Staying GDPR compliant with Zendesk
Last updated September 21, 2021
Well, it’s finally here. Enforcement of the European Union’s new GDPR directive has officially commenced. User privacy in the internet age is an incredibly important topic that isn’t going away any time soon. At Zendesk, we’re committed to delivering products that are at the forefront of protecting our customers’ and users’ data.
The GDPR represents the most sweeping changes to data privacy regulations in a decade, affecting any company worldwide that does business in the EU. At Zendesk, we’ve been preparing for this day for a long time.
What’s Zendesk doing to keep me compliant with GDPR?
Under the definitions of the GDPR, Zendesk is a “data processor” with regard to the personal data in our customers’ accounts transmitted by end users and agents (“data subjects”) of our customers (“data controllers”). For most of our customers, Zendesk is one of the primary suppliers with access to the personal data of their end users. We realize the impact our GDPR compliance has on our customers, and we have worked to make staying in compliance with Zendesk as seamless as possible.
Zendesk started working 18 months ago to meet the GDPR specification. We’ve focused on the five main pillars of GDPR compliance:
- The access obligation
- The correction obligation
- The erasure obligation
- The data portability obligation
- The objection obligation
Meeting your GDPR obligations
We’ve documented our product functionality in great detail in this help center article, which is an in-depth guide to how our product functionality helps our customers meet their GDPR obligations.
Zendesk allows our customers to identify and search for users and take action on that user’s account in a number of ways:
- View: view end user profile, activity, and tickets
- Export: print / screenshot / export user info
- Edit: edit any user profile fields via UI or API
- Redact: Customer can manually change info (e.g. “Name: Deleted User”), or redact info in tickets
- Delete: Customer can permanently delete tickets, Chat history, and user profiles
Right to be forgotten
Perhaps most central to the GDPR is a user’s “right to be forgotten”, meaning an erasure of all personal information associated with a given user. In order to meet this obligation, the “delete” functionality was an area of improvement for Zendesk. Note: the permanent delete operations described here are NOT reversible (which is why they are called “permanent”!). In preparation for the GDPR, Zendesk has released two major improvements to our product functionality:
- Permanent Ticket deletion: released last year, Zendesk allows our customers to perform two levels of ticket delete. First, tickets are moved to a trash can, where they are automatically held for 30 days before being permanently deleted. Tickets can also be permanently deleted manually at any time. Note: some non-personal information remains about the ticket (ticket ID #, status, channel source, date created, etc.) in order to maintain the integrity of reporting in Zendesk.
- Permanent User deletion: we’ve recently released a major update to our user delete functionality. Users can now be permanently deleted via our UI or API, which deletes the user profile completely from Zendesk. This also triggers a delete throughout the Zendesk family of products: comments on Guide articles, Talk voicemails, backend logging tools, etc. More information can be found in this help center article.
Building custom experiences
At Zendesk, our developer platform is pivotal to helping our customers tailor their customer support solutions to their own particular use cases or embedding customer experiences natively into their existing products. We believe there should be “an API for everything” for what we build, and the GDPR-related functionality is no exception. We’ve worked with customers using our API to deliver innovative GDPR experiences for their specific use cases. One customer built a custom app that allows agents to bulk-delete tickets and users in a way that works better with their workflows. Another has integrated Zendesk user data deletion natively into their product, allowing their customers to click a “delete my account” button which triggers data deletion from Zendesk and various other internal systems. We’re always fascinated by what customers can build on top of the Zendesk platform.
While Zendesk is confident that we have delivered the tools to allow our customers to meet their obligations under the GDPR, we realize that May 25th is not the end of the journey. Our products are used by 125,000+ customers because they are easy to use and beautifully simple.