With such a deluge of content available right now on the introduction of the General Data Protection Regulation, this article has been written for anyone involved in the development, testing and implementation of software within the UK.
First up, I’m going to assume that if you’re reading this article you’re aware of the basics: that from 25 May 2018 the General Data Protection Regulation applies and will dramatically change how organisations process and store personal data within the UK, and that the ICO can hand out significant fines should you fail to comply. Often overlooked are the other corrective powers and sanctions the ICO has to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries. A processing ban alone could lead to a significant loss of revenue, so fines are not the only risk.
This article does not impart any legal advice. It will, however, brief you on some of the important areas of the GDPR so that you can undertake your own programme of work to apply the framework to your organisation.
Why is the software delivery team affected?
The ICO states that “the GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.” This covers a wide range of information, including names, email addresses, IP addresses, postal addresses and so on. The software delivery team is affected twice over: it wants test data that is as close to real life as possible, and in many cases it architects the mechanisms by which personal data is captured in the first place. It is also worth dispelling the misconception that business-to-business data, such as a named employee’s work email address, falls outside the scope of the GDPR. It does not: anything that identifies an individual is personal data, whoever employs them.
Tip one: Anonymise your test data!
This one almost goes without saying, but you need to anonymise your test data. If your organisation copies production data into a non-production environment for testing, the GDPR applies to that copy just as much as it does to the production system.
Moving forward, production data should no longer be copied into test environments without anonymisation. Whilst data anonymisation is a fairly simple concept, having a scalable approach that meets the demands of projects whilst keeping the data as close to real life as technically possible is difficult, and in practice it is often done inconsistently. This is most commonly solved with a data masking or data anonymisation solution, which gives predictability and scalability. It is also vital that the anonymisation cannot be reversed: masking that can be undone with a key or a lookup table is pseudonymisation, and pseudonymised data is still personal data under the GDPR, so it stays in scope.
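The two properties the paragraph above asks for, consistent output across a project (so joins between tables still work) and no way back to the original values, are easy to get wrong with ad-hoc scripts. The following is an added example, not the article’s own code nor any nFocus tool, of how a small masking pass can satisfy both. It assumes the data arrives as a list of dict rows with the field names shown; the customer and order rows are constructed sample data, not real people. The per-run key is generated in memory and never written anywhere, so once the process exits the mapping from real value to token no longer exists; IP addresses and postcodes are generalised rather than hashed, because a hash of a low-entropy value can be brute-forced.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample extract (not real people): a customers table and an orders
# table that references customers by email, as a copied production dump might.
CUSTOMERS = [
    {"id": 1001, "name": "Alice Smith", "email": "alice.smith@example.com",
     "last_ip": "203.0.113.57", "postcode": "SW1A 1AA"},
    {"id": 1002, "name": "Bob Jones", "email": "bob@example.org",
     "last_ip": "2001:db8:1234:5678::9", "postcode": "M1 1AE"},
]
ORDERS = [
    {"order_id": 1, "customer_email": "Alice.Smith@Example.com", "total": 19.99},
    {"order_id": 2, "customer_email": "bob@example.org", "total": 5.00},
]

PERSONAL_FIELDS = ("name", "email", "last_ip", "postcode")

# Per-run secret, never persisted (assumption of this example). Within a run the
# same input always yields the same token, so joins survive; once the process
# exits the key is gone and nobody can rebuild the mapping. Keeping the key would
# turn this into pseudonymisation, which the GDPR still treats as personal data.
_RUN_KEY = secrets.token_bytes(32)

FIRST_NAMES = ["Pat", "Sam", "Alex", "Jo", "Chris", "Robin", "Kim", "Lee"]
LAST_NAMES = ["Taylor", "Brown", "Wilson", "Evans", "Davies", "Roberts", "Walker", "Hall"]


def _token(value: str, length: int = 12) -> str:
    """Keyed hash of a normalised value, truncated for readability."""
    digest = hmac.new(_RUN_KEY, value.strip().lower().encode(), hashlib.sha256).digest()
    return digest.hex()[:length]


def mask_name(name: str) -> str:
    """Synthetic name chosen from a fixed pool, selected by the input's token."""
    t = int(_token(name), 16)
    first = FIRST_NAMES[t % len(FIRST_NAMES)]
    last = LAST_NAMES[(t // len(FIRST_NAMES)) % len(LAST_NAMES)]
    return f"{first} {last}"


def mask_email(email: str) -> str:
    """Whole address replaced; case and whitespace differences collapse to one token."""
    return f"user-{_token(email)}@example.com"


def mask_ip(ip: str) -> str:
    """Generalise rather than hash: keep only the /16 (IPv4) or /32 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def mask_postcode(postcode: str) -> str:
    """Keep the outward code only (district level), e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.strip().upper().split()[0]


MASKERS = {"name": mask_name, "email": mask_email, "last_ip": mask_ip, "postcode": mask_postcode}


def mask_dataset(customers, orders):
    """Return masked copies of both tables with the email join still intact."""
    masked_customers = []
    for row in customers:
        masked = dict(row)
        for field, fn in MASKERS.items():
            masked[field] = fn(row[field])
        masked_customers.append(masked)
    masked_orders = [dict(o, customer_email=mask_email(o["customer_email"])) for o in orders]
    return masked_customers, masked_orders


def leaked_values(original_rows, masked_rows, fields=PERSONAL_FIELDS):
    """Post-masking check: original personal values that survived verbatim (should be none)."""
    originals = {str(r[f]).strip().lower() for r in original_rows for f in fields if f in r}
    seen = {str(v).strip().lower() for r in masked_rows for v in r.values()}
    return sorted(originals & seen)


def orphaned_orders(masked_customers, masked_orders):
    """Referential-integrity check: order ids whose customer no longer resolves."""
    emails = {c["email"] for c in masked_customers}
    return [o["order_id"] for o in masked_orders if o["customer_email"] not in emails]


if __name__ == "__main__":
    mc, mo = mask_dataset(CUSTOMERS, ORDERS)
    for row in mc:
        print(row)
    print("leaked:", leaked_values(CUSTOMERS, mc + mo), "orphaned:", orphaned_orders(mc, mo))
```

The two check functions at the end are the part worth keeping in a real pipeline: run them on every refresh, and fail the refresh if anything leaks or any join breaks. Generalising IPs and postcodes still leaves quasi-identifiers that, combined on a small dataset, might single someone out, so on real extracts look at the combinations too, not just each column in isolation.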
Perhaps the greatest challenge is for those who are already using production data as test data. Untangling this web may be problematic, and a project needs to be put in place to audit what personal data is being used, who is using it and how it can be replaced, and then to plan and implement those changes. nFocus can support with this if you’re finding it particularly challenging.
Tip two: You are now responsible for your third-party suppliers.
The software delivery team will likely work with contractors, consultancies, tool vendors and many other organisations that have access to personal data. As the controller, you remain accountable for how those organisations handle your data, including any breaches they suffer. This is important!
To understand this area, it’s worth exploring processors and controllers. Put simply, the controller determines the purposes and means of processing personal data, whereas the processor processes personal data on behalf of a controller. The ICO provides a helpful overview if you want a more detailed insight. As an example, a software product company that processes and stores its users’ data is a data controller, whereas the payment plugin that captures personal data as part of the checkout process would be a data processor acting on the controller’s behalf.
There are specific legal obligations on both processors and controllers, but importantly, as a controller you are obliged to have a written contract with each processor that meets the GDPR’s requirements, and you can be held liable should the processor suffer a breach. You will need to audit all suppliers who have access to your data and ensure they are also correctly adopting the principles of the GDPR. If you have a large number of suppliers, consider an audit/risk assessment solution that can email each of them a consistent survey designed to assess GDPR readiness and adoption, and that provides evidence further down the line that you have assessed your third parties.
Tip three: Limit access to personal data to those that really need it
The GDPR makes it crystal clear that only those with a business need for the data should have access to it. Anonymised test data makes this straightforward for non-production environments, but if the whole team is responsible for anonymising the data, and therefore has access to the raw data, you will not be complying with the principle. A small number of the team should be responsible for managing the data anonymisation process, and only they should be able to read the unmasked source.
Along the same lines, does the whole team currently have access to live production data? If so, do they really need it? If not, you need to restrict access.
Tip four: Transferring data outside the EU – be careful
Under the GDPR you can transfer personal data freely within the EU and to the territories the European Commission has recognised as providing adequate protection for personal data. Transfers anywhere else need an appropriate safeguard, such as standard contractual clauses, or one of the narrow exceptions. The ICO publishes useful advice on this. Permissions should be configured so that data cannot be transferred to territories outside this list, with alerts to monitor data exports.
Tip five: Create your GDPR Strategy
By now your organisation should be well on its way to producing a GDPR strategy and will be beginning to roll out new processes to ensure the whole organisation is adopting the principles outlined in the GDPR. If not, you need to be chasing your Data Protection Officer (DPO) or the person/team responsible for data protection to understand where they are in the process. Time is beginning to run short, but it isn’t too late. There are a number of fast-track solutions out there to support you; for example, we’ve developed a Quick Start Workshop aimed at organisations involved in software development/delivery to investigate existing data practices and deliver a roadmap to overcome any obstacles.
Tip six: Data auditing and monitoring post May 25th
The GDPR should not be viewed as a one-off project. Compliance is an ongoing process: the organisation and the IT delivery team should continually check what data is being used, whether it is still being used for the same purpose, whether the same people still need access to it, whether the retention policy is still accurate, and so on.
The GDPR is a time-consuming and challenging process for the whole organisation, and the software delivery and IT function will carry a large share of the responsibility for implementing the wide-reaching changes needed to apply it appropriately. It will have a massive impact on testing and test data: the data minimisation and purpose limitation principles mean organisations will, in practice, need to anonymise test data, and those who already have a spider web of personal data in non-production environments have a huge job ahead to untangle it and implement the necessary changes. You remain accountable for third-party access to your data, so make sure your suppliers are adopting the GDPR or risk being fined. Make sure only people with a real business reason for accessing personal data can access it. Put processes in place to ensure data is not transferred to territories outside the EU that are not on the list of adequate territories. Your organisation should be creating a GDPR strategy, and if you’re not aware of one, you need to be asking why not. And lastly, the GDPR is here to stay and is not a one-off activity: put steps in place to continually monitor and review processes so that you keep meeting its requirements.
I highly recommend you read the ICO’s “12 steps to take now” resource. nFocus Testing have also developed a range of services to support you, including: