GDPR - Five Things Testers Need to Know

GDPR - Five Things Testers Need to Know

GDPR is the buzzword at the moment, it’s a significant piece of EU legislation, supported by a UK bill currently going through parliament.  It’s hard to do anything of late without a consultant selling you advice on GDPR, but what does it mean for testers?

GDPR is quite wide reaching and it comes into force in May 2018, but why is it causing so much fuss?  It isn’t substantively different to the UK Data Protection Act 1998.  However, the key changes that are getting everyone excited about are:

  • The penalties have significantly increased from £500k to the greater of €20 million, or 4% of global company turnover.  When applied to one of the big tech companies, that could be a very crippling large number.
  • Data Protection statues will no longer apply only to the controller of the data, but to any entity processing personal data, anywhere in the world.  Previously, the penalties and obligations were more focussed on the data controller and EU companies. This is introducing shared accountability.

Because this has increased the scope and the penalties, the number of people interested in data protection has suddenly increased.  As a tester you probably need to know only five things about GDPR:

  1. Everything that was true in DPA1998 is broadly still true, but with more of everything, from scope to penalties.
  2. If you are an IT contractor, you may now have similar statutory data protection obligations as your end client. Be sure to read the guidance carefully.  You may need to appoint a Data Protection Officer if you are receiving personal data, you probably have new record-keeping and reporting obligations.
  3. Systems that gain consent for data processing must ensure it is freely given, specific, informed and unambiguous. I.e. No more opt-in boxes can be ticked by default.  No more confusing double negatives in consent statements!
  4. Systems that hold personal data need to have the ability to delete someone’s personal data without undue delay.  This can be a “manual change” of course, but you may want to add a test to make sure it doesn’t break integration in your environment.
  5. Systems need to provide, on request and to consumers, the ability to export their personal data in a machine-readable format that can be imported by their competitors.  Exactly how they achieve this is up to them - again this could be a manual activity, but needs to be considered carefully to ensure compliance with the new statues.

...and that’s it!  Of course, there is a lot of additional detail in the legislation and guidance notes, especially if you are managing the technical and organisational controls for an organisation - but these are the key takeaways for software testers.


Adam Smith is Piccadilly’s chief technology officer and leads the company’s technology innovation. Adam also has extensive experience leading, driving and solutioning across a range of testing disciplines, including test automation, performance and penetration testing as well as the traditional functional testing.