Testing software with production data? Anonymize first

Testing software with data from your production environment? If this data contains personal data, you must have specific permission from the users for this [1]. There has now been a legal ruling that gives those who argue otherwise more leeway [2]. But does this ruling change anything? Not as far as we are concerned. After all, testing with personal data is never wise.

Testing all scenarios

To test software, you want to use scenarios that match reality as closely as possible. A set of "dummy data" quickly falls short because it is difficult to cover every edge case in it. Using production data provides the most relevant results, but it also comes with many snags. One of these is that users often only give permission to use their personal data for the main purposes of the application. The ruling indicates that testing with production data may well be compatible with the purpose for which the data was originally collected.

The risks of testing with production data

Even if the use of production data were allowed without specific permission from the users, there are many drawbacks:

  • Copying production data into the test environment increases the chance that personal data is hacked, misplaced or stolen.
  • The use of production data can lead to unintended actions, such as a test email reaching users.
  • Users finding out that their data is being used for testing purposes can lead to loss of face.

In addition, the same requirements still apply to the use of personal data. Thus, the test environment will have to comply with the same management measures as the production environment.

Production data anonymization

The best way to test applications properly is to anonymize the production data. During testing, the meaning of the individual data is not important; only the relationships between the data are needed. Anonymizing the data preserves these relationships while rendering the meaning of the data itself unusable. For example, it is not possible to accidentally send emails to real users, and the data is virtually useless should it fall into the hands of third parties.
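The idea of keeping relationships while discarding meaning can be shown with a keyed-hash mapping. This is an added example, not code from the article or from Nestor Data Mask; the table layout, field names and sample rows are constructed, and HMAC-SHA256 with a per-run key is one possible technique chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows standing in for two production tables.
CUSTOMERS = [
    {"id": 1001, "name": "Anna de Vries", "email": "Anna@Example.com"},
    {"id": 1002, "name": "Bram Jansen", "email": "bram@example.com"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 25.00},
    {"order_id": 2, "customer_id": 1001, "amount": 10.50},
    {"order_id": 3, "customer_id": 1002, "amount": 99.99},
]


def make_masker(key=None):
    """Return token(kind, value): equal inputs give equal tokens under one key."""
    key = key or secrets.token_bytes(32)  # fresh per run; discard it afterwards

    def token(kind, value):
        msg = f"{kind}:{str(value).strip().lower()}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]

    return token


def anonymize(customers, orders, token):
    """Mask identifying fields; keep foreign keys consistent and amounts intact."""
    masked_customers = [
        {
            "id": token("customer", c["id"]),
            "name": "Customer " + token("name", c["name"]),
            # .invalid is a reserved TLD (RFC 2606), so mail can never be delivered
            "email": f"user-{token('email', c['email'])}@example.invalid",
        }
        for c in customers
    ]
    masked_orders = [
        {**o, "customer_id": token("customer", o["customer_id"])}
        for o in orders
    ]
    return masked_customers, masked_orders


if __name__ == "__main__":
    for table in anonymize(CUSTOMERS, ORDERS, make_masker()):
        for row in table:
            print(row)
```

Because the same key is used for both tables, the masked orders still join to the masked customers, while a test mailer pointed at this data has no deliverable address to send to.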

[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/beveiliging/beveiliging-van-persoonsgegevens?qa=testen&scrollto=1

[2] https://curia.europa.eu/juris/document/document.jsf?text=&docid=267405&pageIndex=0&doclang=NL&mode=lst&dir=&occ=first&part=1&cid=365738

Nestor data mask

To make use of masked production data in your test environment, we have developed the Nestor Data Mask. This tool transfers anonymized data from your production environment into your test environment. For more information please visit our Data mask page or request a demo.
