Test data management according to EU GDPR

marks the fourth anniversary of the entry hooked on the force of the GDPR. And like any other law or regulation, it is subject to annual changes and adjustments. However, many companies motionless do not comply with data protection requirements to the required extent. Especially once it comes to handling test data. This is an ideal weak spot for auditors during a potential audit. The big dilemma: How do you work realistically and GDPR-compliant in test environments?

vulnerability test data

Weaknesses often arise during an audit from test data, mainly concerning personal data to be deleteor complete, or when carrying out test system scenarios that are sometimes complex. These can also extend beyond national borders.

Unfortunately, often with severe findings that expose companies to the risk of high penalties. These penalties are up to 20 million euros or up to four per cent of the annual global turnover, whichever is more significant in the finish.

Even before the GDPR came into power, the Central Data Protection Act (BDSG) prohibited using personal data for test purposes (test data). Among other things, the GDPR 2018 has also significantly increased the data protection requirements for the use of the test system and, thus, in general, in the area of ​​test data management. And yet using accurate data in test environments is still common practice today. Companies often use software solutions such as test data management tools to protect data. (Font)

Identify threats in test data management

In test and development environments, many more people have access than in the manufacturing system. In addition to internal testers and designers, this can also include external advisors. One of the most extensive tests for many companies is to stop illegal third parties from accessing the data used. This is chiefly the case if data is move to third parties, rooms, etc., based on tests, for your analysis.

Generally, it can be said that the storage and processing of personal data and related personal information are base on regional legal requirements, such as, e.g., B. the GDPR is prohibited. However, there are exceptions; for example, companies are content with using a GDPR-compliant test data management tool. (Font)

What are the exclusions to the processing of private data?

Consent to conduct a business relationship is a typical exception to processing personal data. Examples are fulfilling an order, providing a service, or sending a newsletter.

In rare cases, companies are likely to use personal data in test environments as part of their test data management. For this purpose, the respective persons must have consented to such use. However, if the data was used without consent, this initiative represents a change of purpose, not to say a misappropriation. This must be irrefutably justified if the actual data (test data) is necessary for the test.

In this way, companies ensure GDPR-compliant test facts management. If the dispensation of personal data is based on a purpose other than the original, the RGPD, with data protection, requires:

 

Instead, the actual data should not be used explicitly for testing or similar drives.

The principles of data avoidance, data cheap, and data economy

Even before the GDPR came into strength, the BDSG in its previously valid form required economical storage and data avoidance. Even then, companies’ goal was to collect, process, and use as little personal data as possible.

With the principle of data economy, the GDPR takes a decisive step. Article 25(1) states:

If data in non-production environments are initially anonymize or at least pseudonymize testers and developers can continue to carry out their activities within the framework of the legal requirements. Procedures such as anonymization or pseudonymization are carry out with the help of a test data management tool. (Font)

Test data organization: not only relevant in the area of information protection

Test data organization is not only about data guard but likewise near the automated provision of test data, as offered by our dream squad Libelle SystemCopy and Libelle DataMasking. Restoring data after it has been used and recording the validity, age, and consumption status of test data are also essential components of test data supervision.

 

Leave a Reply

Your email address will not be published. Required fields are marked *