Expand my Community achievements bar.

GDPR and Workfront

Avatar

Level 4
If you have not been caught up in the global craze that is GDPR, then count yourself lucky! However, if you have information on EU Data Subjects in your Workfront environment, it's probably something you've put some thought behind. In particular, there is one area that I have questions on that I was hoping the good people on the forum could help me with. One of the key components that GDPR looks at is the retention of data on Data Subjects. Until now, when someone has left our firm and they had a Workfront account, we have Deactivated the account but never deleted it. The same goes for Projects. Once a project is closed, we mark it as Closed and never think about it again. In a GDPR world, it won't be that simple. Many European authorities believe that data (we'll call it PII for simplicity sake) on Data Subjects who are no longer employees of the organization must be purged as quickly as possible (I know some authorities feel 3 years is the max). Obviously, user accounts for departed employees would fall under that and if a Project features information on departed employees, projects themselves would apply as well. So, as a non-deleter, my questions are: Is there anything "bad" that happens when you delete a user's account? What impact does deleting a user's account have on project time sheets, tasks, etc? If a user is listed in a field, like for example Project Sponsor or Primary Contact, what happens to that field after they are deleted? Does it retain their name or leave it blank? What happens if you delete a project that has been closed for years and has thousands of hours recorded to it? Any unforeseen consequences I should know about? Does anyone do anything to get around deleting user accounts? Like go in and put in fake names and alter the other data to make it unrecognizable? Jason Maust McGuireWoods LLP
3 Replies

Avatar

Level 3
I'm interested in the feedback you get around this as well. When we implemented WF, we were pretty strictly told that we should never delete users. After a quick search on the help site, I found this:

Avatar

Level 4
I had the same thought about leaving everything but e-mail. My hesitance is that my e-mail, which starts 'jmaust' is in itself fairly identifiable. And e-mail address is a data element specifically called out by GDPR. I don't know if it matters that the e-mail is no longer valid. Jason Maust McGuireWoods LLP

Avatar

Community Advisor
Now THIS sounds like a job for FUSION ! (Ahhh: so nice to at last be able to use that word in public!) I sense the need for the " Apply GDPR Compliance " Fusion flo, which, when run on demand for a recently departed Workfront User, will Do The Right Thing in Workfront. @Melinda Layten , may I offer you first dibs? Regards, Doug Doug Den Hoed - AtAppStore Got Skills? Lend a hand! https://community.workfront.com/participate/unanswered-threads