Testing using real data of the customer





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







14















Is it common to use real data of the customer to perform testing? What policies companies apply regarding using real data of the customer for testing purposes? Is there any legislations regarding such issues?










share|improve this question

























  • Related: sqa.stackexchange.com/questions/5737/…

    – trashpanda
    May 20 at 9:18






  • 1





    Every single answer so far has misread "data of the customer" to mean "customer data". There is a huge difference. Maybe OP really means "customer data", but "data of the customer" could for example mean that OP is writing software for a customer that has a lot of data about their manufacturing plant's temperature variations, seasonal forest growth, etc.

    – pipe
    May 22 at 9:34




















14















Is it common to use real data of the customer to perform testing? What policies companies apply regarding using real data of the customer for testing purposes? Is there any legislations regarding such issues?










share|improve this question

























  • Related: sqa.stackexchange.com/questions/5737/…

    – trashpanda
    May 20 at 9:18






  • 1





    Every single answer so far has misread "data of the customer" to mean "customer data". There is a huge difference. Maybe OP really means "customer data", but "data of the customer" could for example mean that OP is writing software for a customer that has a lot of data about their manufacturing plant's temperature variations, seasonal forest growth, etc.

    – pipe
    May 22 at 9:34
















14












14








14


2






Is it common to use real data of the customer to perform testing? What policies companies apply regarding using real data of the customer for testing purposes? Is there any legislations regarding such issues?










share|improve this question














Is it common to use real data of the customer to perform testing? What policies companies apply regarding using real data of the customer for testing purposes? Is there any legislations regarding such issues?







quality-assurance documentation test-data






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked May 20 at 7:48









Seeker001Seeker001

1742 silver badges8 bronze badges




1742 silver badges8 bronze badges
















  • Related: sqa.stackexchange.com/questions/5737/…

    – trashpanda
    May 20 at 9:18






  • 1





    Every single answer so far has misread "data of the customer" to mean "customer data". There is a huge difference. Maybe OP really means "customer data", but "data of the customer" could for example mean that OP is writing software for a customer that has a lot of data about their manufacturing plant's temperature variations, seasonal forest growth, etc.

    – pipe
    May 22 at 9:34





















  • Related: sqa.stackexchange.com/questions/5737/…

    – trashpanda
    May 20 at 9:18






  • 1





    Every single answer so far has misread "data of the customer" to mean "customer data". There is a huge difference. Maybe OP really means "customer data", but "data of the customer" could for example mean that OP is writing software for a customer that has a lot of data about their manufacturing plant's temperature variations, seasonal forest growth, etc.

    – pipe
    May 22 at 9:34



















Related: sqa.stackexchange.com/questions/5737/…

– trashpanda
May 20 at 9:18





Related: sqa.stackexchange.com/questions/5737/…

– trashpanda
May 20 at 9:18




1




1





Every single answer so far has misread "data of the customer" to mean "customer data". There is a huge difference. Maybe OP really means "customer data", but "data of the customer" could for example mean that OP is writing software for a customer that has a lot of data about their manufacturing plant's temperature variations, seasonal forest growth, etc.

– pipe
May 22 at 9:34







Every single answer so far has misread "data of the customer" to mean "customer data". There is a huge difference. Maybe OP really means "customer data", but "data of the customer" could for example mean that OP is writing software for a customer that has a lot of data about their manufacturing plant's temperature variations, seasonal forest growth, etc.

– pipe
May 22 at 9:34












9 Answers
9






active

oldest

votes


















16














Depends on your definition of testing, anonymized data is widely used by Microsoft and others for monitoring and testing in production, it's the basis for A/B testing or monitoring for example.



In Europe the GDPR does not allow usage of private data, but the GDPR does not apply to anonymised information and anonymised data can be used without consent. Anonymised data is defined as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”



Be careful though, you need to be careful on how data is anonymised and make sure it is really irreversible.






share|improve this answer


























  • Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

    – Niels van Reijmersdal
    May 21 at 8:25











  • "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

    – Niels van Reijmersdal
    May 21 at 8:26













  • Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

    – Rsf
    May 21 at 8:49






  • 2





    Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

    – Niels van Reijmersdal
    May 21 at 8:55






  • 1





    @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

    – Bakuriu
    May 22 at 19:42



















9














I wouldn't say it is common to use real data in testing, although the customer might provide a subset of "real" data in order to facilitate the process.



