A software product must pass through several test phases before it goes into production, and those phases need standardized data that simulates the real-world operation to come. To get it, many companies simply copy the database out of the production system and use it as test data. Yet that creates a data protection compliance problem as soon as any of the data contains personal information.
The EU General Data Protection Regulation (GDPR) stipulates that data may only be used for the purpose for which it was originally collected, and only if the affected person or people have given their consent to that usage (GDPR Art. 6, Paragraph 4, Section e). In addition, the requirements for test data are particularly stringent when it is used with specialized or industry-specific software, such as financial services solutions. These requirements include the use of a specific data format as well as compliance with strict data protection regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS). In this type of industry, the rules governing the use of test data are extremely strict.
The other side of the coin is that companies still need test scenarios to be as realistic as possible. Many of them get around the problem with manually created pseudo-entries – but this is a cumbersome and time-consuming solution that doesn’t always give testers the flexibility they need. The replacement values must keep the shape of the originals: for example, email addresses must still be recognizable as email addresses, and dates of birth must be in the usual format, so that the application can process them without generating error messages.
The areas that often use personal data for testing purposes include CRM applications as well as accounting and recruiting software. But companies also need to take care when they develop their own programs. If they use external development resources, they need to comply with strict data protection rules, because the developers have access to the original data in the course of their work. Since the GDPR came into effect, the golden rule is that companies may only use properly pseudonymized or anonymized data for testing purposes.
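The format-preserving replacement the previous paragraphs describe can be automated rather than typed in by hand. The following is an added example, not code from the article or from any product it mentions: it runs a keyed, deterministic pseudonymization over a constructed copy of a customer table. Equal inputs map to equal pseudonyms, so joins between tables still work, while email addresses stay syntactically valid, dates of birth stay in ISO format within a plausible age band, and card numbers keep their length and Luhn validity so PCI-style format checks still pass. The key, sample rows and name lists are all assumptions made up for the example. Because an HMAC-based scheme is reversible by whoever holds the key, the result is pseudonymized rather than anonymized data in GDPR terms; the key therefore has to stay out of the test environment.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Hypothetical key. A real deployment loads it from a secrets manager on the
# production side and never ships it with the test data.
KEY = b"example-pseudonymisation-key-do-not-reuse"

# Constructed sample rows standing in for a copy of a production table
# (none of these are real people or real cards).
RECORDS = [
    {"id": 1, "name": "Anna Schmidt", "email": "Anna.Schmidt@example.com",
     "dob": "1985-03-17", "pan": "4539578763621486"},
    {"id": 2, "name": "Ben Okafor", "email": "ben@example.org",
     "dob": "1992-11-02", "pan": "5555555555554444"},
    # Same person as row 1, e.g. from a second table: must map to the same pseudonyms.
    {"id": 3, "name": "Anna Schmidt", "email": "anna.schmidt@example.com",
     "dob": "1985-03-17", "pan": "4539578763621486"},
]

# Constructed pools of replacement names.
FIRST_NAMES = ["Alex", "Chris", "Dana", "Eli", "Jordan", "Kim", "Morgan", "Sam"]
LAST_NAMES = ["Berger", "Costa", "Dubois", "Ito", "Novak", "Patel", "Rossi", "Weber"]


def _tag(value: str, purpose: str) -> bytes:
    """Keyed, deterministic tag for one field. The purpose label separates the
    domains, so the same string used as a name and as an email gets different tags."""
    msg = purpose.encode() + b"\x00" + value.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def pseudonymize_email(email: str) -> str:
    """Keep the local@domain shape; drop the real local part and the real domain.
    '.invalid' is a reserved TLD, so test mail can never reach a live mailbox."""
    tag = _tag(email.strip().lower(), "email").hex()[:12]
    return f"user-{tag}@test.invalid"


def pseudonymize_name(name: str) -> str:
    """Replace the real name with one drawn from the constructed pools."""
    t = _tag(name.strip().lower(), "name")
    return f"{FIRST_NAMES[t[0] % len(FIRST_NAMES)]} {LAST_NAMES[t[1] % len(LAST_NAMES)]}"


def pseudonymize_dob(dob: str, max_shift_days: int = 365) -> str:
    """Shift the date by a keyed offset in [-max_shift_days, +max_shift_days].
    The output stays an ISO date and the age band stays roughly right."""
    d = date.fromisoformat(dob)
    span = 2 * max_shift_days + 1
    offset = int.from_bytes(_tag(dob, "dob")[:4], "big") % span - max_shift_days
    return (d + timedelta(days=offset)).isoformat()


def shift_days(original: str, pseudonym: str) -> int:
    """Helper for checking how far a pseudonymized date moved."""
    return (date.fromisoformat(pseudonym) - date.fromisoformat(original)).days


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def pseudonymize_pan(pan: str, keep_prefix: int = 6) -> str:
    """Keep length and the issuer prefix (the first six digits do not identify the
    cardholder), regenerate the remaining digits from the tag, then append a fresh
    Luhn check digit so the number still passes format validation."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    prefix = digits[:keep_prefix]
    body_len = len(digits) - keep_prefix - 1
    # 32 tag bytes give 32 digits; 'b % 10' is slightly biased, which is fine for test data.
    stream = "".join(str(b % 10) for b in _tag(digits, "pan"))
    payload = prefix + stream[:body_len]
    return payload + luhn_check_digit(payload)


def pseudonymize_record(row: dict) -> dict:
    out = dict(row)   # non-personal columns such as 'id' pass through unchanged
    out["name"] = pseudonymize_name(row["name"])
    out["email"] = pseudonymize_email(row["email"])
    out["dob"] = pseudonymize_dob(row["dob"])
    out["pan"] = pseudonymize_pan(row["pan"])
    return out


def pseudonymize_all(rows=RECORDS) -> list:
    return [pseudonymize_record(r) for r in rows]


if __name__ == "__main__":
    for row in pseudonymize_all():
        print(row)
```

Rows 1 and 3 come out with identical pseudonyms, which is what lets the test database keep its foreign-key relationships; the `id` column is passed through untouched because it carries no personal information on its own. Fully anonymized output would additionally need the key destroyed after the run and the date shift widened or replaced by bucketing, depending on how small the affected groups are.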