GDPR & Helix Plan: 4 Best Practices for Compliance
In this blog post, we’ll cover best practices for GDPR compliance for current Helix Plan (formerly Hansoft) customers. First, let's begin with some background...
Background on GDPR
GDPR is the General Data Protection Regulation, an EU regulation on data protection and privacy for individuals within the European Union (EU). The GDPR regulates how companies use personal data collected from individuals. Under the GDPR, personal information is any information that makes it possible to identify a person, such as a name, telephone number, email address, social security number, or web data such as an IP address. The GDPR also covers how you may export personal data from the EU. There are also cases where you may, or must, keep the information: for example, when there is a legitimate business interest, when it is needed to fulfill a contract, or when laws and regulations require you to retain it.
How Does GDPR Affect Helix Plan?
To understand how GDPR affects Helix Plan, we must consider the question, “What information in Helix Plan can identify a person directly?” Items in Helix Plan are all work items — activities related to project delivery and product improvements. They contain minimal personal information. If, however, you store personal data as a part of your product delivery, then you need to address GDPR.
Also, keep in mind that Helix Plan user accounts typically carry the person's name and e-mail address, so it is likely that there is information in the system that must be considered for compliance.
1. Store Your Data Securely
As a first step, identify where your Helix Plan database is located. Your Helix Plan database is the central repository for all Helix Plan-related information, including information that could identify an individual. We recommend reviewing who has access to the actual disk where the database is stored and how that disk is secured (file permissions, disk encryption, and so on). Include database backups in that review: a backup contains the same personal data as the live database, and a user you later delete from Helix Plan still exists in every backup taken before the deletion, so your access and retention policies must cover backups as well.
But the best practice? Keep your Helix Plan database on premises. That way, no information is sent from your database to the outside world. The one exception is the optional connection to the central Helix Plan license server, which delivers license keys automatically but exchanges no personal information. You can turn this connection off as the Server Administrator.
2. Establish a Strategy
Your organization is an ever-changing organism. That is probably one of the reasons you’re using Helix Plan today — to manage rapid changes in projects, processes, and the structure of your company.
For most companies, the only constant is change, so you will want to have a Helix Plan strategy that addresses those changes. From a GDPR perspective, the two major things to consider are:
- Your strategy for completed projects.
- How you will handle the situation when, for example, someone leaves the organization.
Also, you will need to establish a policy regarding what information you retain (and for how long). We’ll cover how to do that in the next section.
3. Remove Outdated Information
Under the GDPR, companies are not permitted to retain personal data longer than is needed for the purpose it was collected for, unless continued retention is necessary to:
- Fulfill the purposes for which it was collected.
- Comply with applicable laws or regulations.
- Resolve disputes and enforce agreements.
As a Server Administrator in Helix Plan, here are some steps you can take to remove outdated user information, project history, and log files, and maintain compliance with the GDPR.
Delete Outdated User Information
In Helix Plan, personal information is stored in the list of users. It is recommended that you have a written policy (or process) that states how long you keep the personal information of individuals who are no longer with the organization. Once that policy is in place, follow its timelines when deleting users. To delete a Helix Plan user, go to the Admin tab of Helix Plan.
When deleting a user in Helix Plan, you have two options:
- Delete user accounts but save assignments and history.
- Delete user accounts completely.
From a GDPR-compliance perspective, it is important to note that if you choose the first option, the person's name remains in Helix Plan on the saved assignments and history entries, as shown in the image below.
So, for GDPR, you are better off deleting the account completely, accepting that you lose traceability of exactly who completed some tasks in Helix Plan. In the change history, those entries will show that '(Deleted user)' completed the task.
Remove Outdated Project History
The project history feature in Helix Plan stores old versions of your plan so you can compare it with current versions. The project history includes who was assigned to tasks (with their names) and when the task was in a specific state (blocked or complete, for example).
Users who have access to the project history can open it from the Planning view under More > Project History. Note the auto-save option there, which automatically saves a version of the project history for you, so the amount of stored history grows on its own over time.
The project history is stored in a separate folder in the database. If, for any reason, you need to delete the project history completely, delete the folders on disk under Database > ProjectHistory > [id] > Project history file. As with any change made directly on the database's disk, take a backup first and do it while the server is stopped, so that you do not remove a file the server still has open.
Using your favorite tool to browse these folders, you can focus on removing those that are, for example, older than 2 years (or however long your policy allows you to store the information).
Remove Outdated Log files
Each Helix Plan server keeps several log files of activity on the server. Note that the .debug.log file records when users (identified by user name) logged in and out of the system, so the logs themselves contain personal data. It is safe to delete the log files completely. Apply the same retention period to them as to the rest of your data, but check first whether one of the retention grounds listed above (a legal obligation or an ongoing dispute, for example) requires you to keep a particular period of logs.
The log files are typically found in the directory where you have installed the server, in the folders Log and Log_Localized.
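Both the project-history folders and the log folders above are cleaned up the same way: remove files older than your written retention period. The following POSIX shell script is an added example, not a tool shipped with Helix Plan or written by Perforce. It assumes (these are assumptions, not facts from the post) that each saved version or log is a separate file whose modification time reflects its age, and that the retention period is expressed in days. Run it with the server stopped and after a backup; list first, purge only when the list looks right.

```bash
#!/bin/sh
# Retention sweep for Helix Plan project-history and log folders.
# Added example; not part of Helix Plan. Assumes one file per saved
# version/log and that file mtime reflects the file's age.

# list_expired ROOT DAYS
# Print (one per line, sorted) every regular file under ROOT whose last
# modification is more than DAYS*24h ago. This is the dry run: nothing
# is deleted. 730 days is the "older than 2 years" example in the post.
list_expired() {
    root="$1"
    days="$2"
    find "$root" -type f -mtime "+$days" -print | sort
}

# purge_expired ROOT DAYS LOGFILE
# Delete the files list_expired would report and append a line per
# removed file to LOGFILE. The record holds only timestamps and paths,
# no personal data, so it can itself be kept as evidence of the sweep.
purge_expired() {
    root="$1"
    days="$2"
    log="$3"
    list_expired "$root" "$days" | while IFS= read -r f; do
        printf '%s removed %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" >> "$log"
        rm -f -- "$f"
    done
}

# Usage (paths are assumed, adjust to your installation):
#   list_expired  /opt/helixplan/Database/ProjectHistory 730
#   purge_expired /opt/helixplan/Database/ProjectHistory 730 /var/log/helixplan-retention.log
#   list_expired  /opt/helixplan/Log 730
#   list_expired  /opt/helixplan/Log_Localized 730
```

Keeping the listing and the deletion as separate functions lets you attach the dry-run output to your retention record before anything is removed, and the same two functions serve the ProjectHistory, Log, and Log_Localized folders with different retention values if your policy treats them differently.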
How to Locate Old Items
Helix Plan has a powerful reporting and search system that lets you search all the items you have access to, so you can find items you may want to remove.
For example, you can use the criterion Last Updated On as the query in the Find window or a report: Lastupdatedon <= 2016-05-28
Note that, if you’re creating a report for this, you might have to turn on the Advanced mode to find this criterion (see image below).
4. Restrict Access to Personal Information
Under the GDPR, companies are required to have appropriate access policies in place. This includes, but is not limited to, having a policy outlining those persons in the organization that need to have access to such personal information. With appropriate access policies in place, you’ll reduce the risk of compromising the confidentiality of personal information being stored.
With Helix Plan, you can restrict access to information by simply ticking a box. In the Project administrator view, you can control who has access to the project history. Restricting access limits who can read the names stored there; it does not remove them, so the retention steps in the previous section still apply.
Bringing It All Together
The GDPR brings new rules on what personal information a company may keep on record and for how long. For organizations managing projects and products in Helix Plan, adapting to GDPR comes down to storing data securely, removing outdated information, and restricting user access to certain information. Before you do that, though, put together a standard policy (or process) for handling change, so that the deletion and access decisions above follow a written rule rather than ad-hoc judgment.
Have Questions? Contact our friendly Support Team.