Apart from the privacy and business issues, there are also the legal ones, e.g. General Data Protection Regulation (GDPR) has been enforced since 25 May 2018 in Europe (but I think every company dealing with another company from the EU should take notice).



GDPR takes a very strict approach (fines) when dealing with personal data (and personal data is practically any data concerning a person - so this is a very broad definition) so it is better to just use test data, at least in this context.






share|improve this answer





















  • 4





    It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

    – trashpanda
    May 20 at 8:36






  • 1





    I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

    – Mate Mrše
    May 20 at 8:41



















6














It depends



In some industries it's not feasible to test without customer data. Sometimes it's not possible to properly anonymize said data - I test software that uses the US social security number for a large number of lookups. That means that any method of anonymization must ensure that the social security number of a given person must produce the same result across multiple tables while retaining the standard social security number format and not violating US regulations on what constitutes a valid social security number. That's just one example of a case where not using real data is somewhere between difficult and infeasible.



Another example - from the same software (which is also legacy software dating from 2002) - is a situation where data syncs between multiple systems. If your application is not the system of record (that is, the master system), you may not be able to anonymize data without losing the ability to sync to the master system. The software I test is a web application that sends updated data to a mainframe and receives updated information from the mainframe. If the data used by the web application differs too much from the data on the mainframe, the mainframe can't work with the data sent by the web application, and the entire sync breaks down.



Another situation where customer data may be necessary is where the customer's configuration is sufficiently unusual/unique enough that it's not feasible to mimic that configuration in order to reproduce a reported bug. In a previous job I had this happen, where there were four separate bugs that produced the same outcome as the customer's actual bug, and I found all of them before I was able to use the customer's data to reproduce the actual bug.



Scalability issues can be challenging without a database the size of a customer one - if the test database is of a modest size while the customer's data set is over a terabyte, it may be impossible to reproduce that customer's problems with the test database. I've seen this happen, and had to sign the non-disclosure agreements that went with the customer mailing us a copy of their database to work with. In those cases, we agreed to user their data only for as long as we needed it to reproduce and fix the problem they were having. That was acceptable with the PCI compliance rules at the time - I don't know if it would be acceptable now since I'm not currently working with software that requires that standard.



That said, email addresses are always changed, usually to one of our internal email addresses so we can test the emails that should be sent to customers, and purge the database of real users whenever we take a copy of the production database to use for testing.






share|improve this answer


























  • feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

    – Rsf
    May 23 at 8:23













  • @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

    – Kate Paulk
    May 23 at 11:09



















4














Principles related to the processing of personal data




Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner
incompatible with that purpose or those purposes.




So as per data protection law applied, production data can’t be processed for ulterior purposes from when it was originally obtained, without explicit permission from the data subject, an unrealistic scenario.






share|improve this answer

































    3














    I would not recommend using real customer data for testing. On argument was already mentioned: unlawful use of customer data.



    Another problem which can arise: leaking confidential business information. Imagine this scenario: due to a bug or misconfiguration, your test system suddenly sends out real email. Real persons now get a newsletter for a new product your company is developing with critical details.



    Better be safe, use dedicated test data with adresses, emails and mobile phone numbers reserved for your testing only.






    share|improve this answer





















    • 1





      You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

      – trashpanda
      May 20 at 12:24











    • See @Nitin Rastogi's answer

      – trashpanda
      May 20 at 12:24



















    2














    There are situations that are almost impossible to fully test without live data of some kind. However, we may not need to use customer data. I have tested with my live credit and debit cards when I needed to do an "End to End" test of a system. There are bugs that show up only in such a test. A small amount used in a test can be written off based on how much the customer is paying for quality software (but talk to accounting first).






    share|improve this answer


























    • This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

      – Kate Paulk
      May 22 at 19:36



















    2














    Others have mentioned the GDPR, but there are also industry specific rules and constraints.



