Skip to content

Update to Personal Data Section of Orange data classification

Eugene McCrann requested to merge emccrann-master-patch-57723 into master

Why is this change being made?

Privacy would like to add more detail to the Personal Data bullet under the Orange data classification. Privacy has encountered situations where it's believed that only a little Personal Data or Personal Data being compiled from public sources renders the classification level below Orange. However, any Personal Data being processed should set the classification at Orange due to strict data privacy laws, some of which don't carve out an exemption for Personal Data processed from public sources.

Situations where GitLab or a third-party are collating impressions in a database from social media profiles or creating contact lists from public LinkedIn profiles would fall under the purview of GDPR and other data privacy laws, particularly since we don't know if such profiles remain public indefinitely.

I have discussed these clarifications with Security Assurance in Slack. One example of where this clarification would improve our processes is in Coupa. Currently, we link to the Data Classification Levels in Coupa where requestors are asked questions predicated on choosing the proper data classification level. This MR makes the Personal Data bullet of the Orange classification more clear so that there is less ambiguity as to when Security/Privacy reviews are needed for third-parties processing data for GitLab.

Author Checklist

  • Provided a concise title for the MR
  • Added a description to this MR explaining the reasons for the proposed change, per say-why-not-just-what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this change to the correct DRI(s)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the "Maintained by" section in on the page being edited.
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies.
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR.
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Eugene McCrann

Merge request reports