How to Completely Remove PII in order to comply with GDPR?

Josh W ✭✭✭✭
edited 03/08/24 in Smartsheet Basics

Hi, I have a use case that is leading to some larger questions about how Smartsheet manages PII.

In this application, we offer users a form to enter their information (name, address, email, etc.) into a secure sheet for our limited use. This is all relatively easy, clean (and secure).

However, it gets tricky to comply with the requirements when a user requests that their PII be removed from our system. I have built some automations that clear the cells, but:

  • The row cannot be automatically deleted, so Cell History still retains the PII
  • Moving the row to a 'delete' sheet has more or less the same problem
  • In either case the row would have to be manually deleted at some frequency as a work-around

The other (even bigger) problem is the Activity Log. Is there any way at all to clear the log? We certainly are not 'allowed' to have PII data sitting in the log for all time, even if it is somewhat difficult to get to.

Please let me know if I am missing a trick, or if this is already being addressed somewhere else?

Thanks!

Answers

  • Genevieve P. Employee Admin

    Hi @Josh W

    Smartsheet publishes our privacy practices online at https://www.smartsheet.com/privacy. Here is a link to an FAQ on GDPR: https://www.smartsheet.com/legal/privacy-faqs#GDPR

    If the information online does not answer your questions, you can contact the Privacy team at the bottom of this page:

    Cheers,

    Genevieve

  • Josh W ✭✭✭✭

    Thanks Genevieve, unfortunately this info is primarily about how Smartsheet manages my, and other customers', PII. It does not (directly at least) cover information provided to my organization by our customers.

    I have sent in a ticket & was referred to the privacy team, but they only sent a canned response that does not actually address the fact that it is not ok to have customers' PII sitting in the Activity Log for all time. Disappointing, let's see if they come back with more.

    By the way, their only suggestion was to copy the sheet to get a fresh activity log, delete the old one, then apparently spend a day rebuilding reports, WorkApps, Dynamic Views from the new sheet. Not good, to say the least.

    I don't really understand the casual nature of the approach here; this is essentially making every Smartsheet user that collects PII for any reason non-compliant with GDPR unless they use the 'delete the entire sheet' approach any time a single individual requests that their info be removed. This is a big deal & needs attention.

    Thanks!