A survey carried out by Compuware in co-operation with the National Initiative for Internet Security (NIFIS) revealed that 64 percent of IT decision makers use real client data for application tests thereby taking risks of having to pay fines or being punished otherwise according to the provisions of the Federal Data Protection Act (BDSG). This law prohibits companies from using real data for purposes other than those for which they had been collected in the first place. The survey was carried out among more than 100 German IT executives.
36 percent of IT executives said that they were not comprehensively familiar with this law. Therefore no wonder that a majority of those interviewed are running risks of violating the BDSG by using real client data for application tests without paying any attention to data protection laws.
Gerald Pfeiffer, Manager Solutions Delivery with Compuware warns: “If companies do not have appropriate protective procedures in place, they risk customer data to get into the hands of third parties in an unnoticed manner. Test environments are by nature insecure places for the processing of real customer data, also because print-outs and test sheets are left unattended next to computers during tests. If customer data filtrate to the outside world, companies are bound to fines. The possible damage to their image, however, may even be worse.”
Another reason for data protection becoming an ever more important topic is the fact that many companies have outsourced corresponding services to external service providers. Thus, it cannot be ruled out that employees of outsourcing companies pass on confidential data. However, 53 percent of those surveyed say that when placing orders for software testing with external partners they sign so-called non disclosure agreements.
“In order to fully observe data protection rules a gradual approach is necessary. During the test phase no real data, but special test data are to be used. Only when the quality of the software tested is ensured and tested, trials using real data are allowed, if the provisions of the Federal Data Protection Act are adhered to at the same time”, says Dr. Thomas Lapp, managing director of NIFIS e.V.
An approach suggesting itself would be not to use customer data at all for test purposes, but this is not that easy. Unless companies can make use of extensive data pools, which enable them to test an application thoroughly under “real conditions”, the probability of software flaws during future “real life operation” is very high. For that reason companies have to decide between either to create time and money consuming test data pools which are suitable for the purpose of the application to be engineered or to de-sensibilize data which may, however, lead to some data fields not being valid. As a consequence the application test would be incomplete.
One possibility of solving this problem would be to transform data into an anonymous form. By replacing known values such as addresses with other values customer data can be made anonymous so that the person in question cannot be traced any more, but can still be processed by the computer network in the entire company. Thus, important data fields such as postal code can be kept in place. This whole process can be automated in order to rule out human error. 