What is PII in the help desk context?

PII (Personally Identifiable Information) is any information that can uniquely identify a specific person. In help desk tickets that includes: full name, national ID number, email, phone number, address, health data, employee number, machine IP address. GDPR defines this as 'personal data' - any information relating to an identified or identifiable natural person.

What is the maximum GDPR fine for failing to protect personal data?

GDPR sets two tiers of administrative fines: up to 10M EUR or 2% of annual global turnover, and - for more serious breaches - up to 20M EUR or 4% of annual global turnover (whichever is higher). The actual fine depends on the nature of the breach and is set individually by the supervisory authority.

How long can I retain data in tickets?

GDPR introduces the 'storage limitation' principle - data must not be kept longer than necessary for the purposes for which it is processed. GDPR does not specify a fixed number of years - the controller defines retention periods in its own policy, taking legal and contractual requirements into account. Documenting that policy for audit purposes is good practice.

Do tickets containing health data require encryption?

Yes. Health data is a special category under Art. 9 GDPR - it requires reinforced safeguards. End-to-end encryption at rest (AES-256) is mandatory. ManageEngine SDP supports encryption of custom fields with RBAC - define which fields are PII and enable encryption.

What do I do when an employee requests access to their data (GDPR right)?

Art. 15 GDPR - Right of Access. You must deliver a copy of all personal data within 30 days. ManageEngine has a built-in 'Data Subject Access Request' report - it filters all tickets concerning a specific person, generates a PDF and exports in a machine-readable format. The audit trail must be immutable.

Data security in the help desk - GDPR and PII

← Back to Blog

Security

Jakub Roszkiewicz · May 2026 · 10 min read

An employee logs into the help desk with a laptop issue - enters a national ID number for identification, mentions health problems that affect their work. The ticket goes to several technicians, gets resolved, and the data stays. Years later it may still be accessible to former employees, may get exported, may sit in backups without access control. That is a real GDPR risk. In this article we show how to define PII in the help desk, what rights users have, and how to configure ManageEngine ServiceDesk Plus so that no one sees the data without a need.

PII

personal data lands in tickets more often than you would expect

GDPR

fines up to 20M EUR or 4% of annual turnover

RBAC

access to sensitive data only for authorized roles

What is PII and why does it appear in tickets?

PII (Personally Identifiable Information) is any information that can uniquely identify, or contribute to identifying, a specific person. In a help desk context that includes:

Identification data: full name, national ID number, passport number, ID card number
Contact data: email, phone number, home address
Technical data: employee IP address, machine MAC address, hostname, AD service identifier
Health data: illnesses, mental health conditions, injuries, hospital stays (SPECIAL CATEGORY - reinforced safeguards required)
Financial data: salary (if it appears in the context of HR system issues), bank account

The problem is that employees often add PII without needing to - "I cannot work because I have a headache" instead of "I cannot work because the laptop will not boot". The technician then sees unnecessary data, which legally drags them into the role of a data processor.

Many companies have no policy for redacting PII from tickets. An employee enters a national ID number, an insurance number or information about a health issue - and that data stays in the system for years, often accessible to former employees and contractors. That is a real GDPR breach risk with potential sanctions attached.

GDPR grants the data subject a number of rights. The most relevant ones for the help desk are:

Art. 15 - Right of Access: the person can request access to all of their data within 30 days. You must deliver a copy in a machine-readable format (CSV, XML).
Art. 17 - Right to Erasure ('Right to be Forgotten'): the person can request deletion of their data. Exception: where the data is required for compliance (audit trail, legal hold).
Art. 20 - Right to Data Portability: the person can request export of their data in a format that can be moved to another system.
Art. 18 - Right to Restrict Processing: the person can restrict the processing of their data (read-only, no analysis, no profiling).

A separate obligation of the controller - not a data subject right - is breach notification: under Art. 33 GDPR a personal data breach must be reported to the supervisory authority without undue delay, where feasible within 72 hours of becoming aware of it.

For the help desk the problem appears when:

An employee leaves - they request deletion of their data from tickets → you must anonymize or delete
An employee moves to a competitor - they invoke Right to Portability → you export the data in a neutral format
Tickets containing PII are breached → breach notification to the supervisory authority + to the data subject within 72 hours

Table - types of PII in tickets and risk level

The "Suggested retention" column shows example, indicative values - GDPR does not impose specific periods, it only requires that data is not kept longer than necessary. Set the actual retention periods in your company policy, taking legal and contractual requirements into account.