    If you’re dealing with payment data, such as credit cards and cardholder data, the PCI DSS has an explicit prohibition on using actual customer data for testing.



    Also, the US government has developed draft guidelines on this exact topic:
    DPIAC Privacy Recommendations on the Use of Live Data 4 in Research, Testing, or Training (pdf file). They are not official yet, but you can consider them a good starting point.






    share|improve this answer



































      1














      As others have highlighted its definitely a very grey area!



      Most companies I've worked for do use real customer data (with or without the customers knowledge!). Mainly because sometimes with complex systems, certain issues are unable to be reproduced with test data. On numerous occasions i have found issues we are unable to reproduce without using real data.



      We should always try to at least obfuscate/anonymise the data as best as we can






      share|improve this answer

































        0















        Is it common to use real data of the customer to perform testing?




        Yes, in smaller engineering teams this is very common. They just blindly copy production data into a testing environment. In larger corporates hopefully they have pragmatic internal policies to guide this. Certainly if the data is of sensitive personal nature.




        What policies companies apply regarding using real data of the
        customer for testing purposes?





        • A thorough ISO 27001/2 implementation would probably cover how data is available to testers. This article shows depth on the subject, resulting in two conclusions:


          1. Development, testing, and change management require clear written information security policies.

          2. The organization must enforce the policies in all projects and have evidence.





        Is there any legislations regarding such issues?





        • General Data Protection Regulation: https://gdpr-info.eu/

        • The medical and financial industries also have a lot of acts and regulations that might influence this. I think it is much to sum up as each industry has its own standards.


        Data could also be owned by someone else than the owner of the software. You might need formal sign off to use real data in a test environment from a client for example.



        I would suggest you get legal counsel from someone who understand the domain you are building and testing software in. Together research risks, contracts and the law.






        share|improve this answer




























          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "244"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsqa.stackexchange.com%2fquestions%2f39246%2ftesting-using-real-data-of-the-customer%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          9 Answers
          9






          active

          oldest

          votes








          9 Answers
          9






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          16














          Depends on your definition of testing, anonymized data is widely used by Microsoft and others for monitoring and testing in production, it's the basis for A/B testing or monitoring for example.



          In Europe the GDPR does not allow usage of private data, but the GDPR does not apply to anonymised information and anonymised data can be used without consent. Anonymised data is defined as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”



          Be careful though, you need to be careful on how data is anonymised and make sure it is really irreversible.






          share|improve this answer


























          • Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

            – Niels van Reijmersdal
            May 21 at 8:25











          • "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

            – Niels van Reijmersdal
            May 21 at 8:26













          • Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

            – Rsf
            May 21 at 8:49






          • 2





            Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

            – Niels van Reijmersdal
            May 21 at 8:55






          • 1





            @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

            – Bakuriu
            May 22 at 19:42
















          16














          Depends on your definition of testing, anonymized data is widely used by Microsoft and others for monitoring and testing in production, it's the basis for A/B testing or monitoring for example.



          In Europe the GDPR does not allow usage of private data, but the GDPR does not apply to anonymised information and anonymised data can be used without consent. Anonymised data is defined as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”



          Be careful though, you need to be careful on how data is anonymised and make sure it is really irreversible.






          share|improve this answer


























          • Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

            – Niels van Reijmersdal
            May 21 at 8:25











          • "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

            – Niels van Reijmersdal
            May 21 at 8:26













          • Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

            – Rsf
            May 21 at 8:49






          • 2





            Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

            – Niels van Reijmersdal
            May 21 at 8:55






          • 1





            @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

            – Bakuriu
            May 22 at 19:42














          16












          16








          16







          Depends on your definition of testing, anonymized data is widely used by Microsoft and others for monitoring and testing in production, it's the basis for A/B testing or monitoring for example.



          In Europe the GDPR does not allow usage of private data, but the GDPR does not apply to anonymised information and anonymised data can be used without consent. Anonymised data is defined as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”



          Be careful though, you need to be careful on how data is anonymised and make sure it is really irreversible.






          share|improve this answer













          Depends on your definition of testing, anonymized data is widely used by Microsoft and others for monitoring and testing in production, it's the basis for A/B testing or monitoring for example.



