This document outlines the functionality in the Awesome Support Help Desk plugin that will help you meet your GDPR and similar consent and privacy-related obligations around the globe.
However, nothing in this document should be construed as legal advice. Instead, it is intended to be used as one source of input when discussing your GDPR obligations with your legal adviser.
The Awesome Support WordPress Help Desk Plugin collects and stores personally identifiable information in order to help you to provide your customers with the help they require. Data is collected:
If you choose to register your users using the Awesome Support Registration Screens, then you can configure a mandatory checkbox for the user to accept your privacy policy and terms and conditions. You also have the option to configure up to three additional checkboxes to collect additional specific consent for items related to your business. Any of these three checkboxes can be made mandatory or optional.
The date of the user registration in the WordPress user profile will be the date that consent was given. Or, if one of the GDPR/Privacy checkboxes is enabled then the date of consent will be logged in the user profile screen.
One of the “best practices” for complying with the GDPR and related Privacy regulations is letting users know the reason that data is being collected at the time it is being requested. You can add such information for each of the fields being requested on the Awesome Support Registration screen.
In the event that a user needs to remove consent for a particular item there are a number of ways they can go about doing that:
For options 3 and 3, there is nothing that Awesome Support can do to automate that process since the specific steps that need to be taken to satisfy this request will vary with each business.
If a user wishes to submit a request for data to be deleted, there are a few options that you can provide to them:
If a user wishes to submit a request to view the data that you hold on them, they can open a support ticket asking for such. You should have processes in place to handle this situation. There is no automated way that Awesome Support can handle this request.
If WordPress 4.9.6 or later is installed, the admin can use the TOOLS->EXPORT PERSONAL DATA toolset to export data for the user.
Additionally, if the user only wants access to their Awesome Support data they can use the EXPORT option under the PRIVACY button (if the admin has enabled the PRIVACY button).
Data will automatically be encrypted IF your MySQL server has encryption turned on. Attachments stored on your server will also be automatically encrypted IF your server has turned on file system encryption. Attachments sent to FILESTACK using the FILESTACK add-on will be processed according to the FILESTACK terms and conditions, which you should review as part of your GDPR process if you use the add-on.
The Private Credentials add-on will allow your users to store any sensitive data they share with you with an additional level of encryption. The data will automatically be deleted when the ticket is closed. Please be aware that there is no guarantee that a user will use this area to store their credentials – they can still decide to send sensitive information via a regular ticket reply!
The PINS add-on will allow you to verify users who call in and who request help via chat.
One of the GDPR principles is to limit the amount of data you keep, retaining it for longer than is reasonable only when you have a bona fide legal or operational reason to do so. You can easily delete closed tickets using the DELETE option from the MAIN TICKET screen. In your annual review of what data should be retained you should probably include your support tickets as a data source.
Additionally, you can edit ticket replies to remove any sensitive data that users or agents might have contributed on the ticket. You should encourage your users to send you requests to remove sensitive data they may have inadvertently provided via tickets.
Finally, your agents should be trained to review tickets for sensitive information just before closing them – this way they can edit the tickets to remove that information immediately instead of waiting to review potentially hundreds or thousands of tickets later.
One of the tenets of GDPR is that data should be portable between systems. By installing the Awesome Support REST API you can provide your users access to their tickets from any other system that can access data via REST. Not all data in Awesome Support is accessible via this API but the most important TICKET and REPLIES information is available. Note that this alone is likely NOT enough for you to comply with the GDPR requirements – you might be obligated to build out tools to actually provide the data in a more user-convenient format such as XML.
Users can also export their Ticket data using the EXPORT option available under the PRIVACY button in their Awesome Support dashboard. And, if WordPress 4.9.6 or later is installed, the admin can use the TOOLS->EXPORT PERSONAL DATA toolset to export data for the user.
You can control whether agents can delete or edit their own replies on a ticket. Additionally, you can control which roles can delete or edit any reply on a ticket. This can help scrub tickets of sensitive information such as credit-card information or user ids and passwords that may have been submitted by the user.
07-02-2018: Added update for additional tools that will be available in version 5.2 of Awesome Support
04-25-2018: Added update for additional tools that will be available in version 5.2 of Awesome Support
04-23-2018: Initial Version