Importance of GDPR Testing

With the growing number of data sources in the digital era, the volume of data created and stored continues to grow at an unprecedented rate. While most organizations focus on acquiring and processing data, it is equally important to safeguard that data from corruption, compromise or loss. The data protection laws in force before 2018 had been overtaken by changes in technology, so data privacy and processing rules needed to be strengthened.

The General Data Protection Regulation (GDPR) came into force in EU law on 25 May 2018 with the primary objective of introducing tougher enforcement and thereby improving trust in the digital economy. It gives individuals more control over what information businesses may collect about them and how it is handled. It also obliges organizations to protect personal data diligently and to be able to demonstrate how that data is protected (the accountability principle). Every business dealing with EU data subjects needs to know how to define, store and process personal data and to confirm that it adheres to the regulation. Failing to comply not only attracts substantial fines (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher) but also damages the business's reputation.

Role of Tester

Quality Assurance is the most critical area for evaluating whether applications comply with the GDPR in the way they collect, process and store customers' personal data. A QA tester must understand all PII elements well before testing starts and must validate that sensitive information is not exposed in lower environments. PII stored in test instances should be either encrypted or masked so that it cannot be deciphered by unintended users. QA testers also need to ensure that the data privacy notices shown on web forms are well defined, so that PII is captured in a GDPR-compliant way. If a company hands testing responsibility and real customer data to an outsourced testing service, the organization remains the controller and must still ensure that the vendor manages test data in compliance with the GDPR. Companies in the business of developing and testing software may find themselves forced to change their entire software development and testing lifecycle.

Focus areas for testing

Given the importance of the GDPR, it is crucial to validate the application against all of its requirements and confirm that each one is satisfied. The QA process therefore plays a vital role in testing the functionality, features and behavioural changes that the regulation requires of the application. Some of the possible test areas are:

1) Validate all the policies from requirements:

Testers need to ensure that privacy policies are easily accessible and written in plain language, covering all aspects of personal data processing. A privacy policy should clearly state the purposes for which personal data is processed and give the user the ability to allow or object to each type of processing.

Ex: If a client asks for a privacy policy that satisfies, say, Article 12 of the GDPR (transparent information and communication with the data subject), the requirements should spell out what the article demands and the acceptance criteria should be clear and concise. QA should then run tests that confirm the application adheres to those requirements without any deviation.

2) Use masked or synthetic data for testing:

When validating website forms, third-party integrated components and so on, test data is the key to guaranteeing that end-to-end functionality works for all customers, so production-like test data is needed to validate the business requirements. Either a copy of the actual production data should be masked, or synthetic data should be generated with one of the data generation tools available. Tools such as Mockaroo or the IBM DB2 test data generator can automate this. Whichever approach is used, verify that no original personal value survives verbatim in the test copy and that masking is applied consistently across tables; otherwise joins and foreign keys break and the masked data no longer exercises the real code paths.
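The following is an added example of the masking approach described above; it is not code from the original article or from any of the tools it names. It assumes a hypothetical masking key (MASK_KEY) held outside the test environment, and the table layouts and rows are constructed for illustration. Pseudonyms are derived with a keyed HMAC so that the same input always yields the same token, which keeps the relationship between the customers table and the orders table intact, while dates of birth are generalised and phone numbers keep their format and country code.

```python
import hashlib
import hmac
import itertools

# Hypothetical masking key (assumption, not from the article). It must live in a
# secret store on the masking host and never be shipped to the test environment
# together with the masked copy, otherwise pseudonyms can be recomputed.
MASK_KEY = b"example-masking-key-rotate-me"

# Constructed rows standing in for a copy of two production tables.
CUSTOMERS = [
    {"id": 1, "full_name": "John Smith", "email": "john.smith@example.com",
     "dob": "1984-03-12", "phone": "+44 7700 900123"},
    {"id": 2, "full_name": "Anna Müller", "email": "anna@example.org",
     "dob": "1991-11-02", "phone": "+49 151 12345678"},
]
ORDERS = [  # keyed by customer e-mail, as some legacy schemas are
    {"order_id": 10, "customer_email": "john.smith@example.com", "total_cents": 4999},
    {"order_id": 11, "customer_email": "anna@example.org", "total_cents": 1500},
]


def pseudonym(value: str, length: int = 12) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins keep
    working, but without the key the token cannot be reversed or re-identified."""
    digest = hmac.new(MASK_KEY, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


def mask_email(email: str) -> str:
    # Whole-address pseudonym under a reserved domain: still a syntactically valid
    # address, but mail sent from a test run can never reach a real person.
    return f"{pseudonym(email)}@example.test"


def mask_name(name: str) -> str:
    return f"user_{pseudonym(name, 8)}"


def mask_dob(dob: str) -> str:
    # Generalise to the year: age-based logic still works, the exact birthday is gone.
    return f"{dob[:4]}-01-01"


def mask_phone(phone: str) -> str:
    # Keep the formatting and the first two digits (country code) so that number
    # validation and routing logic are exercised; replace the remaining digits
    # with digits derived from the keyed hash.
    replacement = itertools.cycle(str(int(pseudonym(phone, 16), 16)))
    out, kept = [], 0
    for ch in phone:
        if ch.isdigit() and kept < 2:
            out.append(ch)
            kept += 1
        elif ch.isdigit():
            out.append(next(replacement))
        else:
            out.append(ch)
    return "".join(out)


# Columns that carry personal data and the masker to apply to each.
MASKERS = {"full_name": mask_name, "email": mask_email, "dob": mask_dob,
           "phone": mask_phone, "customer_email": mask_email}


def mask_row(row: dict) -> dict:
    """Mask every column that has a masker; leave non-personal columns untouched."""
    return {col: MASKERS[col](val) if col in MASKERS else val for col, val in row.items()}


def mask_tables(*tables):
    return [[mask_row(r) for r in t] for t in tables]


def leaked_values(original_rows, masked_rows):
    """Any original personal value that still appears verbatim in the masked copy.
    An empty list is the acceptance check before the copy leaves the masking host."""
    masked_text = " ".join(str(v) for r in masked_rows for v in r.values())
    return sorted({str(v) for r in original_rows for c, v in r.items()
                   if c in MASKERS and str(v) in masked_text})


if __name__ == "__main__":
    masked_customers, masked_orders = mask_tables(CUSTOMERS, ORDERS)
    for row in masked_customers + masked_orders:
        print(row)
    print("leaked:", leaked_values(CUSTOMERS + ORDERS, masked_customers + masked_orders))
```

The deterministic pseudonym is what makes the masked orders still join to the masked customers; the trade-off is that anyone holding MASK_KEY can re-identify a record, which is why the key is treated as a production secret.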

3) Level of customer data usage:

Identifying the different levels of data and guarding and protecting each of them is necessary for GDPR compliance. The information supplied by a customer may amount to PII (personally identifiable information), but whether it does can vary from individual to individual and depends on what other data it is combined with.

Ex: A customer's first name, say "John", might not identify anyone on its own, but the combination of full name and date of birth can, and that combination is private information about the client that must not be exposed to the public. In short, to what level data may be used, and how it must be secured, is an important factor in testing GDPR compliance.

4) Disposal of unused or unnecessary data:

Once data has been used and a certain period has passed, it may no longer be relevant or needed, and the customer may ask what has been done with the information captured earlier. It is the company's responsibility to inform the customer and to securely dispose of all unnecessary or unused data from the database and from every other place it was copied to (backups, logs, exports, test environments). QA must then check that the unwanted information has actually been removed from every system, with no impact on the remaining customer data.

Ex: If details such as a customer's middle name, birthplace or driving licence number are not needed to maintain the profile, the customer should be notified in advance and the values discarded securely, without breaking any other area of the application.
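The following is an added example of the disposal check in the preceding example; it is not code from the original article. It uses an in-memory SQLite database with a constructed schema (customers, orders, support_notes) and constructed rows, all hypothetical. It retires the middle name, birthplace and licence number columns, then searches every column of every table for residual copies of the removed values, which turns up the licence number a support agent had pasted into a free-text note. Only explicitly reviewed free-text columns are scrubbed, so that other customers' records are never touched, and the orders table is compared before and after to confirm nothing else changed.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (not real customer data) for the disposal check."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, full_name TEXT, email TEXT,
                               middle_name TEXT, birthplace TEXT, licence_no TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER,
                            total_cents INTEGER, shipped_to TEXT);
        CREATE TABLE support_notes(id INTEGER PRIMARY KEY, customer_id INTEGER, note TEXT);
        INSERT INTO customers VALUES (1, 'John Smith', 'john.smith@example.com',
                                      'Arthur', 'Harrogate', 'DL-7781-2034');
        INSERT INTO customers VALUES (2, 'Anna Müller', 'anna@example.org', NULL, NULL, NULL);
        INSERT INTO orders VALUES (10, 1, 4999, 'John Smith, 1 High St, Leeds');
        INSERT INTO orders VALUES (11, 2, 1500, 'Anna Müller, Hauptstr. 5, Berlin');
        -- A copy of the licence number survives in free text: disposal must catch this too.
        INSERT INTO support_notes VALUES (1, 1, 'Age check done with licence DL-7781-2034');
        INSERT INTO support_notes VALUES (2, 2, 'Asked for a copy of invoice 11');
    """)
    return conn


def all_columns(conn):
    """Yield (table, column) for every column; SQLite is dynamically typed, so all are checked."""
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for info in conn.execute(f'PRAGMA table_info("{table}")'):
            yield table, info[1]


def retire_fields(conn, table, columns):
    """Null out columns that are no longer needed. Returns the distinct values removed so
    the caller can verify that no copy of them survives anywhere else."""
    removed = set()
    for column in columns:
        for (value,) in conn.execute(f'SELECT "{column}" FROM "{table}" WHERE "{column}" IS NOT NULL'):
            removed.add(str(value))
        conn.execute(f'UPDATE "{table}" SET "{column}" = NULL')
    conn.commit()
    return removed


def find_values(conn, values):
    """Every (table, column, rowid) whose cell still contains one of the values as a substring.
    Short or common values will produce false positives; the list is for human review."""
    hits = []
    needles = [v for v in values if v]
    for table, column in all_columns(conn):
        for needle in needles:
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr(CAST("{column}" AS TEXT), ?) > 0',
                (needle,)).fetchall()
            hits.extend((table, column, r[0]) for r in rows)
    return hits


def scrub_text_columns(conn, values, targets, placeholder="[removed]"):
    """Replace residual copies of retired values in the named free-text columns only.
    Targets are chosen after reviewing find_values(): blanket substring replacement across
    every table could damage other customers' records that happen to share a value."""
    changed = 0
    for table, column in targets:
        for needle in values:
            cur = conn.execute(
                f'UPDATE "{table}" SET "{column}" = replace("{column}", ?, ?) '
                f'WHERE instr("{column}", ?) > 0', (needle, placeholder, needle))
            changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    gone = retire_fields(db, "customers", ["middle_name", "birthplace", "licence_no"])
    print("residual copies:", find_values(db, gone))
    scrub_text_columns(db, gone, targets=[("support_notes", "note")])
    print("after scrub:", find_values(db, gone))
```

In a real engagement the same residual search is run against backups, exports and test databases, not only the live schema, since those are the copies the article's first step is meant to inventory.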

5) Data trust cliff:

Customers share more and more data as they use features, offers and partner businesses within an application, which builds a substantial relationship of trust with the company. One wrong step can cause a data breach and destroy that reputation outright. Not only confidential or restricted information but also data classified as public must be protected against cyber threats. Hence, when collecting information from customers in bulk, where the risk of intruders is unavoidable, data governance becomes even more critical.

Ex: "Contact us" forms contain personal data, and if the submission is sent in plain text (HTTP instead of HTTPS) there is a high chance of interception. The QA team needs to run security tests to ensure that such threats are identified and the necessary controls are in place: check that both the page and the form's action URL are served over HTTPS and that the server does not fall back to plain HTTP for the submission.

6) Historical data:

Organizations providing customer services should keep a complete record of current and historical client data for as long as their retention rules allow (the storage-limitation principle still applies). Any necessary information should be identifiable and easy for clients to access at any moment, which helps customers trace their own details and supports the right of access.

Ex: Customers may ask for information from past transactions to trace orders. In such cases the company should be able to supply all the data the client is looking for without any loss. QA tests should focus on whether the legacy data is correct, secure and consistent with the current data.

Steps to make your Testing GDPR compliant

1. Document the use of personal data in test environments:

Documenting personal data should be the first step in your GDPR compliance process. This includes listing the data in backups and in every replica that testers have created for themselves. This step may expose uncomfortable surprises, such as large amounts of personal data in test database tables, or addresses buried in free-text log columns.
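The following is an added example of the inventory step above; it is not code from the original article. It builds a constructed in-memory SQLite database (a customers table, a tester's ad-hoc copy of it, a session log with an address in free text, and a clean products table; all names hypothetical) and then walks every table and column, flagging columns whose sampled values match an e-mail or international phone pattern and columns whose names suggest personal data. The output is the kind of list that step 1 asks for, and the backup copy and the log column are exactly the surprises it is meant to expose.

```python
import re
import sqlite3

# Deliberately conservative patterns: an e-mail address, and an international
# phone number with a leading country code. Bare digit runs are not matched,
# because order numbers and timestamps would drown the report in false positives.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}[\s-]?\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}"),
}
# Column names that usually hold personal data even when no value pattern matches.
SUSPECT_WORDS = ("name", "email", "phone", "dob", "birth", "address", "passport", "licence")


def build_sample_db() -> sqlite3.Connection:
    """Constructed test database (not real data): a customers table, a tester's copy of it,
    a log table with an address buried in free text, and a products table with no personal data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, full_name TEXT, email TEXT, phone TEXT);
        CREATE TABLE customers_bak_jan(id INTEGER, full_name TEXT, email TEXT, phone TEXT);
        CREATE TABLE session_log(id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE products(id INTEGER PRIMARY KEY, sku TEXT, price_cents INTEGER);
        INSERT INTO customers VALUES (1, 'John Smith', 'john.smith@example.com', '+44 7700 900123');
        INSERT INTO customers VALUES (2, 'Anna Müller', 'anna@example.org', '+49 151 12345678');
        INSERT INTO customers_bak_jan SELECT * FROM customers;
        INSERT INTO session_log VALUES (1, 'password reset link sent to jane.doe@example.org');
        INSERT INTO session_log VALUES (2, 'order 2023-01-01 10:00:00 confirmed');
        INSERT INTO products VALUES (1, 'SKU-0001', 1999);
    """)
    return conn


def scan_database(conn, sample_rows=1000):
    """Inventory every table: which columns carry personal data, by value pattern or by name.
    Returns one finding per (table, column, kind) with the number of sampled rows that matched."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # Table names come from the catalogue, not from user input; quoting keeps odd names working.
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        total = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        rows = conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (sample_rows,)).fetchall()
        for idx, column in enumerate(columns):
            for kind, pattern in PATTERNS.items():
                matches = sum(1 for row in rows
                              if isinstance(row[idx], str) and pattern.search(row[idx]))
                if matches:
                    findings.append({"table": table, "column": column, "kind": kind,
                                     "matches": matches, "rows": total})
            if any(word in column.lower() for word in SUSPECT_WORDS):
                findings.append({"table": table, "column": column, "kind": "column-name",
                                 "matches": 0, "rows": total})
    return findings


def report(findings) -> str:
    """One line per finding, suitable for pasting into the data inventory."""
    return "\n".join(f'{f["table"]}.{f["column"]}: {f["kind"]} ({f["matches"]} of {f["rows"]} rows)'
                     for f in findings)


if __name__ == "__main__":
    print(report(scan_database(build_sample_db())))
```

Sampling the first rows is enough to spot which columns are affected; the row count per table is what shows how much personal data the replica actually holds. Pattern-based scanning cannot see names or dates of birth on its own, which is why the column-name heuristic is kept alongside it and why the result still needs a human review.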

2. Develop a smooth test data management process:

A lean and adaptable process is needed to stay in control of test data. Documenting where the real data comes from and where it goes is essential. Under the General Data Protection Regulation (EU) 2016/679, no personal data should be exposed to business users, software testers, test managers or other team members during the development, maintenance and test phases.

3. Employ a combination of masked and synthetic data for testing:

Masking test data seems the obvious option, but on its own it may not yield the right results, especially in enterprise-scale test data management where multiple systems hold redundant copies of the same data and must stay consistent with each other. Hence it is prudent to use a combination of carefully masked data and synthetic data.

4. A proper review of privacy policies:

Privacy policies must be articulated accurately. There must be a specific purpose for collecting, sharing, storing and using personal data, including any sharing with third-party processors. Consequently, you should also review those third parties' policies to make sure that they too adhere to the GDPR.


The QA team's initial focus is to gain a complete understanding of the GDPR requirements and prepare a robust test strategy covering all the areas discussed above, well before testing starts. The QA team needs to collaborate with both business and technical teams to understand data classification, processing and storage, and to prepare a validation checklist that helps them thoroughly test the front end, back end and application security for GDPR compliance.