          In Europe the GDPR does not allow usage of private data, but the GDPR does not apply to anonymised information and anonymised data can be used without consent. Anonymised data is defined as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.”



          Be careful though, you need to be careful on how data is anonymised and make sure it is really irreversible.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 20 at 8:41









          RsfRsf

          4,6671 gold badge15 silver badges29 bronze badges




          4,6671 gold badge15 silver badges29 bronze badges
















          • Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

            – Niels van Reijmersdal
            May 21 at 8:25











          • "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

            – Niels van Reijmersdal
            May 21 at 8:26













          • Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

            – Rsf
            May 21 at 8:49






          • 2





            Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

            – Niels van Reijmersdal
            May 21 at 8:55






          • 1





            @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

            – Bakuriu
            May 22 at 19:42



















          • Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

            – Niels van Reijmersdal
            May 21 at 8:25











          • "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

            – Niels van Reijmersdal
            May 21 at 8:26













          • Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

            – Rsf
            May 21 at 8:49






          • 2





            Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

            – Niels van Reijmersdal
            May 21 at 8:55






          • 1





            @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

            – Bakuriu
            May 22 at 19:42

















          Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

          – Niels van Reijmersdal
          May 21 at 8:25





          Why wouldn't the GDPR allow production customer data to be used for testing? They gave consent to use it in production. I can't think of a reason you can't use it for testing, as long you have appropriate measures in place to protect their privacy in the testing environment. What those measures are depends on the context and risks. A bank might take more measures like truly anonymising. datalumen.eu/… While testers of a smaller Content Management System might not anyonmise the email account names of its users.

          – Niels van Reijmersdal
          May 21 at 8:25













          "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

          – Niels van Reijmersdal
          May 21 at 8:26







          "In Europe the GDPR does not allow usage of private data" it does with right the consent. So technically you could also ask a sample (or all) of your users to consent to use their data for testing.

          – Niels van Reijmersdal
          May 21 at 8:26















          Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

          – Rsf
          May 21 at 8:49





          Good point, I guess that an explicit consent to use the data in testing should work, but it will burden the company and testers with paperwork, restrictions and procedures to keep the data private and secure. From the top of my mind I would guess that access to this data will be on a need-to-use only, it will have to be as secure as the production environment even to internal accesses and you will need to remove it if the client asks you to.

          – Rsf
          May 21 at 8:49




          2




          2





          Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

          – Niels van Reijmersdal
          May 21 at 8:55





          Yes, but testing might be a valid need-to-use case, for example for reproduction of defects. Companies probably have a "legitimate interest" to use data for testing purposes, you might have to document a legitimate interest assessment. Also I would have measures like clear and documented (shorter) retentions limits for testing data based on real-data.

          – Niels van Reijmersdal
          May 21 at 8:55




          1




          1





          @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

          – Bakuriu
          May 22 at 19:42





          @NielsvanReijmersdal I think that you are wrong. GDPR requires privacy by default. I don't think that having a "legitimate interest" means nothing to GDPR. If you search Test Data Management + GDPR you find tons of articles, none suggests that simply adding a checkbox when filling the privacy forms would fix the issue as such I believe that your reasoning is quite naive in this regard. IMHO, from the point of view of an user I don't think that pseunonymization poses an "undue burden" to the company, it's a quite cheap price to pay for a small amount of privacy.

          – Bakuriu
          May 22 at 19:42













          9














          I wouldn't say it is common to use real data in testing, although the customer might provide a subset of "real" data in order to facilitate the process.



          Apart from the privacy and business issues, there are also the legal ones, e.g. General Data Protection Regulation (GDPR) has been enforced since 25 May 2018 in Europe (but I think every company dealing with another company from the EU should take notice).



          GDPR takes a very strict approach (fines) when dealing with personal data (and personal data is practically any data concerning a person - so this is a very broad definition) so it is better to just use test data, at least in this context.






          share|improve this answer





















          • 4





            It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

            – trashpanda
            May 20 at 8:36






          • 1





            I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

            – Mate Mrše
            May 20 at 8:41
















          9














          I wouldn't say it is common to use real data in testing, although the customer might provide a subset of "real" data in order to facilitate the process.



