What the GDPR Means for Testers and Test Data

June 05, 2018

Practical Advice for Testing in DevOps 

The digital transformation has delivered a lot of advantages to consumers, but it has also brought a few complications. One big challenge is the need for organizations to protect the personal information that customers share as they pay bills, manage loans, trade stocks, or comparison shop for services. On May 25th, a new EU regulation, the GDPR ("General Data Protection Regulation"), went into effect. It brings even more stringent requirements for protecting personally identifiable information (PII).

The General Data Protection Regulation (GDPR) mandates that all personal data collected from EU citizens, for any purpose, must be handled according to strict privacy requirements regardless of the geographical location of the company collecting it or where the information is held. The goal is to give individuals more control over their PII and how it is used. An organization that collects data and fails to comply can be fined up to 20 million EUR or 4% of its global annual turnover, whichever is higher.

The GDPR will eventually affect business in all developed nations. If you work in technology and you market to or process information about EU data subjects, your business processes will be affected by the GDPR regardless of where your company or your customers actually reside.

Need-to-know access is already the rule in some environments, such as healthcare, but now it will be the norm in all of them: the specific information about an individual that you need to do your job will be available to you, and if you don't really need the personal information to do your job, you probably won't have access to it. We must all learn the new requirements.

Compliance with the GDPR is driving operational and process changes, and verifying that the new technology and processes comply means extensive software quality assurance testing. Therefore testers in particular must understand how to handle PII when creating test cases. The rules have changed: testers will no longer be able to use production data for testing, because of the risk that identifiable information will be exposed and shared with those who have no legitimate reason to have it. The GDPR guidelines suggest a couple of ways to handle test data that comply with the requirements and still allow software testers to do their jobs.

If a company hands over testing responsibility and real customer data to an outsourced testing service, the organization must still ensure that the outsourced vendor manages test data in compliance with the terms of the GDPR. Companies in the business of developing and testing software may find themselves forced to change their entire software development and testing lifecycle.

Masking Test Data

Compliance with the GDPR effectively prohibits using real customer data for testing unless it is rendered anonymous by masking. You can mask data so that it is no longer attributable to the original owner, but this is effort-intensive, very time-consuming, and difficult to scale. First you must identify which information is sensitive and where it is stored. Then you must mask, scramble, or otherwise anonymize that sensitive personal information until the underlying real person can no longer be identified from the remaining data. Finally, you must limit exposure of the information to those persons who really need to use it.

As you can see, masking is a complicated process that may have unintended consequences and takes a lot of time and effort. Big data testing in particular requires access to reliable big databases, and that surely leads us to the use of synthetic data for those databases, whether you conduct your own software QA or outsource it.
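The three masking steps above, worked through on a constructed two-table data set (this is an added example, not Sixsentix code or tooling): PII columns are classified, replaced with keyed pseudonyms or format-preserving fakes, and only masked copies are handed on. The masking key, column names and sample rows are all assumptions; the keyed pseudonym is what keeps a customer id joinable between the customers and payments tables, which is the "data redundancy" problem the text mentions for enterprise landscapes.

```python
import hashlib
import hmac
# Constructed key: in practice it comes from a secrets store, never the test DB.
MASKING_KEY = b"constructed-masking-key-rotate-me"
PII_COLUMNS = {"name", "email", "iban"}   # step 1: columns that must be replaced
JOIN_KEYS = {"customer_id"}               # pseudonymized consistently across tables

def keyed_digest(value: str) -> str:
    """HMAC-SHA256: same input -> same output, not reversible without the key."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()

def pseudonym(value: str, prefix: str) -> str:
    return prefix + keyed_digest(value)[:12]

def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")   # keep domain so routing logic runs
    return f"{pseudonym(local, 'user-')}@{domain}"

def mask_iban(iban: str) -> str:
    """Keep country code, check digits and grouping; replace the other digits
    with keyed-pseudorandom ones (format-preserving, checksum not recomputed)."""
    stream = iter(keyed_digest(iban))          # 64 hex chars, enough for any IBAN
    masked = list(iban[:4])
    for ch in iban[4:]:
        masked.append(str(int(next(stream), 16) % 10) if ch.isdigit() else ch)
    return "".join(masked)

def mask_record(record: dict) -> dict:
    out = {}
    for column, value in record.items():
        if column in JOIN_KEYS:
            out[column] = pseudonym(str(value), "cust-")
        elif column == "email":
            out[column] = mask_email(value)
        elif column == "iban":
            out[column] = mask_iban(value)
        elif column in PII_COLUMNS:
            out[column] = pseudonym(value, "name-")
        else:
            out[column] = value          # non-PII business fields stay intact
    return out

def mask_tables(customers: list, payments: list) -> tuple:
    # Step 3: only masked copies leave here; shared keys still join.
    return [mask_record(c) for c in customers], [mask_record(p) for p in payments]
# Constructed sample rows (not real people).
CUSTOMERS = [{"customer_id": 101, "name": "Ana Petrovic", "email": "ana@example.org",
              "iban": "CH93 0076 2011 6238 5295 7", "segment": "retail"}]
PAYMENTS = [{"payment_id": 1, "customer_id": 101, "amount": 120.50}]
```

Because the pseudonym is keyed, anyone holding only the masked tables cannot rebuild the mapping by hashing guessed names or ids; losing the key, however, breaks consistency with previously masked extracts, so it has to be managed like any other secret.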

Synthetic Test Data

The better way to comply with the GDPR is to leverage synthetic test data. Synthetic data is useful in functional testing as a replacement for real personal data, and it has further advantages: it can easily be used to test scalability or for visualization purposes, and the results can be freely shared as open data. However, the complexity of creating synthetic test data grows with the complexity of the system being tested and the database behind it. It is fairly simple to generate synthetic data that fits one or two features of a population database; as you add features, the complexity of creating synthetic data with the same properties as the real population grows with them, and this requires testing know-how and experience.
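An added example (not Sixsentix code) of the point just made: fitting two features jointly rather than one at a time. A constructed "production" population with country, product and balance is reduced to aggregates, synthetic rows are sampled from those aggregates, and an acceptance check compares the joint country/product shares of the two sets. The population spec, column names and thresholds are assumptions.

```python
import random
import statistics
from collections import Counter

# Constructed "production" population: (country, product) -> (count, mean, sd).
# No real people; it only stands in for the joint distribution we must match.
SPEC = {("CH", "loan"): (40, 25000, 4000), ("CH", "card"): (30, 1200, 300),
        ("DE", "loan"): (20, 18000, 3000), ("DE", "card"): (10, 900, 200)}
_rng = random.Random(7)
POPULATION = [{"country": c, "product": p, "balance": round(_rng.gauss(mu, sd), 2)}
              for (c, p), (n, mu, sd) in SPEC.items() for _ in range(n)]

def fit(population: list) -> dict:
    """Learn the joint share of the categorical features and, per cell, the
    mean/sd of the numeric one. Only aggregates are kept, no row-level PII."""
    joint = Counter((r["country"], r["product"]) for r in population)
    model = {}
    for key, count in joint.items():
        vals = [r["balance"] for r in population
                if (r["country"], r["product"]) == key]
        model[key] = (count / len(population),
                      statistics.mean(vals), statistics.pstdev(vals))
    return model

def generate(model: dict, n: int, seed: int = 1) -> list:
    """Sample a cell by its joint share, then a balance from that cell's fit.
    Sampling jointly (not feature by feature) keeps country/product correlated."""
    rng = random.Random(seed)
    keys = list(model)
    weights = [model[k][0] for k in keys]
    rows = []
    for i, (country, product) in enumerate(rng.choices(keys, weights, k=n), 1):
        _, mu, sd = model[(country, product)]
        rows.append({"customer_id": i, "country": country, "product": product,
                     "balance": round(rng.gauss(mu, sd), 2)})
    return rows

def joint_shares(records: list) -> dict:
    counts = Counter((r["country"], r["product"]) for r in records)
    return {k: v / len(records) for k, v in counts.items()}

def max_share_gap(real: list, synthetic: list) -> float:
    """Largest absolute difference in joint share: the acceptance check for
    'same properties as the real population'."""
    a, b = joint_shares(real), joint_shares(synthetic)
    return max(abs(a.get(k, 0) - b.get(k, 0)) for k in set(a) | set(b))
```

Every additional feature multiplies the number of cells to fit, which is why the text says complexity grows with the feature count; with sparse cells a real generator has to fall back to smoothing or conditional models rather than a plain frequency table.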

Some test vendors believe that they can comply with the GDPR merely by deploying products that assist with data generation, extraction, and masking. But what about enterprise system landscapes with their data redundancy? We believe that the best testing solution requires the right skills, methodologies, and tools for test data management, and this is especially true in those enterprise landscapes. Sixsentix solves this problem by automating the provisioning of synthetic data, which delivers the needed data in compliance and with fast time-to-value.

Sixsentix is already known for innovation in software quality assurance testing and QA Analytics for continuous testing and continuous QA reporting. Now, it offers an innovative approach to synthetic test data generation and management. This approach not only complies with the GDPR, but offers the added advantage of providing the right test data to fit any of the test cases without causing delays in the software testing process. Both on-site and nearshore testing facilities must ensure that outsourced testing services comply with the GDPR and data privacy legislation.

About Sixsentix

Sixsentix is a leading provider of software testing services. We are laser-focused on helping enterprises deliver the highest-quality software with superior time-to-market. Sixsentix clients include the largest banks, financial services, insurance, and telecom companies, along with many other industries.

In 2018, Sixsentix was named among the top 50 most valuable brands. In 2017, Sixsentix ranked 33rd among Europe's 100 fastest growing companies. In 2016, Sixsentix ranked 3rd among the fastest growing Swiss companies, while Sixsentix Serbia was named one of the top small businesses in Serbia.

For more information, visit www.sixsentix.com or follow us on LinkedIn, Xing, Facebook, Instagram, Glassdoor and Twitter.