Checklist: Inventory data protection
Does your company want to use Atlassian Cloud in the future and are you asking yourself: "What do we have to consider when it comes to data protection?" Then we have something for you: a checklist to help you be well-prepared for an initial meeting with your Data Protection Officer (DPO). This checklist acts as a reference framework to identify your data protection needs going forward.
What personal data will you store or use in Atlassian Cloud?
Describe all the data that could be associated with your Atlassian Cloud.
Examples of typical personal data in companies:
- Email address
- Key identifying a person (e.g. personnel number, customer number)
Examples of personal data requiring specialized protection:
- Contracts or contract data
- Salary data
- IT usage data or log files (with IP addresses, if applicable)
Where does this data originate from?
Based on the previous question, which group of individuals does the data belong to?
Examples of different group types are:
- IT users (including external)
- Service providers
What is the purpose of storing or using the data?
According to the law, when companies process personal data, it must always be for a defined and legitimate purpose. For this reason, retaining data without such a purpose is generally not permitted. From a data protection perspective, the first step is therefore to understand the purpose of the respective data and how your company uses it.
This is particularly important if your company plans to process and store any personal data from customers in the Atlassian Cloud. You may have customer contracts that restrict or exclude the use of the Cloud infrastructure.
Furthermore, you should describe exactly what will happen to the data once it is in the Atlassian Cloud.
Who is involved (employees, company)?
Apart from your company employees, who is involved in the implementation and future operation of your Cloud project? The use of Cloud products or a migration to the Cloud often requires further support from specialised service providers. If they come into contact with your company data, additional contractual agreements on data protection are often required.
Is your company part of a group of companies and are employees of the subsidiary, sister or parent company involved? Or do you yourself work for a subsidiary that is implementing this Cloud project as an IT service for other companies in your corporate group? This information is also relevant for data protection.
Who is involved (IT systems, interfaces)?
Which IT systems are connected to the Atlassian Cloud via interfaces - for example, to provide a single sign-on or to automate processes? In this case, a system/interface overview or a data flow diagram can contribute to a better understanding.
Our data protection expert Thomas Rosin
The content for this whitepaper was created in collaboration with our data protection expert, Thomas Rosin.
Thomas Rosin specializes in data and information protection. In addition to his work as a data protection officer and consultant for numerous companies, he teaches data protection in the Master's program in information systems at the RFH University of Applied Science in Cologne.