          Apart from the privacy and business issues, there are also the legal ones, e.g. General Data Protection Regulation (GDPR) has been enforced since 25 May 2018 in Europe (but I think every company dealing with another company from the EU should take notice).



          GDPR takes a very strict approach (fines) when dealing with personal data (and personal data is practically any data concerning a person - so this is a very broad definition) so it is better to just use test data, at least in this context.






          share|improve this answer





















          • 4





            It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

            – trashpanda
            May 20 at 8:36






          • 1





            I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

            – Mate Mrše
            May 20 at 8:41














          9












          9








          9







          I wouldn't say it is common to use real data in testing, although the customer might provide a subset of "real" data in order to facilitate the process.



          Apart from the privacy and business issues, there are also the legal ones, e.g. General Data Protection Regulation (GDPR) has been enforced since 25 May 2018 in Europe (but I think every company dealing with another company from the EU should take notice).



          GDPR takes a very strict approach (fines) when dealing with personal data (and personal data is practically any data concerning a person - so this is a very broad definition) so it is better to just use test data, at least in this context.






          share|improve this answer













          I wouldn't say it is common to use real data in testing, although the customer might provide a subset of "real" data in order to facilitate the process.



          Apart from the privacy and business issues, there are also the legal ones, e.g. General Data Protection Regulation (GDPR) has been enforced since 25 May 2018 in Europe (but I think every company dealing with another company from the EU should take notice).



          GDPR takes a very strict approach (fines) when dealing with personal data (and personal data is practically any data concerning a person - so this is a very broad definition) so it is better to just use test data, at least in this context.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 20 at 8:10









          Mate MršeMate Mrše

          5923 silver badges26 bronze badges




          5923 silver badges26 bronze badges











          • 4





            It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

            – trashpanda
            May 20 at 8:36






          • 1





            I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

            – Mate Mrše
            May 20 at 8:41














          • 4





            It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

            – trashpanda
            May 20 at 8:36






          • 1





            I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

            – Mate Mrše
            May 20 at 8:41








          4




          4





          It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

          – trashpanda
          May 20 at 8:36





          It's more common in Financial Tech as, everywhere I've been, have to use real customer data to test and reproduce customer outcomes. For example, if Mr. Jones received the wrong interest rate in Production, then we'll use his details in a Test environment to see if it triggers the same (incorrect) interest rate. You'll probably find in the Terms and Conditions that you're agreeing to the company using your details in this way :)

          – trashpanda
          May 20 at 8:36




          1




          1





          I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

          – Mate Mrše
          May 20 at 8:41





          I see that it is hard to fake that kind of data. Also, if you are working with multiple institutions (let us say a credit card company, an internet banking company, and a bank) I guess it would be really hard to agree on a data examples of decent quality .

          – Mate Mrše
          May 20 at 8:41











          6














          It depends



          In some industries it's not feasible to test without customer data. Sometimes it's not possible to properly anonymize said data - I test software that uses the US social security number for a large number of lookups. That means that any method of anonymization must ensure that the social security number of a given person must produce the same result across multiple tables while retaining the standard social security number format and not violating US regulations on what constitutes a valid social security number. That's just one example of a case where not using real data is somewhere between difficult and infeasible.



          Another example - from the same software (which is also legacy software dating from 2002) - is a situation where data syncs between multiple systems. If your application is not the system of record (that is, the master system), you may not be able to anonymize data without losing the ability to sync to the master system. The software I test is a web application that sends updated data to a mainframe and receives updated information from the mainframe. If the data used by the web application differs too much from the data on the mainframe, the mainframe can't work with the data sent by the web application, and the entire sync breaks down.



          Another situation where customer data may be necessary is where the customer's configuration is sufficiently unusual/unique enough that it's not feasible to mimic that configuration in order to reproduce a reported bug. In a previous job I had this happen, where there were four separate bugs that produced the same outcome as the customer's actual bug, and I found all of them before I was able to use the customer's data to reproduce the actual bug.



