Hi,
I just noticed that everyone on the Jira Cloud instance can see all customers from the JSD when using a standard issue search.
How to reproduce it:
1. Go to https://YOURJIRA.atlassian.net/issues
2. Click Assignee
3. Type something
4. See customers from JSD, even if you do not have access to JSD projects.
Atlassian security officers, any thoughts?
Hi Jakub,
I'm one of our support managers. One of my remits is our privacy and legal support. I am also in charge of our community support, as chance would have it. I've been discussing your reported issue internally to make sure I get a good response. Sorry for the delay. Now that we're past the holidays I'm ready for a reply.
You're correct, both in your technical assessment of what's happening and in your conclusion that it's not guaranteeing privacy the way one would expect. Our product team responsible for this has confirmed we are in progress on a fix for the issue. We intend to change the drop-down behavior to remove usernames. Once usernames are removed here, it should only show the display name. Sorry to have had a back and forth with you on confirming your original report.
We really do take privacy seriously; it's just that tracking down all the areas where we need to improve can be tricky, and in this case we really needed your report. In fact we needed to go back and forth internally just to ensure we could indeed reproduce it.
If you need anything specific for your instance, I'm watching your support ticket as well.
Jeremy Largman
Atlassian Support
Hi Jeremy,
Thank you for getting back on this.
I do not understand what exactly you mean by removing usernames from the drop-down and showing only the display name.
The issue is not related to what exactly is shown in the drop-down, but to the fact that all users from the Jira instance can get information about all customers from JSD. It doesn't matter if they can see only email or username.
The expected fix is to disallow that completely, i.e. only users with access to JSD should be able to access customers.
Please remember that not only the drop-down on the search form is affected, but also the REST API and thus other places.
Regards,
Jakub.
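As an added example (not code from this thread or from Atlassian), here is a read-only audit a Jira admin could run under an account that has no JSD project access, to see whether customer accounts come back from the user-search REST endpoint Jakub mentions and which personal-data fields they carry. The endpoint path, the `accountType` value `customer` and the field names are assumptions based on the Jira Cloud REST API and should be confirmed against your instance; the sample response is constructed.

```python
import json
import urllib.parse
import urllib.request
from base64 import b64encode

# Constructed sample of a Jira Cloud user-search response as seen by a caller who has
# no access to any Jira Service Desk project. Field names (accountId, accountType,
# displayName, emailAddress) are assumed from the Jira Cloud REST API; the accountId
# values are made up for this example.
SAMPLE_USER_SEARCH_RESPONSE = json.dumps([
    {"accountId": "constructed-staff-1", "accountType": "atlassian",
     "displayName": "Staff Member", "emailAddress": "staff@example.com"},
    {"accountId": "constructed-customer-1", "accountType": "customer",
     "displayName": "Portal Customer One", "emailAddress": "customer1@example.org"},
    {"accountId": "constructed-customer-2", "accountType": "customer",
     "displayName": "Portal Customer Two"},
])

# Fields beyond the display name that count as personal data in the thread's terms.
PII_FIELDS = ("emailAddress", "avatarUrls")


def fetch_user_search(base_url, login_email, api_token, query):
    """Run GET /rest/api/3/user/search as the given (non-JSD) user; returns raw JSON text."""
    token = b64encode(f"{login_email}:{api_token}".encode()).decode()
    url = f"{base_url}/rest/api/3/user/search?query={urllib.parse.quote(query)}"
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def find_exposed_customers(raw_json):
    """Return the customer accounts visible to the caller and which PII fields each exposes."""
    findings = []
    for user in json.loads(raw_json):
        if user.get("accountType") != "customer":
            continue  # staff and app accounts being visible is expected
        exposed = [field for field in PII_FIELDS if user.get(field)]
        findings.append({"accountId": user["accountId"],
                         "displayName": user.get("displayName", ""),
                         "exposed_pii": exposed})
    return findings


def summarize(findings):
    """Counts a reviewer wants: customers visible at all, and customers whose email is visible."""
    return {"customers_visible": len(findings),
            "customers_with_email": sum("emailAddress" in f["exposed_pii"] for f in findings)}
```

Any non-zero `customers_visible` under a non-JSD account reproduces the exposure described in the thread; `customers_with_email` separates the email leak Jakub reports from the display-name-only case discussed later.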
Hi Jakub,
The GDPR piece is around PII (Personally identifiable information); it felt like that was your main concern. Display names are a different category than email addresses, avatars, or other PII, which is why I was keyed in on that distinction. That's particularly true on public sites like this one, but indeed applies to internal Jira instances as well.
It's true that most people choose to make display names personalized (i.e. it's generally their real name, especially inside companies where that's their work), but the distinction from a legal perspective is still valid: the display name is different from personal data.
For example, you can choose to make a burner-account type display name here on Community or you can choose your actual name; in either case, it'd be a serious violation if we could click on your user account and see your email address, but it's not a violation if we see your actual name that you've chosen to display. If you choose to include a real picture of yourself, you should also be able to control removing it.
I think what you're after is more of a feature request around permissions control for fine-grained control around user pickers, but if I'm understanding this correctly it's not a GDPR non-compliance issue.
I can go back to our legal team for specifics if you think I'm misunderstanding? Also I will raise it as a feature request, but let's at least make sure we're seeing this the same way and I'll try to chase it up.
There is some misunderstanding between us, because in my case all people from the Jira instance can see all customers' EMAILS.
It is your decision if you do something with it or not.
Since no one wants to answer here, I also created a support ticket.
The first answer from Atlassian is that this is the expected result!
The situation that all employees have access to all customers' emails, and nothing can be done about that, is expected?
What about https://www.atlassian.com/trust
We are committed to protecting the privacy of your data and your customers' data, and preventing it from unauthorized access with industry best-practices such as GDPR and Privacy Shield.
Is the above a joke?
@Erika Fisher you wrote in your blog "Our developers really care about our customers, and they come up with way better solutions than the law requires." Are you sure these words are still valid?