And It’s Less than a Year Away!
At a time when data breaches are extremely expensive and user trust in how personal data is used is low, the European Union’s General Data Protection Regulation (GDPR) is an attempt to protect users’ personal data while permitting free, unrestricted data movement across EU member states. The GDPR gives individuals extended control over their personal data and also imposes stricter controls over companies handling such data. Users will have the right to know why personal data is requested and what is done with the data collected, and to make requests for (i) obtaining the data in a portable format, (ii) erasing data no longer required, and (iii) opting out of data profiling for marketing purposes. GDPR seeks to make way for a safer, more secure, data-connected world. However, for businesses, this gives rise to numerous compliance challenges.
In a typical test environment, many organizations implementing GDPR will face a dilemma while launching software products and releases – ensure adequate test coverage by including all possible scenarios, but at the same time, refrain from using (and compromising) live, personally identifiable production data for testing.
While preparing test environments for GDPR, strategists must answer the following questions:
- Irrespective of where the processor or controller of data is based, does the data belong to an individual in the European Union?
- How does the concept of ‘explicit consent’ impact data provisioning for QA and testing?
- Can data ‘be forgotten’ from test environments?
- Can data be transferred to a third country?
- Is it sufficient to ‘pseudonymize’ data to ensure it is safe for movement into the test environment?
Terms such as data flow traceability, data anonymization, and data purge solutions may sound elementary. However, implementing them in complex business environments comprising heterogeneous data sources, where data needs to be referentially intact yet completely anonymous, is easier said than done.
Let’s take a quick look at GDPR requirements on data collection and processing, and their impact on the testing function:
- Explicit consent for specific use cases must be obtained from data owners (users). This means that production data cannot simply be copied as-is for use in test environments.
- Personally identifiable information must be safeguarded through appropriate technical and organizational measures. If production data is sourced for testing, anonymization techniques must be used to completely and irreversibly mask personally identifiable information.
- Some industries, especially highly regulated ones like life sciences and healthcare, will be impacted by the new definition of personally identifiable information. If your test organization had already implemented a masking mechanism in the past, this is the ideal time to take stock of your anonymization and masking techniques, and determine whether additional controls or masks are needed.
- Users now also have the right to request that their data be forgotten from data control and processing systems. If your test environment holds personally identifiable data, you must ensure a purge mechanism is in place to erase the requested data from all data sources. Besides robust data purging solutions, this also calls for good documentation of data flows and data models, and adequate test data profiling.
- With the territorial scope for data now extended, GDPR requirements apply irrespective of where the data is collected, stored or processed, as long as the data belongs to EU individuals.
- GDPR also puts the onus of demonstrating appropriate safeguards on controllers and processors of data – the business organizations that use the data in their enterprise and testing systems. Newer areas, too, are required to be validated through data protection impact assessments. GDPR also stresses the need to safeguard data that gets transferred to countries outside the EU.
There is light at the end of the tunnel: GDPR states that the principles of data protection do not apply to anonymous information or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Organizations will need to put in place mechanisms to comply with GDPR in their test environments, and hence look to solutions that generate synthetic data and anonymize personally identifiable data through masking. They will also need to put in place data compliance audits to ensure compliance in the longer term.
Organizations with a mature Test Data Management (TDM) function are well versed in these requirements. In my experience, these organizations can deal with new regulations such as GDPR in their stride. On the other hand, it is critical that others now start developing strategic, tactical and technical approaches to source test data that is adequately masked, and irreversibly and completely anonymous. Companies without adequate data privacy and protection measures need to ensure they prepare for the new regulation, because noncompliance attracts heavy financial penalties – up to 20 million Euros or 4% of annual global turnover – whichever is greater.
With time running out, it’s time to initiate measures, because post May 2018, businesses will not have an option – they must demonstrate GDPR compliance. Is your business ready for this new compliance challenge?