PII type	Example	Risk category	GDPR requirement	Suggested retention
National ID / Tax ID	12345678901	Critical	AES-256 encryption + RBAC	1 year (archive)
Health data	"I have diabetes"	Critical	Encryption + special handling	6 months
Phone number / Email	+48 600 100 200	High	Encryption + RBAC	2 years (archive)
IP / MAC address	192.168.1.100	Medium	RBAC (technician visible)	3 years (audit)
Full name	Jan Kowalski	Low	RBAC (technician visible)	3 years

RBAC and access control - only the technician sees PII

The first line of defense is Role-Based Access Control (RBAC). Not everyone in the company should see a ticket containing PII:

Level 1 (Help Desk): sees ticket Subject + Description (no PII fields)
Level 2 (technician): sees the full ticket including PII fields (GDPR training required)
Manager / Director: sees aggregate reports (ticket counts), but no PII details
HR / Outsourcer: no access to tickets containing PII (read-only access to selected fields without details)

In ManageEngine ServiceDesk Plus this is configured through:

Custom Fields + Field ACL: define PII fields (e.g. national ID, date of birth) and restrict who can see them
Ticket ACL: the technician sees the ticket, the manager sees only a summary
Audit Trail: log of who opened a ticket containing PII and at what time (immutable log)

Anonymization and retention - how long do you keep the data?

GDPR requires: keep data no longer than necessary. The schedule below is an example of good practice - set specific periods in your own retention policy in line with legal and contractual requirements:

Active phase: ticket open and in resolution - full data available to the technician
Archive phase: ticket closed - archive and remove PII (anonymize national IDs, mark health data as [REDACTED])
Compliance hold period: keep the ticket in an anonymized form for audit purposes (ticket counts, categories, resolution time), without PII
After the defined period: permanent deletion of the data

Anonymization procedure in ManageEngine:

Ticket closed for the defined period → automatic workflow trigger
Workflow: "Redact custom fields containing national ID, phone, health data"
Data saved in an encrypted archive (read-only backup)
PII fields replaced: national ID → partial masking (e.g. last digits only for reference)
After the retention period → purge the archive

Encrypting sensitive fields in ManageEngine SDP

ManageEngine ServiceDesk Plus offers encryption at rest (AES-256) for selected custom fields:

Custom Field Encryption:
Define a field (e.g. "Employee_NationalID") as PII → ManageEngine encrypts the value in the database. Only roles with permission can see it.
Audit Trail (immutable log):
Every access to an encrypted field is logged - who, when, how long they viewed it - and cannot be modified.
Data Subject Access Request (DSAR):
Automated report - filters all tickets for a specific person, exports in a GDPR-compliant format, attaches the audit trail.
Right to Erasure Workflow:
An employee requests data deletion → tickets are anonymized or deleted (preserving the audit trail for compliance).

10-point GDPR checklist for the help desk

Before deploying ManageEngine SDP check:

☐ You have defined which ticket fields are PII (national ID, email, phone, health data)
☐ Field ACLs are configured - only authorized roles see PII
☐ AES-256 encryption is enabled for national ID, phone number and health data fields
☐ Audit Trail is active and immutable (logs who saw PII and when)
☐ Anonymization procedure - tickets older than the defined period have redacted PII
☐ Retention policy - automatic deletion of PII after the defined period
☐ DSAR workflow - ability to deliver data for a specific person in machine-readable format within 30 days
☐ Right to Erasure workflow - anonymization procedure for tickets belonging to a specific employee
☐ Data breach procedure - who notifies the supervisory authority within 72 hours in case of a leak
☐ Technician training - they know what PII is and what to do if it appears in a ticket

Frequently asked questions (FAQ)

Can I store a national ID number in tickets?

Yes, but with conditions: encryption, RBAC (access only for authorized roles), anonymization after a defined period and deletion in line with the retention policy. A better practice is not to store the national ID number in the ticket itself, but in a dedicated HR system with stronger access controls.

What do I do if an employee requests access to their data (Art. 15 GDPR)?

You have 30 days. ManageEngine has a built-in DSAR report - it filters all tickets for a specific person, generates PDF/CSV and attaches the audit trail. Send it to the employee, document the access.

Do tickets with health data require encryption?

Yes, absolutely. Art. 9 GDPR - special category data (health, religion, sexual orientation). It requires reinforced safeguards (encryption + RBAC + monitoring).

An employee is leaving and requests deletion of their data - what do we do?

Right to Erasure - anonymize the tickets (full name → "[Unnamed User]", national ID → removed, health data → "[REDACTED]") or delete them entirely if they are not needed for audit. The audit trail stays.

Can an IT outsourcer have access to PII in tickets?

Only if they have a Data Processing Agreement (DPA) with the company and the required GDPR training. Best practice: the outsourcer sees ticket Subject/Category, but no PII fields (separate access control policy).

Jakub Roszkiewicz

CTO · Rotech Group · expert in GDPR, compliance and data security in ITSM

Zero-day and patch management - a 24-hour plan NIS2 - checklist for the IT manager CMDB instead of Excel - 7 signs it is time to switch CMDB for a manufacturing plant - IT and OT assets

Help desk GDPR audit

Does your help desk protect employee personal data?

Rotech Group will review your ManageEngine ServiceDesk Plus configuration against GDPR - encryption, RBAC, audit trail, retention policy. Free assessment, no obligation.

Book a consultation →

Data security in the help desk -GDPR and PII in IT tickets