Common IT practices in application test and QA, pre-production, and training environments are now under particular scrutiny under the GDPR. The duplication of live production data (including sensitive information) into test and other environments has the advantage of producing more realistic test data, thus improving the accuracy of the testing activity. However, this technique increases the exposure of personal data and the risk of a data leak. In the context of the GDPR, additional anonymisation techniques are essential to achieve compliance.

What is new with the GDPR is the notion of “privacy by design and default”.  In choosing to include these as key principles, the legislator has acknowledged that privacy cannot be ensured by means of legislation alone, but it must be incorporated in the design and maintenance of information systems. Under Article 25 of the GDPR, a data controller is required to implement protective measures both at the “time of determination of the means for processing, and at the time of the processing itself”. Such measures include data anonymisation, pseudonymisation or other privacy-enhancing technologies.

One of the fundamental changes with the GDPR is that companies that provide services to other companies – known under the legal term of “data processors” – will also face the same hefty fines, which will affect technology service providers in particular.

An independent survey of large company CIOs showed that 52% of US companies possess data on EU citizens, making them subject to the GDPR. Primary concerns for these companies are the ability to know where customer data is at all times, and proper concealment of customer data used in testing. Interestingly, the vast majority of this customer data actually resides on back-end systems.  In this context, test data privacy solutions will place a major role in compliance.

Other key findings from US respondents to this survey include:

• 83% use live customer data in test systems when testing applications, because they believe the use of live data ensures reliable testing and accurately represents their production environment

• 83% provide customer data to outsourcers for testing purposes and 78 percent agree that outsourcing makes it more difficult to pinpoint instances of customer personally identifiable information (PII)

• 71% believe the emergence of mobile technologies is one factor making it more difficult to track customer data as it moves through the enterprise

The adoption of DevOps and agile approaches and their reliance on continuous testing actually increases the criticality of test data protection, as the pace and frequency of software rollout is increased. With more modern 3-tier applications (particularly mobile) ultimately connecting through the back-end application, test data anonymization tools (such as DOT-Anonymizer, which is both platform and database agnostic) are an effective solution to mask sensitive customer data throughout the application testing process.

For more information, read our Data Protection White Paper.


By Olenka Van Schendel, vice president of strategic marketing & business development at Arcad Software

GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at

comments powered by Disqus