With a few months to go until the new data protection legislation comes into effect, we take a look at the impact it may have on software development and testing companies.
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and many companies are either not aware of the change or do not understand the impact it has on their business. Because the penalties for non-compliance are severe (up to 4% of annual worldwide turnover or €20 million, whichever is greater), every business should take action now to ensure compliance.
The upcoming GDPR will be one of the strictest and most far-reaching data protection regulations ever passed. The points that matter most for businesses:
- The regulation applies to any organisation that processes the personal data of individuals in the EU, regardless of where in the world the organisation is based.
- Data subjects have a "Right of Access" to the data an organisation stores or processes about them, together with an explanation of the purposes for which it is used.
- Data subjects also have the "Right to be Forgotten": they may withdraw consent for the processing of their data, and they may request that the data be erased completely.
For companies operating in the EU, and for non-EU companies that process data about EU residents, the GDPR has implications for their software development processes. One such implication concerns the management of test data. It is extremely common to copy production data into development and test environments as input for application verification.
This will no longer be a routine task, because of the following considerations. First, explicit consent is needed from data subjects before their data can be used for testing. The "opt-out" model is no longer valid: subjects must "opt in" before a company may use their data for testing purposes. This creates a tracking headache, since companies must know which records are covered by consent and which are not, and must put steps in place to exclude the latter from any data refresh into Dev or Test environments.
To reduce the risk of a breach and to ensure compliance, companies should implement pseudonymisation so that no personally identifiable information is processed in any development or test environment. For example, a name, date of birth, address, PPSN, etc. should be replaced with synthetic data. One caveat: under the GDPR, pseudonymised data is still personal data as long as the additional information needed to re-identify the subject exists somewhere, so the mapping key or lookup table must stay on the production side and never be copied into Dev or Test. Only data that can no longer be linked back to an individual falls outside the regulation.
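The two steps above (drop records without opt-in consent, then replace the PII fields with synthetic values) can be combined into a single refresh job. The following is an added example written for this article, not code from any product or the author's own tooling. The record layout, the `consent_test_use` flag, the name and street lists and the three sample customers are all constructed for illustration. Synthetic values are derived deterministically with HMAC under a secret key, so the same real value always maps to the same synthetic value (foreign keys across tables still line up) while the mapping cannot be reversed without the key; the key lives only in the production-side job. The PPSN check character uses the publicly documented modulus-23 scheme for the seven-digit, single-letter format, so generated values pass a format check in the test system:

```python
"""Consent filtering plus pseudonymisation of a production extract
before it is loaded into Dev/Test. Added example; field names, consent
flag and sample records are constructed, not taken from a real system."""
import hashlib
import hmac
import random
import re
from datetime import date, timedelta

# Constructed sample production extract (fictional people).
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Mary Byrne", "dob": "1984-03-12",
     "address": "14 Abbey Street, Dublin 1", "ppsn": "1234567T",
     "email": "mary.byrne@example.org", "balance_eur": 1520.40,
     "consent_test_use": True},
    {"customer_id": 1002, "name": "John Murphy", "dob": "1975-11-02",
     "address": "3 Patrick Street, Cork", "ppsn": "7654321G",
     "email": "jmurphy@example.org", "balance_eur": 80.00,
     "consent_test_use": False},
    {"customer_id": 1003, "name": "Aoife Walsh", "dob": "1991-07-30",
     "address": "22 Shop Street, Galway", "ppsn": "2345678I",
     "email": "aoife@example.org", "balance_eur": 9100.00,
     "consent_test_use": True},
]

PII_FIELDS = ("name", "dob", "address", "ppsn", "email")
FIRST_NAMES = ["Alex", "Sam", "Chris", "Jordan", "Robin", "Casey"]
LAST_NAMES = ["Smith", "Jones", "Taylor", "Brown", "Wilson", "Evans"]
STREETS = ["Main Street", "High Road", "Mill Lane", "Park Avenue"]
TOWNS = ["Testtown", "Sampleville", "Mockford"]
PPSN_RE = re.compile(r"^\d{7}[A-W]$")


def filter_consented(records):
    """Keep only records whose subject has explicitly opted in to test use."""
    return [r for r in records if r.get("consent_test_use") is True]


def _rng_for(key: bytes, field: str, value: str) -> random.Random:
    """PRNG seeded from HMAC(key, field || value): same input, same pseudonym;
    without the key the seed (and hence the mapping) cannot be recomputed."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(mac, "big"))


def ppsn_check_char(digits: str) -> str:
    """Modulus-23 check character: weights 8..2 over the 7 digits, 0 -> W."""
    total = sum(int(d) * w for d, w in zip(digits, range(8, 1, -1)))
    rem = total % 23
    return "W" if rem == 0 else chr(ord("A") + rem - 1)


def synthetic_ppsn(rng: random.Random) -> str:
    digits = "".join(str(rng.randrange(10)) for _ in range(7))
    return digits + ppsn_check_char(digits)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace every PII field with a synthetic value; keep business fields."""
    out = dict(record)
    rng = _rng_for(key, "name", record["name"])
    out["name"] = f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"
    rng = _rng_for(key, "dob", record["dob"])
    out["dob"] = (date(1950, 1, 1) + timedelta(days=rng.randrange(365 * 50))).isoformat()
    rng = _rng_for(key, "address", record["address"])
    out["address"] = f"{rng.randrange(1, 200)} {rng.choice(STREETS)}, {rng.choice(TOWNS)}"
    out["ppsn"] = synthetic_ppsn(_rng_for(key, "ppsn", record["ppsn"]))
    # Email follows the synthetic name; customer_id keeps it unique in the test DB.
    out["email"] = f"{out['name'].lower().replace(' ', '.')}.{record['customer_id']}@example.com"
    out.pop("consent_test_use", None)  # the consent flag stays in production
    return out


def prepare_test_extract(records, key: bytes):
    """The refresh job: filter on consent, then pseudonymise what remains."""
    return [pseudonymise(r, key) for r in filter_consented(records)]


def leaks_pii(original_records, test_records) -> bool:
    """True if any original PII value survives anywhere in the test extract."""
    originals = {str(r[f]) for r in original_records for f in PII_FIELDS}
    return any(str(r[f]) in originals for r in test_records for f in PII_FIELDS)


if __name__ == "__main__":
    refresh_key = b"production-side secret; never shipped to Dev/Test"
    for row in prepare_test_extract(PRODUCTION_RECORDS, refresh_key):
        print(row)
```

Two design points worth noting. Keying the pseudonym on the field name as well as the value means a string that appears as both a name and an address does not produce a recognisable cross-field pattern. And because the mapping is keyed, rotating the key for the next refresh produces an entirely new set of synthetic identities, which limits what an attacker learns from comparing two test extracts.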
This is just one small step that every company should be taking now, ahead of the May 2018 deadline. For further recommendations and guidance on protecting your company against breaches, contact us for a consultation.