May 23, 2018
GDPR effective on May 25, 2018 -- Learn how it impacts software testing
There has been a lot of discussion about GDPR and what it means for the way companies do business. The General Data Protection Regulation (GDPR) is the new EU legal framework for personal data; it entered into force in May 2016 and applies from 25 May 2018.
So, what exactly is GDPR?
GDPR governs the collection, processing, and protection of individuals' personal data and gives the supervisory authorities the power to take action against businesses that violate it. It gives individuals more control over how their personal data is used and imposes strict obligations on the companies that process it.
Key Features of GDPR
- Wider Scope
It covers a broad definition of personal data (GDPR's term for what is often called personally identifiable information, or PII): any information relating to an identified or identifiable natural person, including online identifiers such as cookie IDs and IP addresses. It places additional restrictions on special categories of data such as racial or ethnic origin, political opinions, and genetic and biometric data. It applies to any organization processing the personal data of people in the EU, whether the processing takes place inside the EU or outside it, so cloud services and connected devices are not exempt from enforcement.
Consent is one of the lawful bases for processing (alongside contract, legal obligation, legitimate interests, and others), and GDPR tightens what counts as valid consent: it must be freely given, specific, informed, and unambiguous, and a request for consent must be presented in clear and plain language, clearly distinguishable from other matters. The data controller must also be able to demonstrate that consent was obtained.
- Right to Access
The right of access lets an individual ask a data controller to confirm whether his/her personal data is being processed and, if so, to receive a copy of that data together with the purposes of processing, the recipients, the retention period, and the source of the data. Separate rights let the individual request rectification of inaccurate data, erasure, or restriction of processing.
- Right to be Forgotten
The right to be forgotten (the right to erasure) lets a data subject ask the controller to delete his/her personal data without undue delay in defined cases, for example when the data is no longer needed for the purpose it was collected for, when consent is withdrawn, or when the data was processed unlawfully. Where the controller has made the data public, it must also take reasonable steps to tell other controllers processing that data that erasure has been requested. The right is not absolute: processing may continue where it is required, for instance, to comply with a legal obligation.
- Data Portability
The right to data portability further strengthens an individual's control over his/her personal data. Where processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the personal data he/she provided to a controller in a structured, commonly used, and machine-readable format, and to transmit it to another controller (or have it transmitted directly, where technically feasible).
- Privacy by Design
The term "Privacy by Design" (in the regulation's own words, data protection by design and by default) means building data protection into systems rather than adding it afterwards. The controller must implement appropriate technical and organizational measures, such as pseudonymization and data minimization, both when deciding how processing will be carried out and during the processing itself, and must by default process only the personal data necessary for each specific purpose.
- Data Protection Officers (DPO)
Appointing a DPO is mandatory for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data or data about criminal convictions. A DPO is an expert in data protection law and practice and can be either an employee or an external contractor. Failing to appoint a DPO where one is required is an infringement that is subject to a fine.
- Data Breach
A data processor must report a personal data breach to the data controller without undue delay. The controller must notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals, and must explain the reasons for any delay. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected people without undue delay. Late or missing notification is itself a fineable infringement.
The penalty for the most severe violations of GDPR is up to 4 percent of total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is higher.
How to test data by adhering to GDPR guidelines
GDPR widens the obligations of companies worldwide across the technological, operational, and organizational aspects of handling personal data. Under the most stringent data protection framework to date, and with digital transformation putting more personal data into more systems, companies need to check that their test data practices actually support GDPR compliance. Copying production data into a test environment is itself processing of personal data, with the same obligations attached. With fines that can cripple a company, no real or live personal data should be made available to software testers, processors, managers, administrators, developers, or business users while executing the testing process.
Key methods to keep your test data in compliance with GDPR law.
Document how individuals' personal data is processed in every test environment. This is what lets you control the data and prevent unauthorized access and data exports. A test data management (TDM) process covers profiling the data, subsetting it, masking it, provisioning it to environments, and keeping a repository of the de-identified data. Strict data controls and a single, centralized access point for authorized users will help a testing team adopt a GDPR framework seamlessly.
An ongoing database audit helps to keep external users away from personal data and surfaces the security gaps that could lead to a data breach. Any tool or process that handles test data must itself comply with GDPR. Robust test data management and processes help to control and protect the security and privacy of the data, and regular audits keep your test data secure and prevent inappropriate use of personal data in testing.
Adopting Synthetic Data
Compared with data masking, synthetic data eliminates the risk of exposing real personal information to unauthorized access, because no real person stands behind any record. Data masking replaces specific fields such as first name, last name, and address with substitute values. It is only as strong as its weakest field and its masking function: if the substitution is unkeyed or reversible, or if direct identifiers are masked but quasi-identifiers such as date of birth, postcode, and salary are left intact, records can be linked back to real people by anyone who can reproduce the masking or who holds another data set containing the same quasi-identifiers.
A synthetic data framework generates data from a model of the schema, the testing rules, and the environments an organization defines. With advanced synthetic techniques you can reach high test coverage by generating the data sets each scenario needs, including edge cases that may not exist in production.
Data anonymization draws on several techniques, such as generalization (replacing exact values with ranges or categories), pseudonymization (replacing identifiers with tokens), perturbation (adding noise to numeric values), and encryption of identifiers, to protect the privacy of individuals while keeping the data usable for business purposes. One caveat matters under GDPR: encrypted or pseudonymized data is still personal data as long as someone holds the key or mapping that can re-identify it, so it stays in scope and must be protected; only data that can no longer be attributed to a person is outside the regulation.
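The difference between weak masking, keyed pseudonymization, generalization, perturbation, and fully synthetic records is easiest to see in code. The following Python example is added here and is not part of the original post; the customer and order rows, the column names, the fixed "today" date, and the key are all made up for illustration. It de-identifies a small customer table so that foreign keys still join, shows why an unkeyed hash can be linked back to the original value, and generates synthetic records from the same schema.

```python
"""De-identifying test data: added example, not from the original post.

Techniques shown on a constructed customer/order table:
  - keyed pseudonyms (HMAC) for direct identifiers: the same input maps to the
    same token under one key, so joins survive, but reversal needs the key,
    which stays out of the test environment;
  - generalization of quasi-identifiers (date of birth -> age band,
    postcode -> area);
  - perturbation of numeric attributes with bounded random noise;
  - fully synthetic records that never belonged to a real person.
It also shows why an unkeyed, pattern-preserving mask is weak: anyone who can
recompute the function over a list of guesses can link the masked value back.
All names, rows, and the key below are constructed for this example.
"""
import hashlib
import hmac
import random
from datetime import date

# Constructed sample rows: these are NOT real customers. Rows 1 and 3 are the
# same person twice, to show that pseudonymization is deterministic.
CUSTOMERS = [
    {"id": 1, "name": "Ana Lindqvist", "email": "ana@example.org",
     "dob": date(1984, 3, 9), "postcode": "SE-114 51", "salary": 52000},
    {"id": 2, "name": "Tomasz Nowak", "email": "tomasz@example.org",
     "dob": date(1991, 11, 30), "postcode": "PL-30-001", "salary": 38000},
    {"id": 3, "name": "Ana Lindqvist", "email": "ana@example.org",
     "dob": date(1984, 3, 9), "postcode": "SE-114 51", "salary": 52000},
]
ORDERS = [
    {"order_id": 10, "customer_email": "ana@example.org", "amount": 120.0},
    {"order_id": 11, "customer_email": "tomasz@example.org", "amount": 80.0},
]
TODAY = date(2018, 5, 25)           # fixed so the example is reproducible
TEST_KEY = b"constructed-demo-key"  # hypothetical; generate one per environment


def weak_mask(value: str) -> str:
    """Unkeyed mask: a truncated SHA-256. Anyone with a guess can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def linkage_attack(masked_values, candidates):
    """Re-identify weakly masked values by recomputing the mask over guesses."""
    table = {weak_mask(c): c for c in candidates}
    return {m: table[m] for m in masked_values if m in table}


def pseudonymize(value: str, key: bytes, label: str = "") -> str:
    """Keyed, deterministic pseudonym. A label keeps columns from colliding."""
    mac = hmac.new(key, (label + "|" + value).encode(), hashlib.sha256)
    return label + "_" + mac.hexdigest()[:16]


def age_band(dob: date, today: date, width: int = 10) -> str:
    """Generalize an exact birth date to a 10-year age band."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalize_postcode(postcode: str) -> str:
    """Keep only the country prefix and the first two characters of the local code."""
    country, _, local = postcode.partition("-")
    return f"{country}-{local[:2]}*"


def perturb(value: float, rng: random.Random, pct: float = 0.05) -> float:
    """Add bounded multiplicative noise (+/- pct) to a numeric attribute."""
    return round(value * (1 + rng.uniform(-pct, pct)), 2)


def deidentify(customers, orders, key: bytes, today: date, seed: int = 0):
    """Return de-identified copies of both tables that still join on email."""
    rng = random.Random(seed)
    out_c = [{"id": pseudonymize(str(c["id"]), key, "cust"),
              "email": pseudonymize(c["email"], key, "email"),
              "age_band": age_band(c["dob"], today),
              "area": generalize_postcode(c["postcode"]),
              "salary": perturb(c["salary"], rng)} for c in customers]
    out_o = [{"order_id": o["order_id"],
              "customer_email": pseudonymize(o["customer_email"], key, "email"),
              "amount": perturb(o["amount"], rng)} for o in orders]
    return out_c, out_o


def synthesize(n: int, seed: int = 0):
    """Generate records with the same schema but no link to any real person."""
    rng = random.Random(seed)
    first, last = ["Kai", "Noor", "Ivo", "Sade"], ["Berg", "Costa", "Ito", "Mbeki"]
    rows = []
    for i in range(n):
        f, l = rng.choice(first), rng.choice(last)
        rows.append({"id": i + 1, "name": f"{f} {l}",
                     "email": f"{f}.{l}{i}@example.test".lower(),
                     "dob": date(rng.randint(1950, 2000), rng.randint(1, 12), rng.randint(1, 28)),
                     "postcode": f"XX-{rng.randint(10000, 99999)}",
                     "salary": rng.randint(20000, 90000)})
    return rows


def demo():
    """Run the de-identification over the constructed tables."""
    return deidentify(CUSTOMERS, ORDERS, TEST_KEY, TODAY)


if __name__ == "__main__":
    customers, orders = demo()
    print(customers, orders, synthesize(2), sep="\n")
```

Two design points are worth noting. The pseudonymization key is the thing that makes the tokens personal data under GDPR: whoever holds it can re-identify, so it belongs in the production secrets store, not in the test environment, and should be rotated per environment so tokens from one refresh cannot be joined to the next. And generalization is applied to the quasi-identifiers, not just the names, because a masked name next to an exact birth date and postcode is still a fingerprint.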
With GDPR applying from 25 May 2018, companies handling real data must pay attention to its security and privacy. The same applies to test data, because testing teams often use customers' personal data copied from production environments. Is your test data GDPR compliant?