pwned This isn't the big deal it appears to be.
GDPR Article 6 requires you to define your lawfulness of processing; if you have gained consent then you have lawfulness. If you're using it for a business need then you could rely on legitimate business, but that's the thin end of processing and not meant to be a catch-all to ignore complying with the other requirements.
You will have already complied with Article 30 and have described your use there.
We're only using osTicket internally, so informing the staff that their details are in the system was as far as we needed to go. We rely on previous permissions to process their information on systems we administer directly.
First off, just to be squeaky clean, you should do a DPIA under Article 35, which will identify the concerns, and from there plug the holes you find.
The thing we identified was passwords, in that they could be brute-forced if the database was lost, which in turn means that if a user used the same password on another of our systems as they did on osTicket then access to both could be gained. Very slim chance, I know. Our fix for this was LDAP and centrally administering the passwords.
Don't forget to do backups, security of processing, Article 32.