Software testing begins with the idea of delivering a product that will help to simplify or improve the quality of a process or task. Software testing should follow a methodology with key activities to ensure that the final product is able to protect private data. There is some technical literature that focuses on security by design as part of testing software. However, there is less about data protection by design and by default as part of testing software. An understanding of data protection should be a prerequisite for developing and testing software. The project team should know which requirements are applicable, what they should look out for, and which tools enable them to convert knowledge of data protection into software that safeguards it.
With the growth of data sources in the digital era, the volume of data created and stored continues to grow at an unpredictable rate. While the primary focus for most organizations is on data gathering and processing, it is important to safeguard the data from corruption, compromise, or loss.
A new regulation in European Union law, the GDPR, came into force in 2018 with the primary objective of introducing stronger enforcement measures and thereby improving trust in the digital economy. It gives individuals more control: they can know what information businesses collect about them and understand how it is handled. It is also mandatory for organizations to protect personal data and provide proof of how the data is protected. Failing to align with GDPR not only attracts penalties but also tarnishes business reputation. Some key features of GDPR are described below:
Unless you give permission to an app or website to use your details in a specific way, they can’t use it for any other purpose or sell it to third parties.
When you sign up for a service, you should not be asked for data that is not directly relevant to the purpose of using that app or service.
The right to ask for any data that a company holds about you, in a readable format, so that you can reuse it.
Providing someone with your data does not mean they have the right to keep it forever. Under GDPR you have a right to be forgotten and can ask companies or relevant parties to delete your data.
However, the two exceptions are:
a) It does not apply to information that there is a legal requirement to keep, such as medical records.
b) There is also a personal right to be forgotten, where individuals can request that outdated or undesirable information about them be removed from search engines.
There should be a clear procedure before private data is processed.
It is the right of individuals to receive and read the information clearly. The new rules therefore put an end to "small print" privacy policies: the information should be given in clear and plain language before any data is collected.
Personal data is used in automated processing to assess and analyze personal choices and to predict a person's performance at work, economic situation, health, location, behavior, creditworthiness, and so on. Under GDPR, this is allowed with the consent of the person concerned, where permitted by law, or when needed to perform a contract, and it requires human intervention.
The regulation will ensure that everyone follows the same rules.
This is more beneficial for EU companies, as they only need to deal with one regulatory body.
The new GDPR rules provide for techniques such as removing personally identifiable information where it is not needed, replacing personally identifiable information with artificial identifiers (pseudonymization), and encoding data so that only those authorized can read it (encryption).
Therefore, the new data protection rules not only give individuals precise and effective information about how their data is being used, they also give businesses the opportunity to innovate and win back trust from consumers.
Let’s find out how data protection is handled by GDPR.
Having said so much about the need for and importance of GDPR, it becomes even more crucial to validate the application against all the parameters and verify that all the requirements are satisfied. Therefore, the QA process plays a vital role in testing the functionality, features and behavioral changes of the application for compliance with the regulatory policies. Some of the possible test areas are:
1) Validate all the policies from requirements:
2) Use masked/synthetic data for tests:
While performing data validations on website forms, third-party integrated components and so on, test data is the key to guaranteeing that the end-to-end functionality works properly for all customers. Hence, it is important to use production-like test data to validate the business requirements. A copy of the actual production data should be either masked, or synthetic data must be created using one of the various data generation tools available.
3) Level of customer data usage:
Identifying the different levels of data, and guarding and protecting them, is necessary for GDPR compliance. The information supplied by the customer may be confined to PII (Personally Identifiable Information); however, it varies from individual to individual.
4) Disposal of unused/unnecessary data:
Whenever data has been consumed and, after a certain period, is no longer relevant or needed, the customer might ask what has been done with the information that was previously captured. In this case, it is the company's responsibility to notify the customer and to securely dispose of all unnecessary or unused data from the database and all other sources. Here, QA must step in to check that the unwanted information has been removed from the systems successfully, with no impact on existing customer data.
Ex: If details such as the customer's middle name, birthplace or driving licence number are not needed to maintain a profile, the customer must be notified in advance and the details should be discarded securely, without impacting any other area of the application.
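As an added example that is not part of the original article, the following Python (using sqlite3 with constructed in-memory tables) shows the kind of check QA can run for this area: the unneeded attributes are cleared for one customer in every store that holds a copy, and the checks verify both that no copy remains and that other customers' data is untouched. The table and column names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory stores: the main customer table plus a reporting replica
# that still holds a copy of the same attributes (the kind of redundant copy that
# is easy to forget when disposing of data).
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT,
                               middle_name TEXT, driving_licence TEXT);
        CREATE TABLE reporting_replica(customer_id INTEGER, middle_name TEXT,
                                       driving_licence TEXT, lifetime_value REAL);
        INSERT INTO customers VALUES (1, 'ada@example.com', 'Marie', 'DL-55512'),
                                     (2, 'bob@example.org', 'Lee', 'DL-99034');
        INSERT INTO reporting_replica VALUES (1, 'Marie', 'DL-55512', 120.5),
                                             (2, 'Lee', 'DL-99034', 18.0);
    """)
    return conn

# Inventory of every store and column holding the attributes that are no longer
# needed for a profile. These names are fixed constants, not user input, so
# interpolating them into the SQL below is safe; the customer id is a bound parameter.
COPIES = {
    "customers": ("id", ["middle_name", "driving_licence"]),
    "reporting_replica": ("customer_id", ["middle_name", "driving_licence"]),
}

def dispose_unneeded(conn: sqlite3.Connection, customer_id: int) -> None:
    """Clear the unneeded attributes for one customer in every store that holds them."""
    for table, (id_col, cols) in COPIES.items():
        assignments = ", ".join(f"{col} = NULL" for col in cols)
        conn.execute(f"UPDATE {table} SET {assignments} WHERE {id_col} = ?", (customer_id,))
    conn.commit()

def residual_copies(conn: sqlite3.Connection, customer_id: int) -> list:
    """QA check: (table, column) pairs where a disposed attribute still holds a value."""
    found = []
    for table, (id_col, cols) in COPIES.items():
        for col in cols:
            (n,) = conn.execute(
                f"SELECT COUNT(*) FROM {table} WHERE {id_col} = ? AND {col} IS NOT NULL",
                (customer_id,)).fetchone()
            if n:
                found.append((table, col))
    return found

def customer_snapshot(conn: sqlite3.Connection, customer_id: int) -> tuple:
    """Data that must survive disposal, used to prove there was no collateral impact."""
    email = conn.execute("SELECT email FROM customers WHERE id = ?", (customer_id,)).fetchone()
    value = conn.execute("SELECT lifetime_value FROM reporting_replica WHERE customer_id = ?",
                         (customer_id,)).fetchone()
    return email + value
```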
5) Data trust cliff:
One wrong step can cause a data breach and completely collapse the reputation of the organization. Not only confidential/restricted but also public information should be protected from cyber threats. Hence, when gathering or collecting bulk information from customers, where the risk of data intruders/hackers is unavoidable, the governance of that data is even more critical.
Organizations providing customer services should keep a complete record of all the data, including current and historical information about their clients. Any necessary information should be identifiable and easy for clients to access at any moment. This helps customers who wish to trace their own details.
Ex: Customers may want to look up their past transactions to trace an order. In such cases, the company should be able to provide all the data the client is looking for without any data loss. QA tests should focus on whether the legacy data is correct, secure, and consistent.
After the introduction of the General Data Protection Regulation (GDPR), a lot has been said and discussed about the use of production data for the testing of software systems and processes. This matter can be discussed under five main questions.
Let's discuss how to make your testing GDPR compliant.
1. Document the use of personal data in test environments:
Documenting the personal data should be the first step in your GDPR compliance process. This includes listing the data held in backups and in the replicas that testers have created for themselves.
2. Develop a smooth test data management process:
A lean and adaptable process is needed to stay in control of test data management. Under the General Data Protection Regulation, it is important to ensure that no personal data is exposed to business users, software testers, test managers, and other team members during software development, maintenance, and test phases.
3. Establish a combination of masked data and synthetic data for testing:
Masking test data seems to be the desirable option, but it may not yield the right results, especially in test data management at enterprise level, where multiple systems with redundant data are involved. Hence, a combination of carefully masked data and synthetic data may be preferred.
4. A proper review of privacy policies:
Privacy policies must be articulated accurately. There should be a specific reason for collecting, sharing, storing, and using personal data with third-party processors. Consequently, it is also important to review the third-party policies to make sure that they adhere to GDPR as well.
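As an added example (not code from the original article), here is one way in Python to produce the masked and synthetic test data discussed in points 2 and 3 above: PII is replaced by deterministic HMAC-based pseudonyms so that redundant copies across systems still join on the same artificial identifier, a field not needed for testing is dropped, the date of birth is replaced by a synthetic value, and a QA check confirms that no original PII literal survives in the output. The rows and the masking secret are constructed for this example.

```python
import hashlib
import hmac

# Constructed production-like rows (all values are made up for this example).
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Ada Example", "email": "ada@example.com",
     "dob": "1984-03-09", "driving_licence": "DL-55512", "order_total": 120.50},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "dob": "1990-11-21", "driving_licence": "DL-99034", "order_total": 18.00},
]

PII_FIELDS = {"name", "email", "dob"}   # kept, but replaced with artificial values
DROP_FIELDS = {"driving_licence"}       # not needed for testing at all: removed


def pseudonym(secret: bytes, value: str, prefix: str) -> str:
    """Deterministic artificial identifier: the same input always yields the same
    token, so records copied across several systems still join correctly, while
    the token cannot be reversed without the masking secret (HMAC-SHA256, truncated)."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:12]}"


def mask_row(secret: bytes, row: dict) -> dict:
    masked = {k: v for k, v in row.items() if k not in DROP_FIELDS}
    masked["name"] = pseudonym(secret, row["name"], "user")
    # keep a syntactically valid address so form validation paths are still exercised
    masked["email"] = pseudonym(secret, row["email"], "mail") + "@test.invalid"
    # synthetic date of birth: keep only the year so age-based rules can still be tested
    masked["dob"] = row["dob"][:4] + "-01-01"
    return masked


def mask_dataset(secret: bytes, rows: list) -> list:
    return [mask_row(secret, row) for row in rows]


def leaked_pii(original_rows: list, masked_rows: list) -> list:
    """QA check: (customer_id, field) for every original PII literal that still
    appears anywhere in the masked output. An empty list means no leak."""
    masked_text = repr(masked_rows)
    return [(row["customer_id"], field)
            for row in original_rows
            for field in sorted(PII_FIELDS | DROP_FIELDS)
            if str(row[field]) in masked_text]
```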