How to Completely Remove PII in order to comply with GDPR?
Hi, I have a use case that is leading to some larger questions about how Smartsheet manages PII.
In this application, we offer users a form to enter their information (name, address, email etc.) into a secure sheet for our limited use. This is all relatively easy, clean (and secure).
However, it gets tricky to comply with the requirements when a user requests that their PII be removed from our system. I have built some automations that clear the cells, but:
- The row cannot be automatically deleted so Cell History still retains the PII
- Moving the row to a 'delete' sheet has more or less the same problem
- In either case the row would have to be manually deleted at some frequency as a work-around
The other (even bigger) problem is the Activity Log. Is there any way at all to clear the log? We certainly are not 'allowed' to have PII data sitting in the log for all time, even if it is somewhat difficult to get to.
Please let me know if I am missing a trick, or if this is already being addressed somewhere else?
Thanks!
Answers
-
Hi @Josh W
Smartsheet publishes our privacy practices online at https://www.smartsheet.com/privacy. Here is a link to an FAQ on GDPR: https://www.smartsheet.com/legal/privacy-faqs#GDPR
If the information online does not answer your questions, you can contact the Privacy team at the bottom of this page:
Cheers,
Genevieve
Need more help? 👀 | Help and Learning Center
こんにちは (Konnichiwa), Hallo, Hola, Bonjour, Olá, Ciao! 👋 | Global Discussions
-
Thanks Genevieve, unfortunately this info is primarily about how Smartsheets manages my, and other customers', PII. It does not (directly at least), cover information provided to my organization by our customers.
I have sent in a ticket & was referred to the privacy team, but they only sent a canned response that does not actually address the fact that it is not ok to have customer's PII sitting in the Activity Log for all time. Disappointing, let's see if they come back with more.
By the way, their only suggestion was to copy the sheet to get a fresh activity log, delete the old one, then apparently spend a day rebuilding reports, WorkApps, Dynamic Views from the new sheet. Not good, to say the least.
I don't really understand the casual nature of the approach here, this is essentially making Every Smartsheet user that collects PII for any reason to be non-compliant with GDPR unless they use the 'delete the entire sheet' approach any time a single individual requests that their info be removed. This is a big deal & needs attention.
Thanks!
Categories
- All Categories
- 14 Welcome to the Community
- Smartsheet Customer Resources
- 64K Get Help
- 410 Global Discussions
- 220 Industry Talk
- 459 Announcements
- 4.8K Ideas & Feature Requests
- 143 Brandfolder
- 137 Just for fun
- 57 Community Job Board
- 459 Show & Tell
- 31 Member Spotlight
- 1 SmartStories
- 298 Events
- 37 Webinars
- 7.3K Forum Archives
