Make compliancy ready (GDPR, et al) before Go to market #754

@pettersh

TLDR

I don't know of any specific issues at the moment, but wanted to start this discussion to make sure we have thought about "everything" we need to think about when it comes to compliance, specifically with GDPR in mind.

Discussion

Here are some bullet points that should be checked off/out before we go live:

  • What personal information is stored? (name, hours, customers, projects)
  • What information is synced from Azure AD? Can this be tailored per customer/tenant?
  • Do we ask for more information than needed, and can users opt in or opt out?
  • Do we have processes and support in place for handling subject requests and deletion requests?
  • Do we have agreements in place with third parties, like Microsoft for the tech platform (Azure storage in particular)?
  • Do we have least privilege security in place and internal admin roles, restricting access to customer/user data?
  • Do we support data storage on Norwegian soil?
  • Do we have user friendly and/or comprehensive Terms of Usage and Privacy descriptions in place, and are they available for end users and customers before they opt in and subscribe? For instance, inform users how they can have personal appointments in their calendars excluded from DID, and how they can retract information if they make a mistake (private and ignored(?) appointments).
  • Do we support an exit strategy for customers, like export tenant data and delete tenant data?

Subject Access Requests (SAR)

https://cybersmart.co.uk/blog/6-steps-to-deal-with-a-gdpr-subject-access-request-sar/#:~:text=A%20Subject%20Access%20Request%20(SAR,right%20of%20access%20to%20information

  • How can users request access to what we have stored about them?
  • Are we able to respond within reasonable time?
  • Do we have efficient ways to extract and share the information with the user?
  • Do we store information that should be deletable upon request?
  • If yes to the question above, how do we delete user information and at the same time support the customer's need for the information? Can information be anonymized upon request? I assume we have legal grounds for not deleting time entries in general, but maybe we need support for removing time entries for a user for a requested period, project, customer, etc., or maybe rewrite/anonymize something.
