GDPR: recording personal information in Asana tasks

Pre-GDPR we often recorded basic personal data in Asana without a user’s consent - simply for logical/practical reasons/ease of reference around related tasks, e.g. ‘Contact Joe on 05784 566 555 or email joe@joe.com to write up case study’.

Not looking for ironclad legal assurances, just an understanding and any tips on how Asana themselves see this OR (more practically) how other customers approach the issue?

FYI a GDPR expert suggested we can’t do this so instead should refer to such contacts as ‘User 14 on spreadsheet X’ which would be a nightmare, as we’d have to then go trawling a database for their info?!

Thanks.