          Scalability issues can be challenging without a database the size of a customer one - if the test database is of a modest size while the customer's data set is over a terabyte, it may be impossible to reproduce that customer's problems with the test database. I've seen this happen, and had to sign the non-disclosure agreements that went with the customer mailing us a copy of their database to work with. In those cases, we agreed to user their data only for as long as we needed it to reproduce and fix the problem they were having. That was acceptable with the PCI compliance rules at the time - I don't know if it would be acceptable now since I'm not currently working with software that requires that standard.



          That said, email addresses are always changed, usually to one of our internal email addresses so we can test the emails that should be sent to customers, and purge the database of real users whenever we take a copy of the production database to use for testing.






          share|improve this answer


























          • feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

            – Rsf
            May 23 at 8:23













          • @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

            – Kate Paulk
            May 23 at 11:09
















          6














          It depends



          In some industries it's not feasible to test without customer data. Sometimes it's not possible to properly anonymize said data - I test software that uses the US social security number for a large number of lookups. That means that any method of anonymization must ensure that the social security number of a given person must produce the same result across multiple tables while retaining the standard social security number format and not violating US regulations on what constitutes a valid social security number. That's just one example of a case where not using real data is somewhere between difficult and infeasible.



          Another example - from the same software (which is also legacy software dating from 2002) - is a situation where data syncs between multiple systems. If your application is not the system of record (that is, the master system), you may not be able to anonymize data without losing the ability to sync to the master system. The software I test is a web application that sends updated data to a mainframe and receives updated information from the mainframe. If the data used by the web application differs too much from the data on the mainframe, the mainframe can't work with the data sent by the web application, and the entire sync breaks down.



          Another situation where customer data may be necessary is where the customer's configuration is sufficiently unusual/unique enough that it's not feasible to mimic that configuration in order to reproduce a reported bug. In a previous job I had this happen, where there were four separate bugs that produced the same outcome as the customer's actual bug, and I found all of them before I was able to use the customer's data to reproduce the actual bug.



          Scalability issues can be challenging without a database the size of a customer one - if the test database is of a modest size while the customer's data set is over a terabyte, it may be impossible to reproduce that customer's problems with the test database. I've seen this happen, and had to sign the non-disclosure agreements that went with the customer mailing us a copy of their database to work with. In those cases, we agreed to user their data only for as long as we needed it to reproduce and fix the problem they were having. That was acceptable with the PCI compliance rules at the time - I don't know if it would be acceptable now since I'm not currently working with software that requires that standard.



          That said, email addresses are always changed, usually to one of our internal email addresses so we can test the emails that should be sent to customers, and purge the database of real users whenever we take a copy of the production database to use for testing.






          share|improve this answer


























          • feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

            – Rsf
            May 23 at 8:23













          • @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

            – Kate Paulk
            May 23 at 11:09














          6












          6








          6







          It depends



          In some industries it's not feasible to test without customer data. Sometimes it's not possible to properly anonymize said data - I test software that uses the US social security number for a large number of lookups. That means that any method of anonymization must ensure that the social security number of a given person must produce the same result across multiple tables while retaining the standard social security number format and not violating US regulations on what constitutes a valid social security number. That's just one example of a case where not using real data is somewhere between difficult and infeasible.



          Another example - from the same software (which is also legacy software dating from 2002) - is a situation where data syncs between multiple systems. If your application is not the system of record (that is, the master system), you may not be able to anonymize data without losing the ability to sync to the master system. The software I test is a web application that sends updated data to a mainframe and receives updated information from the mainframe. If the data used by the web application differs too much from the data on the mainframe, the mainframe can't work with the data sent by the web application, and the entire sync breaks down.



          Another situation where customer data may be necessary is where the customer's configuration is sufficiently unusual/unique enough that it's not feasible to mimic that configuration in order to reproduce a reported bug. In a previous job I had this happen, where there were four separate bugs that produced the same outcome as the customer's actual bug, and I found all of them before I was able to use the customer's data to reproduce the actual bug.



