Hi all, here comes a question related to GDPR, Personally Identifiable Information (PII) and Analytics.
When publishing an App (3LO in our case, similar to other App types I guess), Atlassian asks:
App stores personal data?
Select “Yes” if you copy and store personal data associated with user references (e.g. AccountID) in your own systems or if you cache data for longer than 24 hours.
So far our App only stores the Atlassian Account ID of the user and gets other details like email address on-the-fly, which I believe means we can answer No here. However, I’m not sure, since the accountId is considered Personally Identifiable Information, right?
Second, we are setting up an analytics system and think about using the accountId to store certain user events (specific actions like ‘page created’, ‘feature x used’). Do we need to obfuscate the accountID in such records? If yes, would a simple hash of the AccountID be an identifier we can use without GDPR considerations?
Thanks for your thoughts on this!
Lukas
Tagging some people I’ve seen are knowledgeable during my research: @ldellatorre @remie @akassab