I'm a proud user of osTicket and I'm excited and can't wait for v1.11.0 rc2 to be released.
I've tested v1.11.0 rc1 and it meets my requirements on the Admin side, but I'm worried because I couldn't find how the GDPR crap is handled so far; my company wants to explain how it would be on the client side, and it requires programming knowledge to remake it and be compliant with this crap.
Can one of the developers explain whether they plan to implement some GDPR methods and how this crap would be handled?
I know that this doesn't depend only on the developers, but I want to know whether there is any documentation or explanation on this.

Kind regards

    I'll ask one of the devs to post a response to this.

    5 days later

    pwned: This isn't the big deal it appears to be.

    GDPR Article 6 requires you to define your lawfulness of processing; if you have gained consent, then you have lawfulness. If you're using it for a business need, then you could rely on legitimate business, but that's the thin end of processing and not meant to be a catch-all to ignore complying with the other requirements.
    You will have already complied with Article 30 and have described your use there.

    We're only using osTicket internally, so informing the staff that their details are in the system was as far as we needed to go. We rely on previous permissions to process their information on systems we administer directly.

    First off, just to be squeaky clean, you should do a DPIA under Article 35, which will identify the concerns, and from there plug the holes you find.

    The thing we identified was passwords, in that they could be brute-forced if the database was lost, which in turn means that if a user used the same password on another of our systems as they did on osTicket, then access to both could be gained. Very slim chance, I know. Our fix for this was LDAP and centrally administering the passwords.

    Don't forget to do backups; security of processing, Article 32.
