GDPR Design Guide

This guide provides Appian designers and administrators with the essential technical information they need to consider with respect to personal information managed by Appian applications and stored on the Appian platform itself, as part of their broader GDPR compliance strategy.

Data Storage in Appian

Appian applications typically display and manipulate data from many different sources within the enterprise stack, such as relational databases, cloud services, self-managed legacy systems, etc. The Appian platform itself stores process data, user account information, unstructured data in the news feed and documents, and more.

The design of a successful GDPR compliance strategy starts with laying out a complete map of where protected personal information is stored. To aid in this activity, the following sections describe in detail the locations in the Appian platform where personal information may be stored.

Whether or not personal information is actually stored in any of the locations described here depends largely on the design and administration practices adopted by the organization. The information provided here is useful both when designing and establishing those practices in preparation for building new applications on the Appian platform, and for organizations that need to retrofit existing applications to satisfy GDPR requirements.

External Data Sources

Appian integrates with external data sources through multiple means. The primary means of integrating data in Appian are Data Stores and Connected Systems. Other, less common or legacy ways include plug-ins, built-in connectors, and direct web-service invocations through REST and SOAP connectors.

Appian does not directly control external data sources. Any facility or process around the management of personal information in external data sources must either be built by the Appian designer into the application or managed directly in the external data source outside of Appian. If information about a user is removed from an external data source that Appian calls, that user information will no longer be visible to Appian. However, user information retrieved from external sources by previous calls may still exist in processes (as described in the Processes section).

External Data Considerations

There are general considerations for GDPR compliance that apply when integrating external data sources in Appian applications:

  1. Whenever possible, avoid using personal information as identifiers of external data. Since identifiers are typically used to link information across systems, they are likely to be stored in multiple systems, making comprehensive updates and removal potentially much more complex than necessary.
  2. Since usernames may contain personal information, relying on usernames as identifiers from external systems complicates GDPR compliance. If you must refer to Appian users from external data sources, we recommend creating a single lookup table between usernames and other external identifiers (Appian-provided user UUIDs may be used for this purpose).
  3. Uses of personal information from external data sources should be traced through related Appian objects to understand where else that same data may be stored. For example, a task form may look up personal information from an external data source that then gets saved in process variables upon form submission.
  4. External data sources may or may not offer their own user interfaces to find/update/delete personal information outside of Appian. You may consider using those, or build such capabilities directly into your Appian applications.
  5. Appian applications should be designed so they can handle non-transactional changes and deletions to personal information in records and external systems. For example, wiping personal information from one system that was referenced from other systems should be handled gracefully by an application that integrates data from those systems.
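As an added example (not from Appian's documentation), the following SQL shows the lookup-table pattern from items 1, 2 and 5 above: the Appian user UUID is the only link into external data, personal details have exactly one home, and transactional history survives erasure. All table and column names and the sample values are assumptions.

```sql
-- Constructed example schema (not Appian's own). Table and column names are assumptions.
-- One lookup table keyed by the Appian user UUID; nothing downstream carries the username.
CREATE TABLE person_key (
  person_id       INTEGER      NOT NULL PRIMARY KEY, -- opaque surrogate used by every other table
  appian_uuid     CHAR(36)     NOT NULL UNIQUE,      -- Appian-provided user UUID
  appian_username VARCHAR(255) NULL,                 -- may contain personal information; stored only here
  crm_customer_id VARCHAR(64)  NULL                  -- identifier in an external system; stored only here
);

-- Personal details live in one place, separate from transactional records.
CREATE TABLE person_profile (
  person_id INTEGER NOT NULL PRIMARY KEY REFERENCES person_key(person_id),
  full_name VARCHAR(255),
  email     VARCHAR(255)
);

-- Transactional history references only the opaque surrogate, never a name or username.
CREATE TABLE loan_request (
  request_id   INTEGER       NOT NULL PRIMARY KEY,
  person_id    INTEGER       NOT NULL REFERENCES person_key(person_id),
  requested_at TIMESTAMP     NOT NULL,
  amount       DECIMAL(12,2) NOT NULL
);

-- Sample data (constructed).
INSERT INTO person_key VALUES (42, '11111111-2222-3333-4444-555555555555', 'jane.doe', 'CRM-9001');
INSERT INTO person_profile VALUES (42, 'Jane Doe', 'jane.doe@example.com');
INSERT INTO loan_request VALUES (1, 42, TIMESTAMP '2018-05-25 09:00:00', 1500.00);

-- Rectification request: a single UPDATE, because the data has exactly one home.
UPDATE person_profile SET email = 'j.doe@example.com' WHERE person_id = 42;

-- Erasure request while keeping the transaction history (legitimate interest):
-- remove the profile and the identifying columns, keep the surrogate key and the history rows.
DELETE FROM person_profile WHERE person_id = 42;
UPDATE person_key SET appian_username = NULL, crm_customer_id = NULL WHERE person_id = 42;

-- Item 5: the application must tolerate personal data that has been wiped elsewhere.
-- A LEFT JOIN keeps the history readable (full_name is simply NULL) instead of dropping rows.
SELECT r.request_id, r.requested_at, r.amount, k.appian_uuid, p.full_name
  FROM loan_request r
  JOIN person_key k      ON k.person_id = r.person_id
  LEFT JOIN person_profile p ON p.person_id = r.person_id
 WHERE r.person_id = 42;
```

The final query still returns the loan record after erasure, with the UUID as the only remaining link and no name or username anywhere in the result.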

Processes

It is critical to understand and consider the lifecycle of data within the process engine for the purpose of GDPR compliance.

Appian processes hold data in process variables, activity parameters, saved forms, and various process instance configurations. They also maintain a complete, auditable log of all state changes in their process history. All process data is retained for reporting and auditing purposes before and after process completion, until the process is explicitly deleted or archived (manually or automatically). While only the latest state of the process can be reported on through process analytics, process history provides an immutable record of everything that happened throughout the execution of a process. Archived processes retain all of the process state, including the process history, but all of it is inaccessible within Appian unless and until they are un-archived.

Notably, this means that any and all personal information ever held in process state will be retained until the process is deleted. Archived processes also retain all personal information ever held in process state, unless and until the archived processes are deleted.

The implications of this for GDPR compliance must be carefully considered. GDPR offers provisions that allow the Data Controller to retain personal information records for legitimate interests. Appian customers may determine that personal data may be retained in a process record because it shows the history of a transaction between the customer and a person, creating a legitimate interest in retaining that data. These provisions must be evaluated on a case-by-case basis by the Appian customer when establishing a process data retention policy.

As examples, processes that contain personal data should only be archived if justified by legitimate interest; a request to rectify a personal information record should only be implemented by updating a process variable if retaining the outdated record in process history is justified by legitimate interest.

Process Considerations

A few general strategies may be considered to facilitate compliance with GDPR requirements:

  1. Store personal information in external data sources and use short-lived processes with automatic deletion to make updates to it. This is a common pattern that applies to most applications but is especially beneficial to address personal information retention concerns.
  2. Use an individual process instance to capture data associated with a single, natural person, so that their personal information can be individually deleted by deleting the associated process instance.
  3. If personal information must be captured in long-lived processes, ensure they can be effectively looked up, terminated, and deleted, and carefully consider whether or not archiving is a viable option.
  4. If existing application design does not effectively enable compliance, consider a redesign.

Data Types

Data types in Appian provide a structural definition of data for storage, transfer and manipulation purposes. Understanding where personal information lives in the Appian platform can be aided by understanding the data types used in Appian applications, and the use and meaning of fields within them.

Appian’s impact analysis capabilities make it easy to trace uses of data types that may contain personal information across all application objects. This is an important tool for analyzing existing applications. For example, if the dependencies of a data type that contains personal information can be traced to a Data Store or an Integration object, then the corresponding external data sources should be analyzed further (see External Data Sources). If a data type dependency can be traced to a process model, that process model should be analyzed further (see Processes).

However, personal information may also be stored in more dynamic structures like arrays, dictionaries, JSON-encoded text, and untyped fields and variables, hence any analysis based on tracing data-type dependencies is not guaranteed to be exhaustive. Established policies around the use of data types to track personal information may facilitate planning for GDPR-related activities.

User Accounts

Appian user accounts may store personal information; whether this is applicable to an organization’s GDPR compliance strategy depends on the situation or the organization’s established practices.

Appian usernames may capture personal information. For information on how to update usernames, see this support article. Updating usernames is not a recommended strategy for complying with GDPR requirements, as it is currently a technically expensive operation. Instead, we recommend using usernames that do not contain personal information.

User profiles may also contain personal information that may need to be updated and/or made inaccessible in response to GDPR compliance requests. Consider using the Update User Profile Smart Service and the Deactivate User Smart Service to automate these activities. Also, consider leveraging User Profile Visibility options to limit access to personal information in the user profile.

Unstructured Content

News and Social Tasks

Depending on how they are used, the News feed and Social Tasks in Appian Tempo may contain personal information. Administrators in Appian have the ability to delete news items and users may complete tasks from the Appian interface. However, these actions may not result in complete deletion from the Appian data source or search index. In the case of tasks, they may still be visible after completion. Organizations are encouraged to define clear policies around personal information shared in Tempo and to contact Appian Support for further assistance.

Documents

Documents stored in the Appian document management system may contain personal information. If your Appian instance is configured for document indexing, then document search functionality may be used to locate personal information. However, the recommended approach is to make sure that Appian applications manage references to documents so they can be looked up from process or data stores.

Documents uploaded into Appian from other unstructured locations (such as news attachments) are subject to the same limitations mentioned for News. Please contact Appian Support for further assistance.

Designer Objects

Designer objects are stored as metadata in the Appian data source and in the Appian Engines. Designer objects do not typically contain any personal information, and exceptions to this are not considered good practice. Policies against capturing any personal information in rules, constants, or any other design object metadata should be clearly established.

Administrative Records

Logs

During normal operation, the Appian platform outputs many logs. These logs do not typically contain personal information (e.g. usernames), but Appian recommends a conservative data retention policy for logs of less than 30 days to facilitate GDPR compliance.

Since logs are plain text files, customers may also choose to search for personal information through them and/or manipulate them as part of their GDPR compliance strategy.

Backups

Appian recommends a conservative data retention policy of less than 30 days for backups to satisfy GDPR requirements.

Process Archives

Process archives should only be retained for a limited time (less than 30 days), or for longer periods of time when there is a legitimate interest in keeping a fully auditable record of process execution. Search, introspection, and manipulation of process archive files are not supported operations and are not considered an effective strategy to aid GDPR compliance.

Transient Data

Appian may occasionally and temporarily retain data, which may include personal information, in various transient caches or other temporary storage locations. None of these locations are designed to hold data for longer than 30 days. If necessary, contact Appian Support for additional assistance in ensuring immediate removal of all traces of specific personal information.