QA Financial Forum Chicago | 9 April 2024 | BOOK TICKETS
Search
Close this search box.

New EU data protection rules carry clout

pauline-brace-1569423521

 

Pauline Brace, Ultima Risk Management

Pauline Brace, Ultima Risk Management

 

Software developers who use customer’s personal data in test environments should get to know the European Union’s General Data Protection Regulation (GDPR), which has now been approved by the European Parliament.

The GDPR is designed to protect the privacy of consumer data gathered by firms operating in the EU and, while European regulators already have similar guidelines in place, these have not had the force of law behind them, which will have an impact on what kind of data is used in test environments. As a result, some firms have not been careful in how they have used customer personal data for testing purposes, said Pauline Brace, senior information security consultant at Ultima Risk Management, a Reading, UK-based security risk consultancy. The new legislation carries with it a real incentive for compliance: companies in breach of the regulations will be subject to fines of up to 4% of annual worldwide turnover.

The GDPR replaces the EU’s 1995 data protection directive, which was designed in a different era of internet use, and does not account for the way technology and data is used today or make any mention of anonymisation techniques.

The new regulation details companies’ obligations in managing personal data and also includes the right for individuals to have their data deleted and sent to a new organisation, the need for clear and affirmative consent before a company processes private data and the right to be informed when their personal data is compromised.

For software testers, a key consideration is that the GDPR makes it a legal requirement to ensure that personal data used by companies for testing purposes cannot be traced back to customers. In order to minimise the risk of violations of customer privacy, quality assurance teams must make use of data that is pseudoanonymised. The regulation defines this process for the first time in European legislation: it means selectively changing certain fields in the data — an obvious example being the name of the customer — to protect the identities of individuals.  

“The European regulation is really just restating requirements that we already have in major European states,” said Ultima Risk Management’s Brace. “What the GDPR does is clarify the obligations and gives them legal backing.” And that will likely entail significant changes for financial firms. A survey by data specialist firm Delphix found that around that 90% of the data used in non-production environments, including testing environments, is not currently masked,

“There is a lack of understanding,” said Brace. “Test managers will download live data and use it for testing. They don’t know that it needs to be pseudoanonymised. The GDPR will go some way to creating an incentive for firms to close that knowledge gap.”

EU member states now have two years to pass laws enforcing the GDPR.