add my thoughts to it. 

    If a customer terminates their contract with us, yes I can retain their data for a reasonable amount of time to protect the company against claims of negligence for example. However eventually this data will need to be removed from Zendesk. My issue, as confirmed by your Support team, is that by hard deleting tickets you're opening yourself up to inaccurate reporting through Insights. 

    If I want to report on all of the tickets created 6 months ago but I've had to delete a bulk of them, then the only way to include them in the report is to add the filter that states to include deleted tickets. However, this includes all of the tickets that should never have been a ticket in the first place i.e. the ones that made it through your spam filters etc.

    So now I'm stuck between a rock and a hard place, either way my reporting is now inaccurate. I'm missing tickets, or adding in ones that shouldn't be included, and this is just one example of the many frustrations that I have with GDPR and Zendesk's lack of support for it.

    There has to be a way to obfuscate data! Our company is a supplier of case management software and we now scrub our DB of all information, but leave a marker behind for our reporting so that we can still accurately account for what cases went through our software.

    I'm seriously surprised given the period of notice that everyone had that GDPR was coming, that a company as big as Zendesk has not adequately produced a set of tools available to its user base to support the introduction of this law. 

  • Brendan Foley

    @matt this is an amazing summary of needs around GDPR!  

    We have built a GDPR Redaction app that helps remove all PII and customer data based on a ticket, a user, or an entire organization.  We built this custom for a few clients then made it available as a general app.  It doesn't accomplish all of the above, but it DOES solve the problem in the meantime.  

    Find it in the Marketplace here:  https://www.zendesk.com/apps/support/gdpr-redaction-app/

    We have a couple of major international clients using the app and have also worked with Zendesk Services team on one of those implementations.  

    Please reach out to me with any questions.  gdpr@thoughtexhaust.com.  

  • Katie McCormick

    I work for a smaller company and have been tasked with developing the data retention policy for my group. The current lack of tools to set a data retention policy without additional spend is appalling. Our engineering team already runs extremely lean and doesn't have the resources to help me with an API; there are not enough details in any of the API articles to help me do this myself. My higher-ups won't approve additional spend on any of the apps geared towards this. Zendesk needs to integrate data retention into its program sooner rather than later. 

  • Katie McCormick

    @... My organization would be interested in joining this EAP. Thanks! 

  • n.kunzer


    Thanks for this information.

    But what about the servers' physical locations? If I am not mistaken, they must be located in EU territory and must not be replicated outside, isn't that right?



  • Daryll Holland

    Nicholas - No, they don't physically need to be located in EU territory, they can be outside of the EEA (European Economic Area). However, safeguards need to be in place to transfer data outside of the EEA such as Privacy Shield (which is now not valid), EU standard contractual clauses or consent from the end user. 

    Can someone from Zendesk please update us with what progress is being made? The GDPR text has been out in its final form since March 2016 - over four years ago. 

  • Sydney Neubauer
    Zendesk Luminary

    This is definitely on our list of priorities, as it is typically on anyone's mind when taking on a platform, as there are laws we abide by.

  • Bradley Lowes

    Any updates on Zendesk creating native apps to cleanse users and organizations? The manual import and export of the data is incredibly tedious and time consuming. I realize there are third party solutions, however, our business does not have the budget and is conscious of system security...

  • Mary O'Neill
    Zendesk Product Manager

    Hi Bradley Lowes,

    Thanks for your comment!

    Automation for deletion is currently in development with an estimated delivery of early H2. Ticket deletion will be released first then users to follow shortly afterwards.

    We'll be posting an official announcement in the coming weeks with more info on confirmed dates and scope.


  • Bradley Lowes

    Mary O'Neill Thank you for the update

