
What You Need to Know About GDPR and Helpdesk Software

by Katie Joll · Updated Apr 13 2020

Data privacy and protection issues have been big news over the last few years.

In 2018, the European Union enacted the GDPR, a wide-reaching set of regulations with the purpose of promoting data privacy.

Many companies are affected by this and there's a good chance yours is one of them. Here's what you need to know when it comes to GDPR and helpdesk software:

Download our GDPR facts here

What is GDPR?

GDPR is the General Data Protection Regulation. It sets a single set of rules across the EU for how organisations may collect and use personal data, and what rights individuals have over that data. After several high-profile data breaches and growing concern over how personal data was being used, the EU decided that stricter rules were needed.

The GDPR was formally adopted in April 2016, became enforceable on 25 May 2018, and has since been clarified by regulatory guidance and court decisions. It is primarily about the “processing” of personal data, a term that covers collection, storage, use, transfer and deletion. It also gives individuals in the EU (not only EU citizens) rights over that data, including the “right to be forgotten.”

Who does GDPR apply to?

Article 3 of the GDPR defines its territorial scope (the European Data Protection Board has since published guidelines on how to read it):

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

The bottom line: every organisation established in the EU must comply, wherever its servers happen to be. Organisations outside the EU must comply if they offer goods or services (free or paid) to people in the EU, or monitor the behaviour of people in the EU, for example by tracking them online with cookies.

GDPR applies to your business if you have clients in the EU, even if you're off-shore

Why does this matter for helpdesk software?

If you have an EU establishment or EU users, your company needs to comply with GDPR. A helpdesk is a good example: every ticket contains personal data about the requester, at least a name and an e-mail address and often a good deal more.

This means that the helpdesk software you use must support those obligations, and if a vendor hosts it for you, that vendor is processing personal data on your behalf.

If you're using third-party software (like JitBit), you are responsible for confirming that the software you are using is GDPR compliant (ours is). You remain the controller of the data, the vendor is your processor, and Article 28 requires a data processing agreement between you. You might think that being based outside of the EU will let you off the hook, but the regulation provides wide-reaching penalties for non-compliance. For example:

“For especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher. But even the catalogue of less severe violations in Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.”

Your data on EU customers or users doesn't have to be stored in the EU to meet compliance requirements. It can be stored elsewhere as long as you follow the rules set out in GDPR, including its rules on international transfers: moving personal data out of the EU requires a recognised transfer mechanism under Chapter V, such as an adequacy decision for the destination country or standard contractual clauses with the recipient.

What do you need for compliance?

To be compliant with GDPR, here are some key things your software, and your own processes around it, must support:

  1. Collect only the data you actually need (“data minimisation”). The GDPR discourages collecting “data for data's sake,” because every extra field widens the damage should there be a data breach. A key principle is to decide what you need to collect, and why, before you collect it.
  2. Protect personal data, for example by encrypting it. Encryption is not mandatory under GDPR, but Article 32 names it explicitly as one of the technical measures you must consider. When names and e-mail addresses are stored in plain text, anyone who obtains a copy of the database, a backup or an export can identify every individual immediately.

    You might recall a well-known example of this from 2015. The Ashley Madison site was hacked and its user information was stored in plain text. Some time later, the attackers posted the user data for all to see. You're obviously running a helpdesk, not a cheating site, but it's still preferable that your users can't be identified from a stolen copy of your data.

    (Note: the GDPR's wording is permissive. Recital 83 speaks of measures “to mitigate those risks, such as encryption,” Article 6(4)(e) of “appropriate safeguards, which may include encryption or pseudonymisation,” and Article 32(1)(a) lists “the pseudonymisation and encryption of personal data” as a measure to apply “as appropriate.” So encryption is not compulsory, but two practical points follow. First, if breached data was encrypted so that it is unintelligible to whoever obtained it, Article 34(3)(a) removes the duty to notify the affected individuals. Second, encryption at rest protects stolen copies (disks, backups, database dumps); it does not protect against an attacker who controls the running application, which can decrypt whatever it is allowed to read.)
  3. Your users have “the right to be forgotten” (the right to erasure, Article 17), and anyone who has given consent can withdraw it at any time. In practice: every marketing e-mail you send needs an unsubscribe option, and if a user calls or e-mails asking for their details to be deleted from your system, you must act on the request without undue delay and at the latest within one month (Article 12). Erasure is not absolute: you may keep what you are legally required to retain, but you must be able to delete or anonymise everything else, including the requester's details on old tickets, and that is a capability your helpdesk software has to provide.
  4. Where you rely on consent, it must be freely given, specific, informed and unambiguous (Article 4(11)). This means that you must tell users exactly what they are signing up for, and you may not pre-populate their choices on things like checkbox forms: no option may be pre-ticked for them (Recital 32); they must be able to read what the opt-in is and tick the box for themselves.
  5. Your company (or the third party you use) needs someone responsible for the privacy and protection of the data. A formal Data Protection Officer (DPO) is mandatory only in the cases listed in Article 37: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. For everyone else a DPO is optional, but somebody still has to own the job.
  6. Your company must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33), and must also inform the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34).

If you happen to be a company that uses any sort of profiling or monitoring (such as for marketing), there are also rules for how you keep track of your user data. We're talking about helpdesk software for the purposes of this article though, where these rules are unlikely to apply.
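Items 2 and 3 above are the ones a helpdesk's own code has to implement, and one design serves both: encrypt each requester's personal fields under a key that belongs to that requester, and honour an erasure request by destroying the key (“crypto-shredding”), which makes every copy of those fields, including the ones sitting in backups and exports you can no longer reach, unintelligible at once. The following is an added example written for this page, not Jitbit's code; it goes beyond the list above in showing the key-deletion approach. It assumes that only the requester's name and e-mail are personal data (a real deployment must classify every field, ticket bodies included), that the per-user key dictionary stands in for a KMS or HSM, and it uses a stdlib-only HMAC-SHA256 counter-mode cipher with encrypt-then-MAC in place of AES-GCM from a vetted library, which is what production code should use. The ticket data is constructed.

```python
"""Added example: per-user encryption of helpdesk PII with erasure by key
deletion ("crypto-shredding"). Not Jitbit's code; stdlib only so it runs
offline. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC,
a stand-in for AES-GCM from a vetted library, which is what production code
should use, with keys held in a KMS/HSM rather than a dict."""
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32
ERASED = "[erased]"


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from the per-user master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block_i = HMAC(enc_key, nonce || i), 32 bytes each.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag. A fresh nonce per field; never reuse one with the same key."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check before touching the data
        raise ValueError("ciphertext authentication failed (wrong key or tampering)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HelpdeskStore:
    """Toy ticket store: requester name and e-mail are encrypted under a
    per-requester key; other ticket fields (assumed here not to be personal
    data) stay in clear for retention and reporting."""

    def __init__(self) -> None:
        self.user_keys: dict[str, bytes] = {}   # assumption: stands in for a KMS/HSM
        self.tickets: dict[str, dict] = {}

    def _key_for(self, user_id: str) -> bytes:
        return self.user_keys.setdefault(user_id, os.urandom(32))

    def create_ticket(self, ticket_id: str, user_id: str, name: str, email: str, subject: str) -> None:
        key = self._key_for(user_id)
        self.tickets[ticket_id] = {
            "user_id": user_id,
            "subject": subject,
            "name": encrypt(key, name.encode()),
            "email": encrypt(key, email.encode()),
        }

    def read_ticket(self, ticket_id: str) -> dict:
        t = self.tickets[ticket_id]
        key = self.user_keys.get(t["user_id"])   # None once the user has been forgotten

        def reveal(blob: bytes) -> str:
            return decrypt(key, blob).decode() if key else ERASED

        return {"subject": t["subject"], "name": reveal(t["name"]), "email": reveal(t["email"])}

    def forget_user(self, user_id: str) -> int:
        """Honour an erasure request by destroying the key: every ticket, export
        and backup holding this user's PII becomes unintelligible at once.
        Returns the number of tickets affected (0 if the user is unknown)."""
        if self.user_keys.pop(user_id, None) is None:
            return 0
        return sum(1 for t in self.tickets.values() if t["user_id"] == user_id)

    def raw_contains(self, needle: bytes) -> bool:
        """What a database dump would reveal: is `needle` stored in clear anywhere?"""
        for t in self.tickets.values():
            for v in t.values():
                if needle in (v if isinstance(v, bytes) else v.encode()):
                    return True
        return False


if __name__ == "__main__":
    store = HelpdeskStore()
    # Constructed sample ticket; not real data.
    store.create_ticket("T-1", "u42", "Alice Example", "alice@example.org", "Cannot log in")
    print(store.read_ticket("T-1"))
    print("e-mail visible in a raw dump:", store.raw_contains(b"alice@example.org"))
    print("tickets affected by erasure:", store.forget_user("u42"))
    print(store.read_ticket("T-1"))
```

Running the block prints the ticket before and after `forget_user`. The `raw_contains` check is the one worth keeping in your own test suite: it asks what a database dump, the thing an attacker actually walks away with, would reveal, and that is also the property Article 34(3)(a) turns on when deciding whether breached data was “unintelligible.”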


JitBit can help…

The bottom line is that if you operate in the EU or have EU users or customers, you need to comply with GDPR requirements. When you're looking for helpdesk software that meets these criteria, JitBit is here and ready to go.

We welcome GDPR as it answers some of the data concerns we already had. In fact, we didn't have to make too many changes to be GDPR compliant because we already had most of these measures in place.

We think many of the requirements now underlined by GDPR should be taken as best practice anyway. If you're collecting any form of customer data, then it's important to respect those customers by protecting it. They need to be able to put their trust in you!

To find out more about JitBit's own GDPR compliance, you can take a look here.