If a company uses production data in test activities to ensure software quality, then it is a Data Processor and hence required to safeguard personal data under GDPR.
4. 6 % Completely prepared
60 % “Somewhat prepared”
15 % “Slightly prepared”.
Diginomica UK government research – 94% of FTSE 350 under prepared for GDPR
10 % Totally compliant
44 % They didn’t know how close
crn.com Survey Shows Customers Are Behind, Misinformed On GDPR Compliance
GDPR - Awareness
Khurram Bhatti / DPOrganizer - Talk
on GDPR and Software Quality
5. 2012 – Proposed
2016 – Finalized
2018 – Enforced
Replaces
Data Protection Directive 1995
Up to €20 million or 4% of global annual turnover
8. WHY – GDPR?
130 million
Cost of informing 28 DPAs – old system
2.3 billion
Economic benefits - GDPR
One Law
Customer Confidence
Boost Business
9. Personal
Data
1. Who you are?
2. Why you are processing data?
3. How long will it be stored?
4. Who receives it?
Product/Service
Database
Communication
Consent
Right to be forgotten
Breach-72H
Data transfer outside EU
Portability
Processor A
Other Recipients
Controller
12. (Consent Art 4, Art 13 and Art 7)
86 % Testers routinely use real customer data
extracted from production systems
43% Don’t anonymize test data at all, or are
unsure if they do
53% Securing Consent permissions as one of the
biggest hurdles in GDPR compliance
Global CIO survey
Test
Data
13. “Data rendered anonymous
in such a way that the data
subject is not or no longer
identifiable.”
Recital 26/GDPR
“The processing of personal data in
such a way that the data can no
longer be attributed to a specific
data subject without the use of
additional information.”
Article 4(5), Art 25 /GDPR
Anonymization
Pseudonymisation
Test
Data
What do we mean?
De-identified data separate from “additional information”
It is permitted to process pseudonymised data for uses beyond the
purpose for which the data was originally collected. (Article 6(4)(e) )
15. 87 percent of Americans can be
identified by three unique
identifiers (gender, date of birth
and zip code)
Latanya Sweeney, “Simple Demographics Often Identify People Uniquely,” Carnegie Mellon University, 2000
Masking
Synthetic data generation
Hybrid-Approach
Test
Data
What to do?
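The masking step and the Sweeney point above, as an added example that is not part of the talk: direct identifiers are replaced with keyed tokens (the key is the separately held "additional information"), and the smallest group sharing gender, date of birth and zip code is measured before and after coarsening. Field names, sample rows, the key and the k-anonymity measure are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample rows standing in for a production extract (not real data).
ROWS = [
    {"name": "Anna Berg", "email": "anna@example.com", "gender": "F", "dob": "1984-03-12", "zip": "11122"},
    {"name": "Eva Lind", "email": "eva@example.com", "gender": "F", "dob": "1986-07-30", "zip": "11145"},
    {"name": "Omar Khan", "email": "omar@example.com", "gender": "M", "dob": "1991-01-05", "zip": "41301"},
    {"name": "Lars Holm", "email": "lars@example.com", "gender": "M", "dob": "1995-11-23", "zip": "41319"},
    {"name": "Sara Ek", "email": "sara@example.com", "gender": "F", "dob": "1989-09-09", "zip": "11160"},
    {"name": "Ali Demir", "email": "ali@example.com", "gender": "M", "dob": "1990-06-17", "zip": "41377"},
]
DIRECT = ("name", "email")          # direct identifiers
QUASI = ("gender", "dob", "zip")    # the three identifiers from Sweeney's study

def pseudonymise(row, key):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens (truncated for readability).
    The key is the "additional information": keep it outside the test environment."""
    out = dict(row)
    for field in DIRECT:
        out[field] = hmac.new(key, row[field].encode(), hashlib.sha256).hexdigest()[:16]
    return out

def generalise(row):
    """Coarsen quasi-identifiers: birth decade and 3-digit zip prefix."""
    out = dict(row)
    out["dob"] = row["dob"][:3] + "0s"
    out["zip"] = row["zip"][:3] + "**"
    return out

def smallest_group(rows):
    """Size of the smallest set of rows sharing all quasi-identifier values (the k in k-anonymity)."""
    groups = Counter(tuple(r[q] for q in QUASI) for r in rows)
    return min(groups.values())

def build_test_data(rows, key):
    """Pseudonymise direct identifiers, then generalise quasi-identifiers."""
    return [generalise(pseudonymise(r, key)) for r in rows]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; load from a secret store in practice
    masked = [pseudonymise(r, key) for r in ROWS]
    print("k after masking direct identifiers only:", smallest_group(masked))
    print("k after also generalising:", smallest_group(build_test_data(ROWS, key)))
```

The same key always yields the same token, so joins across test tables still line up; a smallest group of 1 means at least one row is still unique on the three quasi-identifiers.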