Addressing GDPR data privacy requests

The FootPrints product provides capabilities that help administrators address the personal data protection and privacy requirements associated with the General Data Protection Regulation (GDPR). The GDPR is a set of rules and principles governing the handling of personal data of individuals located in the European Union (EU).

Note

This BMC document provides general information about the General Data Protection Regulation (GDPR) and GDPR key requirements. It is not intended to provide any legal advice. The GDPR can be found at https://ec.europa.eu/info/law/law-topic/data-protection_en. Under this new Regulation, any organization handling personal data of European Union residents, regardless of its location, needs to understand which GDPR requirements apply to its organization and accordingly devise a plan for adjusting its systems and processes and for educating its people. Although BMC is not in the business of data privacy compliance software, some of the features of the FootPrints product can help customers meet some requirements of the GDPR. For more information about how BMC solutions can help achieve the requirements of the GDPR, see https://www.bmc.com/it-solutions/gdpr-compliance.html.

To comply with the GDPR requirements, you might need to perform the following actions:

Locating personal data

Perform the following steps to locate a customer's personal data:

Create a unique customer identifier that you can use to search for their personal data. We recommend that you use their email address or userID.
Perform a quick search of the address books for all contact records associated with the customer by using the unique identifier. For more information, see Searching-in-FootPrints.
If you don't have a unique identifier, perform a manual search of each contact record.
Perform a quick search for all tickets associated with the customer, by using the unique identifier or the following information:

- Name
- Phone number
- Organization
For more information, see Searching-in-FootPrints.
If you don't have a unique identifier or other the other information about the customer, perform a manual search of each ticket.

After you have located the customer's personal data, you can export it as follows:

Create a saved search based on the quick search results.
From Service Analytics, build a report and export it in XLSX or PDF format. For more information, see Configuring-reports.

To check if you hold a customer log-in credential for FootPrints, navigate to Administration > Users, and use the unique identifier in the User name or Name columns to filter the list.

Deleting and purging personal data

After locating a customer's personal data in contact records and tickets, you can delete them from the application as follows:

In the Number of Records per page field at the bottom of the search grid, enter the number of records. You can delete up to 500 records at one time.
Press the Ctrl or Shift key to select the records to delete.
Click Delete.

Deleting records from the application prevents anyone viewing them, but they are still available in the database. To purge deleted records from the database, ask your database administrator to remove the ticket and contact rows.

To learn about the FootPrints database schema, see Planning.

For more information, contact BMC Support.

Anonymizing personal data

To delete only personal data but not the tickets that contain personal data, you can remove personal data or replace it with generic information by performing one of the following procedures:

After locating the tickets associated with a customer, manually remove the data or replace it with generic information.
Perform the following steps:

Make a note of the fields that contain the personal data.
Contact your database administrator.
Find all personal data in the tickets and replace it with generic information. You can use the following SQL scripts to perform this operation across the FootPrints database:

If there is a user account associated with the customer in the system, replace the account name with a generic name and then delete the account. The customer's actions still appear in the ticket history, but the account appears as a deleted account with a generic account name (for example, Anonymous User).