09) Does your organisation use dummy test data when undergoing testing of systems (and not live production data)?

August 31, 2022 Software Development Test Data

Answer yes if your organisation has made it policy to only use test data (rather than live production data) that contains no personal data when testing its IT systems. If not, please state the reason why and whether or not you have any other mitigating controls in place.

What is the control?

Live production data should never be used in testing environments. Doing so not only exposes live data in an environment without production controls, but is also generally a violation of GDPR when personal data is involved.

Why should I have it?

Using production data in a testing environment increases the risk to that data in a number of ways. Firstly, it means more people in your organisation have unnecessary access to production data, which can contain personal data and other sensitive business data. Secondly, testing environments usually have fewer security controls and are not as closely scrutinised as production environments.

Finally, processing individuals’ data has to be done under a “legitimate” basis according to GDPR. In this sense, the processing has to be reasonably expected and beneficial to the data owner. Your organisation using their data to test your applications is likely to be neither expected nor beneficial to the data owner and is therefore likely to be in violation of GDPR.

For the above reasons, testing should be performed using randomly generated or anonymised data. This provides assurance that you are not unnecessarily using and exposing client data and are not using it in environments which may have controls inferior to those in production environments.

How to implement the control:

Your organisation should have a policy around test data which stipulates that any test data either be random or fully anonymised in such a way that no production information can be derived from the data and that the anonymisation process cannot be reversed.
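The difference between the two requirements in such a policy, as an added example that is not part of the original article: masking a field with an unsalted hash fails the "cannot be reversed" test when the field has a small value space, while a randomly generated record has no production input to derive anything from. All names, the sample row and the reserved phone range and domains used here are constructed for illustration.

```python
import hashlib
import random

# Constructed sample standing in for one production row (not real data).
PROD_ROW = {"name": "Alice Example", "email": "alice@corp.example", "phone": "07700900123"}

def mask_by_hash(row):
    """Weak masking: unsalted SHA-256 per field. Deterministic, so still derived data."""
    return {k: hashlib.sha256(v.encode()).hexdigest() for k, v in row.items()}

def recover_phone(token, prefix="07700900"):
    """Reviewer check: is the masked value re-derivable by trying every candidate?"""
    for n in range(1000):
        candidate = f"{prefix}{n:03d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == token:
            return candidate  # masking was reversed, so the scheme fails the policy
    return None

def synthetic_row(rng):
    """Random test record built only from the RNG, never from a production value."""
    uid = rng.randrange(10**8)
    return {
        "name": f"Test User {uid:08d}",
        "email": f"user{uid:08d}@example.test",          # reserved test TLD
        "phone": f"07700900{rng.randrange(1000):03d}",   # reserved fictional UK range
    }

def synthetic_dataset(count, seed):
    # A fixed seed keeps test runs reproducible; nothing secret depends on it.
    rng = random.Random(seed)
    return [synthetic_row(rng) for _ in range(count)]

if __name__ == "__main__":
    masked = mask_by_hash(PROD_ROW)
    print("hash-masked phone recovered as:", recover_phone(masked["phone"]))
    for row in synthetic_dataset(3, seed=2022):
        print(row)
```
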

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and implementing technical controls in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.