How testers should deal with GDPR

Overview of GDPR


Software testing begins with an idea of delivering a product that will help to simplify or improve the quality of a process or task. Software testing should follow a methodology with key activities to ensure that the final product is able to protect private data. There is some technical literature that focuses on security by design as part of testing the software. However, there is less about data protection by design and by default as part of testing the software. An understanding of data protection should be a prerequisite for developing and testing the software. The project team should know what requirements are applicable, what they should look out for, and which tools enable them to convert knowledge of data protection into software that safeguards it.

  1. What is GDPR and key features

    With the growth of data sources in the digital era, the volume of data created and stored continues to grow at an unpredictable rate. While the primary focus for most organizations is on data gathering and processing, it is important to safeguard the data from corruption, compromise, or loss.

    A new regulation in European Union law called GDPR came into force in 2018 with the primary objective of introducing the strongest enforcement measures and thereby improving trust in the digital economy. It gives individuals more control to know what information businesses can collect about them and to understand how it is handled. It is also mandatory for organizations to protect personal data and provide proof of how the data is protected. Failing to align with GDPR not only attracts penalties but also tarnishes business reputation. Some key features of GDPR are described below:

    1. Specific permission

      Unless you give permission to an app or website to use your details in a specific way, they can’t use them for any other purpose or sell them to third parties.

    1. Privacy by design

      According to this principle, when you sign up for a service, you should not be asked for data that is not directly relevant to using that app or service.

    1. Data portability

      The right to ask for any data that a company has about you in a readable format so that you can reuse it.

    1. Right to be forgotten

      Providing someone with your data does not mean they have the right to keep it forever. According to the GDPR, you have a right to be forgotten and will be able to ask companies or relevant parties to delete your data. However, the two exceptions are:

      a) It will not apply to information that there is a legal requirement to keep, such as medical records.

      b) It is also a personal right to forget, where individuals can request that outdated or undesirable information about them be removed from search engines.

    1. Definitive consent

      There should be a clear procedure before private data is processed. 

    1. Information in clear readable language

      Individuals have the right to receive information that they can read clearly. The new rules will therefore put an end to “small print” privacy policies: information should be given in clear and plain language before any data is collected.

    1. Limits on the use of profiling

      Profiling is the automated use of personal data to assess and analyze personal choices and to predict a person’s performance at work, economic situation, health, location, behavior, creditworthiness, etc. Under GDPR, it will be allowed with the consent of the person concerned, where permitted by law, or when needed to pursue a contract, and it requires human intervention.

    1. Everyone follows the same law

      The regulation will ensure that everyone follows the same rules.

    1. One-Stop Solution

      More beneficial for EU companies as they only need to deal with one regulatory body.

    1. Adopting Techniques

      The new GDPR rules provide techniques such as removing personally identifiable information where it is not needed, replacing personally identifiable information with artificial identifiers, and encoding messages so that only those authorized can read the private information.

      Therefore, the new data protection rules do not just give individuals precise and effective information about how their data is being used; they also give businesses the opportunity to innovate and win back trust from consumers.

  1. Data Security within GDPR

    Let’s find out how data protection is handled by GDPR.

    1. Take data protection into consideration at all times, from the moment you start developing the product up to each time data is processed.

    1. Encrypt, pseudonymize, or anonymize personal data wherever possible.

    1. Create an internal data security policy for your team members and build awareness of data protection.

    1. Know when to conduct a data impact assessment, and have a proper process in place for this assessment.

    1. Have a process to notify the authorities and your data subjects in the event of a data breach.

Focus areas of testing related to GDPR


Having mentioned so much about the need for and importance of GDPR, it becomes even more crucial to validate the application against all the parameters and verify that all the requirements are satisfied. Therefore, the QA process plays a vital role in testing that the functionality, features and behavioral changes in the application comply with the regulatory policies. Some of the possible test areas are:

1) Validate all the policies from requirements:

Testers need to ensure that the privacy policies are easily accessible and are written in simple language covering all aspects of personal data processing. The privacy policy should clearly state the reasons for processing personal data and should give the user the right to either allow or object to a certain type of processing.

Ex: If a client’s ask is to develop a privacy policy that is GDPR compliant, the requirements should be very detailed about the law, and the acceptance criteria should be clear and concise. QA should perform various tests to ensure the application complies with those terms, without any deviation from the expected requirements.

2) Use Masked/synthetic data for Test:

While performing data validations on website forms, third-party integrated components and so on, test data is the key to guaranteeing that the end-to-end functionalities work properly for all customers. Hence, it is important to use production-like test data to validate the business requirements. Either a copy of the actual production data should be masked, or synthetic data must be created using the various data generation tools available.

3) Level of Customer data usage:

Identifying the different levels of data, and guarding and protecting them, is necessary for GDPR compliance. The information supplied by the customer can be confined to PII (Personally Identifiable Information); however, it may vary from individual to individual.

4) Disposal of unused/unnecessary data:

Once data has been consumed, after a certain period it might no longer be relevant or needed, and the customer might ask what has been done with the information that was previously captured. In this case, it is the responsibility of the company to notify the customer about the data and securely dispose of all the unnecessary or unused data from the database and all other sources. Here, QA must step in to check that the unwanted information has been removed from the systems successfully, with no impact on the existing customers’ data.

Ex: If details such as the customer’s middle name, birthplace, or driving license number are not needed to maintain a profile, the customer must be notified in advance and the details should be discarded securely without impacting any other areas of the application.

5) Data Trust cliff:

One wrong step can cause a data breach and lead to the complete collapse of the organization’s reputation. Not only confidential/restricted but also public information should be protected from cyber threats. Hence, while gathering bulk information from customers, where the risk of data intruders/hackers is unavoidable, the governance of data is even more critical.

6) Historical data:

Organizations providing customer services should keep a complete record of all the data including current and historical information about the clients. Any necessary information should be identifiable and be easy to access by the clients at any moment. This can help customers if they wish to trace their own details.

Ex: Customers may like to seek information from their past transactions to trace any orders. In such cases, the company should be able to provide all the data the client is looking for without any data loss. QA tests should focus on whether the legacy data is correct, secure, and consistent.

Steps to make your test GDPR compliant


After the introduction of the General Data Protection Regulation (GDPR), a lot has been said and discussed about the use of production data for the testing of software systems and processes. This matter can be discussed under five main questions.

  1. Can you use production data related to personally identifiable information for software development and testing or not?

  2. If you request permission from your customers to use their personal data for software development and testing purposes by including it in your terms and conditions, will they allow it?

  3. What about an act or temporary exemption? To what extent can an act be given for these purposes?

  4. Is there any accepted way to anonymize the test data?

  5. Can you place responsibility for the loss of data with the processor via a processing agreement?

Let’s discuss how to make your test GDPR compliant:


1. Document the use of personal data in test environments:

Documenting the personal data should be the first step in your GDPR compliance process. This includes listing the data in backups and in the subsequent replicas that the testers have created for themselves.

2. Develop a smooth test data management process:

A lean and adaptable process is needed to stay in control of test data management. As per the General Data Protection Regulation, it is important to ensure that no personal data is exposed to business users, software testers, test managers, and other team members during the software development, maintenance, and test phases.

3. Establish a combination of masked data or synthetic data for testing:

Masking test data seems to be the desirable option, but it may not yield the right results, especially when you are dealing with test data management at enterprise level, where multiple systems with redundant data are involved. Hence, it may be preferable to use a combination of carefully masked data along with synthetic data.

4. A proper review of privacy policies:

Privacy policies must be articulated accurately. There should be a specific reason for collecting, sharing, storing, and using personal data among third-party processors. Consequently, it is also important to review the third-party policies to make sure that they also adhere to GDPR compliance.
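
The following is an added example, not part of the original article, illustrating step 3 above and the "masked/synthetic data" test area: keyed, deterministic masking gives the same customer the same token in two systems holding redundant data, so joins still work, while names are swapped for synthetic values. The key, field names, and sample records are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a per-environment secret that is stored outside the test environment.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample records from two systems that hold the same customers.
CRM = [
    {"customer_id": "C-1001", "name": "Anna Keller", "email": "anna.keller@example.com"},
    {"customer_id": "C-1002", "name": "Luis Ortega", "email": "luis.ortega@example.com"},
]
BILLING = [
    {"customer_id": "C-1001", "email": "anna.keller@example.com", "amount": 120.50},
    {"customer_id": "C-1002", "email": "luis.ortega@example.com", "amount": 75.00},
    {"customer_id": "C-1001", "email": "anna.keller@example.com", "amount": 19.99},
]
SYNTHETIC_NAMES = ["Test User Alpha", "Test User Bravo", "Test User Charlie", "Test User Delta"]

def pseudonym(value: str, field: str) -> str:
    """Keyed, deterministic token: the same input gives the same token in every system."""
    digest = hmac.new(MASKING_KEY, f"{field}:{value.lower()}".encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def mask_record(record: dict) -> dict:
    """Mask identifiers consistently; leave non-personal fields (amount) untouched."""
    masked = dict(record)
    masked["customer_id"] = "T-" + pseudonym(record["customer_id"], "customer_id")
    masked["email"] = pseudonym(record["email"], "email") + "@test.invalid"
    if "name" in record:
        # Synthetic replacement: the real name is swapped out, not transformed.
        index = int(pseudonym(record["customer_id"], "name"), 16) % len(SYNTHETIC_NAMES)
        masked["name"] = SYNTHETIC_NAMES[index]
    return masked

def leaked_values(originals: list, masked: list) -> set:
    """Original PII strings that still appear anywhere in the masked data set."""
    pii = {str(r[f]) for r in originals for f in ("customer_id", "name", "email") if f in r}
    return pii & {str(v) for r in masked for v in r.values()}

def orphaned_billing_rows(crm: list, billing: list) -> list:
    """Billing rows with no matching CRM customer; masking must not create any."""
    known = {r["customer_id"] for r in crm}
    return [r for r in billing if r["customer_id"] not in known]

MASKED_CRM = [mask_record(r) for r in CRM]
MASKED_BILLING = [mask_record(r) for r in BILLING]
```

A QA suite can run `leaked_values` and `orphaned_billing_rows` against every refreshed test data set as a gate before testers get access.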



Rachini Perera

Senior Quality Assurance Engineer