April 4, 2022

Test Data Management in Compliance with the EU-GDPR

AuthorMichael Schwenk

May 25th, 2022 will mark the fourth anniversary of the entry into force of the GDPR. And like any other law or regulation, it is subject to annual changes and adaptations. However, many companies still do not comply with the data protection requirements to the required extent. Especially when it comes to dealing with test data. This is an ideal weak point for auditors during any possible audit. The big dilemma: How to work realistically and GDPR-compliant in the test environments?

Vulnerability test data

Vulnerabilities often arise during an audit due to thetest data, especially in relation to personal data to be deleted or in total, or during the realization of sometimes complex test system landscapes. These can also be extended across national borders.

Often, unfortunately, with the result of serious findings, exposing companies to the risk of high penalties. These penalties amount to up to 20 million euros or up to four percent of global annual turnover - whichever is higher in the end.

Even before the GDPR came into force, the Federal Data Protection Act (BDSG) prohibited the use of personal data for testing purposes (test data). Among many other things, in 2018 the DSGVO also enormously increased the data protection-compliant requirements for the use of test system and thus also generally in the area of test data management. And yet, the using of real data in test environments is still a common practice today. Software solutions such as test data management tools are often used here within companies in order to maintain data protection. (Source)

Identify threats in test data management

In test and development environments, access is often granted to many more people than being the case within the production system. In addition to internal testers and developers, this can include external consultants. One of the biggest challenges for many companies is to prevent unauthorized third parties from accessing the data used. This is especially the case when, as a result of tests, the data flows to third parties, fourth parties, etc. for analysis.

In general, it can be said that the storage and processing of personal and personal-related data is prohibited due to regional legal requirements, such as the GDPR. Nevertheless, there are exceptions, for example, companies make do here with the use of a GDPR-compliant test datamanagement tool. (Source)

What are the exceptions to the processing of personal data?

A typical exception to the processing of personal data is consent for the purpose of fulfilling a business relationship. Common examples include fulfilling an order, providing a service, or sending a newsletter.

In the rarest of cases, companies are likely to use personal data in test environments within their test data management. For this,the respective people must have agreed or consented to this use. If the data was nevertheless used without consent, this initially represents a change of purpose, not to say a misappropriation. If real data (test data) is absolutely required for the test, this must be justified in a water tight manner.

If the data in non-production environments is first anonymized or at least pseudonymized, testers and developers are still able to carry out their activities within legal requirements. Procedures such as anonymization or pseudonymization are performed with the help of a test datamanagement tool. (Source)

This is a way for companies to ensure GDPR-compliant test data management. If the processing of personal data is based on a purpose other than the original one, the GDPR requires in terms of data protection:

"...the existence of appropriate safeguards, which may include encryption or pseudonymization."

(Source: GDPR Article 6(4)(e))

Conversely, this means that the real data must explicitly not be used for testing or similar purposes.

The principles of data avoidance, data economy and data minimization

Prior to the entry into force of the GDPR, the BDSG in its form valid until then already demanded that data be stored sparingly andeven avoided. Even then, the goal for companies was to collect, process and usepersonal data as little as possible.

With the principle of data minimization, the GDPR goes a decisive step further. Article 25, paragraph 1 states:

"Taking into account the state of the art, thecosts of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural people represented by the processing, the controller shall implement appropriate technical and organizational measures - such as pseudonymization - designed to effectively implement data protection principles such as data minimization and to incorporate the necessary safeguards into the processing in order to meet the requirements of this regulation and to protect the rights of data subjects."

(Source: GDPR Article 25(1))

With this regulation come fines. In and of itself, nowadays no company can avoid using software such as Libelle DataMasking. With this test data management tool, the use of corresponding test data can be made legally compliant and a GDPR-compliant test data management can be used. (Source)

Test data management: Not only relevant in the area of data protection

Test data management is not only about data protection, but also about the automated provision of test data, as offered by our dream team Libelle SystemCopy and Libelle DataMasking. Resetting data after it has been used, logging the validity, age andconsumption status of test data are also important parts of test data management.

Read more about this in our blog post on "What is test data management (TDM) actually?" or take the Libelle Data Protection Quick Check for your test data management.

Recommended articles
December 22, 2022 Libelle IT Glossary Part 22: What is DevOps?
December 19, 2022 Anonymized data in the data pipeline

All blog articles