It’s a tricky balance: what CAN and MAY you test?

01 July 2019
Written by Bas van der Poel | Account Executive in Benelux region

With an education in business economics, Bas started as an SAP MM consultant at the Dutch Hoogovens, currently known as Tata Steel Europe. Thanks to his involvement in several projects at different clients, his expertise developed to SRM, SCM and SAP project management, followed by sales within the SAP ecosystem. Bas has also always played a key role in the Dutch user group organization VNSG (www.vnsg.nl) and considers knowledge-sharing important.

Blog-Images-[Recovered]


You MAY not do testing with personal data...and many people say they CAN not do testing with anonymised data. But there is a balance between the two; you are both allowed to and able to do testing with data which is both realistic and scrambled.

The General Data Protection Regulation (GDPR) that came into effect in May 2018 has changed the world’s view on data privacy. Every organisation that is either doing business with European Union citizens, or based within the EU, has spent many hours on the topic. It has changed the way we think about and act on personal data, from both a personal and business view.

In SAP landscapes, one of the big topics for personal data is about the data stored outside production systems, although SAP’s Data Processing Agreement (DPA) does not allow this. Many organisations create full production copies in their testing systems (SAP Client, or more often System Copies) for testing. These copies would include personal and sensitive data. In some scenarios, you may even have a valid reason for using personal data for testing, but doing this is very risky and totally unnecessary.

Copying only the data you need for testing, and no more than that, would already be a big improvement. Not only in terms of GDPR compliance; in my experience, less data also means a lower Total Cost of Ownership (TCO). And copying less data also means having your test-set or development-set of data when you need it: test data on demand. Which means having real and adequate data when you need it. Ultimately, less data outside production means less risk – something every IT organisation would be very happy with.

Benefits of less and scrambled data in testing and development

  • Firstly, compliance with GDPR. The regulation is clear; you may only use the data for the intended purpose. Ask yourself if you have permission to use personal data for testing, development and training purposes?
  • Being compliant with your SAP DPA; it is your responsibility to be GDPR compliant with the tooling available in the market.
  • Reducing the risk of data disclosure with less and scrambled data outside production.
  • Improving TCO on hosting/hardware.
  • Improving data quality for testing and development via faster and more frequent test data refreshes. This also means better test results and less rework.
  • Improving projects and change quality and timelines.

Going back to the challenge: How do we find the balance in having scrambled data for proper testing?

  1. Copy only the data you need for testing. Less data = less risk
  2. Scramble the data in the SAP data model consistently, meaning ALL the fields that are connected to Personally Identifiable Information (PII)
  3. Refresh your test data frequently according to your Test Data Strategy

Our solutions allow you to do just that!

With Data Sync Manager™ (DSM) you can scramble the sensitive data in your SAP landscape consistently. And DSM will also enable you to subset the required data for testing, and less data means less risk. Data Secure™, part of the DSM suite, will take care of scrambling the data. The product has been used in the market for 22 years and has an extensive set of rules to cater for different scrambling needs.

Watch James Watson’s webinar on Data Secure and data scrambling for GDPR


"The quality of testing and the quality of test data are inextricably linked
.
When the latter is compromised, the cost of projects invariably rises."

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data SAP data encryption SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security for SAP. Live Sensitive HCM data South African data privacy legislation Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: