On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) takes effect. Penalties for non-compliance are steep: the lower tier of fines reaches 10 million euros or 2% of worldwide annual turnover, whichever is higher, and more serious infringements can draw up to 20 million euros or 4%. U.S.-based multinationals need to take GDPR seriously too. Facebook, for example, began rolling out a global privacy center [1] in response to GDPR even before its recent data privacy troubles, giving users a single place to manage their privacy settings.
Have you ever stopped to think about how much personal data is sitting in your company's production and pre-production databases? You may have decades' worth of salaries, ages, addresses, job applications, social security numbers and credit card numbers. Factor in the personal information we have freely handed to social media platforms for years, and the volume of personal data held by companies is staggering. Does any of it belong to people in the EU? (GDPR protects data subjects located in the EU, not only EU citizens.) If so, you will soon be held to a higher standard when handling that personal information, and the data subject will have more say in how it is processed and where it is stored.
GDPR gives individuals more control over how their personal information is used, including the right to erasure, the "right to be forgotten" provision, under which a company must delete a person's data on request once it has no lawful basis to keep it. Individuals can also object to processing that goes beyond what is needed to deliver the product or service they signed up for. Copying production data into a test environment is processing too, so these rules directly affect how data is used for testing: an erasure request that reaches the production database but not the test copies has not been honoured.
Compliance Officers, Developers and Testers Take Notice
Are your development teams using sensitive data when testing? Is that data being masked? A recent survey [2] indicates that most companies are woefully unprepared for GDPR, many without even a plan to begin compliance. Having worked in this industry for many years, specifically with compliance products, I know that having some compliance plan in place is better than having none. If a breach occurs in any of your databases, including those used for testing, you will attract the attention of regulators from all sides of the globe. If your company is taken to task for a breach, it is better to be able to show that you have a plan and are moving towards compliance, even if you are not fully compliant yet.
Compliance is actually a very low bar in terms of data security, and companies need controls far stricter than what most regulations specify. PCI DSS [3], for example, is the payment card industry's standard, maintained by the PCI Security Standards Council, for controls on systems that store, process or transmit cardholder data, primarily card numbers. GDPR is different in that, rather than prescribing a control set, it gives power to the person the data is about, the data subject. Companies will have to honour the rights GDPR grants EU data subjects over how their data is used, whatever the purpose. This regulation will have a far-reaching impact on any global company regardless of where it is headquartered: if your company stores the personal data of people in the EU, GDPR affects you.
Where to Begin
First, don't wait for the EU to come to you. If you haven't yet talked to your team about GDPR, start by asking how it may impact your company:
- Does your company store the personal data of people in the EU in any database, including pre-production and test databases?
- Where is your sensitive data stored? For example, does your company use a third-party provider to store data, and if so, does that provider have a GDPR plan in place?
The initial challenge with compliance will be to know where your personal data is stored. Note that GDPR uses the term personal data, which is broader than the personally identifiable information (PII) most tooling looks for. Most companies have no idea, and will need tools that can scan their databases for personal data and flag records belonging to people in the EU.
I believe GDPR is actually an opportunity for companies to put their test data houses in order. The new legislation will pressure companies to know where personal data is stored, how many copies exist, and what safeguards protect each copy. Test data is an appendage to production data and should be managed as carefully as production data; a masked copy is the usual way to keep test environments useful without keeping real personal data in them. GDPR can be a catalyst for implementing a more thorough test data management solution. CA is a leader in the enterprise application test data management space, and its solution can be integrated with Worksoft Certify to provide a secure and scalable approach.
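As an added example (this is not code from the original post, nor from CA or Worksoft), the following Python script walks through the two steps the last two paragraphs call for, on a constructed in-memory SQLite table standing in for a production copy in a test environment: first scanning each column for values that look like personal data (SSN, e-mail and Luhn-valid card number formats), then overwriting those columns with deterministic, format-preserving pseudonyms derived with a keyed HMAC so that duplicate rows and foreign keys still line up after masking. The table, its rows and column names, and the masking key are all constructed for the example.

```python
import hashlib
import hmac
import re
import sqlite3

# Hypothetical per-environment secret (constructed for this example). In a real
# deployment it is fetched from a secrets manager and never committed.
MASKING_KEY = b"test-env-masking-key-rotate-me"

# Constructed sample rows standing in for a production table copied into test.
SAMPLE_ROWS = [
    ("Ana Silva", "ana.silva@example.com", "123-45-6789", "4111111111111111", 88000),
    ("Bo Chen", "bo.chen@example.org", "987-65-4321", "5500000000000004", 91000),
    ("Ana Silva", "ana.silva@example.com", "123-45-6789", "4111111111111111", 88000),
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_check_digit(body: str) -> str:
    """Return the digit that makes body + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        n = int(ch)
        if i % 2 == 0:  # every second digit from the right, once the check digit is appended
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return str((10 - total % 10) % 10)


def luhn_ok(digits: str) -> bool:
    """True if the string is all digits and its last digit is a valid Luhn check digit."""
    return digits.isdigit() and len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def classify(value):
    """Label one cell as 'ssn', 'email' or 'card' by format alone, or None."""
    if not isinstance(value, str):
        return None
    if SSN_RE.match(value):
        return "ssn"
    if EMAIL_RE.match(value):
        return "email"
    digits = value.replace(" ", "").replace("-", "")
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "card"
    return None


def scan_table(conn, table):
    """Return {column: kind} for columns whose sampled non-null values all share one PII format."""
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted} LIMIT 1000")  # sample, not a full scan
    cols = [c[0] for c in cur.description]
    rows = cur.fetchall()
    found = {}
    for i, col in enumerate(cols):
        kinds = {classify(r[i]) for r in rows if r[i] is not None}
        if len(kinds) == 1 and None not in kinds:
            found[col] = kinds.pop()
    return found


def mask(kind, value):
    """Deterministic, format-preserving pseudonym under MASKING_KEY."""
    # HMAC rather than a plain hash: without the key nobody can rebuild a lookup
    # table from guessed inputs. The kind prefix keeps ssn/card outputs unrelated.
    digest = hmac.new(MASKING_KEY, f"{kind}:{value}".encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    if kind == "ssn":
        s = f"{n % 10**9:09d}"
        return f"{s[:3]}-{s[3:5]}-{s[5:]}"
    if kind == "email":
        return f"user-{digest[:6].hex()}@example.test"  # reserved test domain, never deliverable
    if kind == "card":
        body = f"{n % 10**15:015d}"
        return body + luhn_check_digit(body)  # still Luhn-valid, so payment code paths run
    raise ValueError(f"unsupported kind {kind!r}")


def mask_table(conn, table, columns):
    """Overwrite the detected PII columns in place; returns the number of cells rewritten."""
    quoted = '"' + table.replace('"', '""') + '"'
    rewritten = 0
    for col, kind in columns.items():
        qcol = '"' + col.replace('"', '""') + '"'
        rows = conn.execute(f"SELECT rowid, {qcol} FROM {quoted} WHERE {qcol} IS NOT NULL").fetchall()
        for rowid, value in rows:
            conn.execute(f"UPDATE {quoted} SET {qcol} = ? WHERE rowid = ?", (mask(kind, value), rowid))
            rewritten += 1
    conn.commit()
    return rewritten


def demo():
    """Load the constructed rows into an in-memory SQLite table, scan it, mask it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (full_name TEXT, email TEXT, ssn TEXT, card TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    found = scan_table(conn, "employees")
    cells = mask_table(conn, "employees", found)
    rows = conn.execute("SELECT * FROM employees").fetchall()
    return {"pii_columns": found, "cells_rewritten": cells, "rows": rows}


if __name__ == "__main__":
    result = demo()
    print("PII columns:", result["pii_columns"])
    for row in result["rows"]:
        print(row)
```

Format detection alone misses free-text personal data such as the full_name column, which is why the scan reports three PII columns rather than four; in practice column-name heuristics and name dictionaries supplement it, and a human still reviews the result. Because each pseudonym is an HMAC under a per-environment key, the same source value always masks to the same output, so joins and duplicate detection still behave in test, while anyone holding only the test copy cannot map pseudonyms back to people or re-derive them from guessed inputs.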
[1] TechCrunch, "Facebook to roll out global privacy settings hub — thanks to GDPR"
[2] CFO Innovation, "EY: Only 12% of Asia Pacific firms have GDPR compliance plans"
[3] PCI Security Standards Council, "Securing the Future of Payments Together"