GDPR & Software Delivery | Why Didn't You Test That?
Why Didn't You Test That? The Curiosity Software Podcast featuring Huw Price and Rich Jordan!
What Does GDPR Mean for Your Organisation?
In this episode of the Why Didn't You Test That Podcast, Rich Jordan, Huw Price and our first guest Tom Pryce, Communications Manager at Curiosity Software, discuss the implications of GDPR for software testing and delivery.
“The GDPR principles of process limitation and data minimisation are to only use data for which you have legitimate grounds. So suddenly, not only that, but you also need to know who is using it, for what purpose and how long they have been using it. Ok, that’s already hard, and then we throw in the other pieces, i.e. erasure and portability, affecting an organisation’s IT estate.”
- Guest, Tom Pryce, Communications Manager, Curiosity Software
“Conduct risk would say we don’t understand our systems or the flows, so the only way to do a migration is to use this live data.”
- Rich Jordan, Enterprise Solutions Architect, Curiosity Software
“In my mind you should be pushing your ERP solution providers to basically say I need these features in the product as a matter of urgency.”
- Huw Price, Managing Director, Curiosity Software
Shownotes
0:00 Introduction.
0:29 How GDPR affects the development process.
0:50 Welcome Tom Pryce, Communications Manager, Curiosity Software.
1:31 Tom Pryce introduces his interest in GDPR: he has worked with Huw Price since 2014, which is nearly as long as the GDPR legislation has existed; GDPR was introduced in 2012.
1:56 GDPR defined: for most people the first visible sign of GDPR was the wave of emails around the implementation date of May 25th 2018 (the regulation was ratified into law in 2016), with companies desperately asking for affirmative opt-in to marketing information.
2:35 GDPR's goals were to unify regulation across the EU bloc, aligning directives and legislation, but also to strengthen regulation in response to changes in technology. For the UK this moved on from its 1990s Data Protection Act. A further goal was to make people more aware of how their data is used and to give them control over it. Huw and Tom started looking at the impact of GDPR in 2014.
3:37 Compliance, and why the Gambler and the Sceptic were both wrong: data protection laws are being implemented worldwide. Among these are the California Consumer Privacy Act and, in Brazil, the LGPD; Chile and India have followed too. It is beyond a blip and has become a trend. The Brexit version of GDPR is a cut-and-paste version.
6:49 Data minimisation and process limitation, particularly for software testing and delivery: what is legitimate use? Who is using your data and for how long, but also how much of it is provisioned. There are six lawful grounds, covering both storing and using data. Applied to testing, these may hinge on consent as an affirmative action (explicit and tightly defined), on the fulfilment of a service, or on legitimate interest. This sits alongside the principle of data minimisation.
9:29 Impact on the IT estate: avoid using as much data as you can! Align the number of test cases with a limit on the number of rows.
10:37 The risk angle: future-proofing a service.
11:05 Huw Price to Tom: what happens when you do not use production data for testing and development? How might this impact production data?
13:29 Rich Jordan: how does an organisation demonstrate that a delist request has been fulfilled?
15:06 Rich Jordan: Data flow and data systems related to breaches and uses of synthetic data: It’s less about punishing companies but more about how they can improve.
17:23 Huw Price: the shortfall in ERP features, giving developers or testers accidental access to data, and its impact on the release cycles of patches and upgrades. Anywhere from 10 to 90% of organisations have ERP systems. What is the difference between the data subject and the data processor? How useful are manual scripts written to anonymise the data?
22:03 Tom Pryce: the specificity of health data, PII and protected characteristics.
23:21 Rich Jordan: conduct risk, as in financial services system migrations, and the way in which legitimate interest as a term has been misappropriated and misapplied. In June 2021 a migration to the cloud caused a leak of the data of Norwegian sports candidates. The sports federation was fined on the grounds of having no legitimate basis for using the data and of breaching data minimisation by using it for testing. The Norwegian DPA suggested the fine could have been mitigated by using synthetic data and less production data.
27:50 Rich Jordan: yes, it is a data problem, but the focus can be more on conversations around an organisation's risk regime.
28:15 Huw Price: visceral pushback about the need to test requirements. At the EuroSTAR conference, 70% of people in the room said they were using production data.
30:25 Pseudonymising and masking of data as a high bar.
31:20 Teeing up the next episode: going down the synthetic versions rabbit hole.
32:31 Huw Price: outro, and the Bank of India using a fake bank to explore development data as part of a system under test.