29 May, 2018

Impacts of GDPR on Software Testing

What is GDPR?

The EU (European Union) passed the General Data Protection Regulation (GDPR) on 14th April 2016. The GDPR assures data protection and privacy to all individuals within the European Union and aims to give people more control over how their personal data is being used by organisations. The GDPR came into effect on 25th May 2018 and companies should now have processes in place to adhere to the stringent rules that GDPR introduces.


How does GDPR affect testing?

Test Data Management (TDM) is the key area where GDPR has a major impact. Test data is a vital component which brings efficiency and accuracy in testing the quality of a product and with stringent GDPR rules, it would need a major process change.

With the new rule of the right of restriction on the use of personal data, production data can no longer be copied into the test environment as it is. Non-conformance to the new rule would result in huge penalties. Production data could only be used if anonymisation techniques are in place on all personal identifiable information such as name, gender, email address, photo, bank details and telephone number, to name but a few. Moreover, the anonymisation techniques must be irreversible. In addition, GDPR also stresses the need for the organisation to set up a mechanism which would ensure deletion of test data once the testing is complete.

Impacts Of GDPR On Software Testing


What key tools and best practices could be adopted to aid effective testing?

Create company-wide awareness on GDPR

Companies should understand the complexity and the challenges that GDPR brings and should have formed core governance bodies and teams to ensure that their business is GDPR compliant. Although a complex process, organisations need to ensure that the data they have been handling is secured in the right way.


Utilise data masking techniques

If usage of real data in testing is unavoidable, data masking is one solution. Data masking would serve the purpose without breaking the GDPR regulations. Data masking techniques could be used to mask user sensitive information such as name gender, address, bank details etc.


Synthetic data creation

Creation of synthetic data could be one of the most practical solutions which would not require any compliance to the regulations. The only issue with synthetic data is in ensuring that it is representative of production data so that it serves the purpose of a good end to end test.


Ongoing database audit

GDPR compliance is not a one-time process but an ongoing one. Therefore, organisations should now have processes in place to ensure regular database audits, as well as protection procedures, which would make sure that data does not get exposed to unauthorised 



The new GDPR is here to stay. So, the only way going forward is to be aware and be ready to embrace the new GDPR challenge!


By Rohini Bhat, Test Consultant at Edge Testing

Back to Blog