When logged in as a guest user, if I go into a task and try to assign a task I see all users in the system. This is a security issue that needs to be fixed.
Under GDPR and other data protection regulations users (customers) have to give express permission to disclose their information to other third parties. This breaches this data protection expectations.
This needs to be resolved in a way that guest users are hidden from other guest users by default. This bug currently covers the task assignment option in a task, which loads a drop down with all system users (and their emails).
I am not sure that the solution proposed to hide emails will adequately address disclosure requirements.
Incase the guest user is not satisfied and wishes to remove his information from our system they are free to let us know and as per our GDPR policy we would remove all of their data from our systems.
When it comes to GDPR we have gone a step ahead and allow users to enroll for DPA if they need it.
Please note, just for your information there are softwares like Slack, Asana which follow the same process as we have in place.
I would like to convey here, that we are considering hiding all emails from Guest users which would further strengthening our commitment to privacy.