          Scalability issues can be challenging without a database the size of a customer one - if the test database is of a modest size while the customer's data set is over a terabyte, it may be impossible to reproduce that customer's problems with the test database. I've seen this happen, and had to sign the non-disclosure agreements that went with the customer mailing us a copy of their database to work with. In those cases, we agreed to user their data only for as long as we needed it to reproduce and fix the problem they were having. That was acceptable with the PCI compliance rules at the time - I don't know if it would be acceptable now since I'm not currently working with software that requires that standard.



          That said, email addresses are always changed, usually to one of our internal email addresses so we can test the emails that should be sent to customers, and purge the database of real users whenever we take a copy of the production database to use for testing.






          share|improve this answer













          It depends



          In some industries it's not feasible to test without customer data. Sometimes it's not possible to properly anonymize said data - I test software that uses the US social security number for a large number of lookups. That means that any method of anonymization must ensure that the social security number of a given person must produce the same result across multiple tables while retaining the standard social security number format and not violating US regulations on what constitutes a valid social security number. That's just one example of a case where not using real data is somewhere between difficult and infeasible.



          Another example - from the same software (which is also legacy software dating from 2002) - is a situation where data syncs between multiple systems. If your application is not the system of record (that is, the master system), you may not be able to anonymize data without losing the ability to sync to the master system. The software I test is a web application that sends updated data to a mainframe and receives updated information from the mainframe. If the data used by the web application differs too much from the data on the mainframe, the mainframe can't work with the data sent by the web application, and the entire sync breaks down.



          Another situation where customer data may be necessary is where the customer's configuration is sufficiently unusual/unique enough that it's not feasible to mimic that configuration in order to reproduce a reported bug. In a previous job I had this happen, where there were four separate bugs that produced the same outcome as the customer's actual bug, and I found all of them before I was able to use the customer's data to reproduce the actual bug.



          Scalability issues can be challenging without a database the size of a customer one - if the test database is of a modest size while the customer's data set is over a terabyte, it may be impossible to reproduce that customer's problems with the test database. I've seen this happen, and had to sign the non-disclosure agreements that went with the customer mailing us a copy of their database to work with. In those cases, we agreed to user their data only for as long as we needed it to reproduce and fix the problem they were having. That was acceptable with the PCI compliance rules at the time - I don't know if it would be acceptable now since I'm not currently working with software that requires that standard.



          That said, email addresses are always changed, usually to one of our internal email addresses so we can test the emails that should be sent to customers, and purge the database of real users whenever we take a copy of the production database to use for testing.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered May 20 at 12:05









          Kate PaulkKate Paulk

          25.9k6 gold badges43 silver badges90 bronze badges




          25.9k6 gold badges43 silver badges90 bronze badges
















          • feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

            – Rsf
            May 23 at 8:23













          • @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

            – Kate Paulk
            May 23 at 11:09



















          • feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

            – Rsf
            May 23 at 8:23













          • @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

            – Kate Paulk
            May 23 at 11:09

















          feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

          – Rsf
          May 23 at 8:23







          feasibility has nothing to do with legality, it's your problem if you can't test something without real data, not the customers. In Europe under the GDPR it's common to anonymize data and not just email addresses see this

          – Rsf
          May 23 at 8:23















          @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

          – Kate Paulk
          May 23 at 11:09





          @Rsf - No argument from me - unfortunately I didn't build the system in question - which is not in any way GDPR-compliant and probably can't be made that way.

          – Kate Paulk
          May 23 at 11:09











          4














          Principles related to the processing of personal data




          Personal data shall be obtained only for one or more specified and
          lawful purposes, and shall not be further processed in any manner
          incompatible with that purpose or those purposes.




          So as per data protection law applied, production data can’t be processed for ulterior purposes from when it was originally obtained, without explicit permission from the data subject, an unrealistic scenario.






          share|improve this answer






























            4














            Principles related to the processing of personal data




            Personal data shall be obtained only for one or more specified and
            lawful purposes, and shall not be further processed in any manner
            incompatible with that purpose or those purposes.




            So as per data protection law applied, production data can’t be processed for ulterior purposes from when it was originally obtained, without explicit permission from the data subject, an unrealistic scenario.






            share|improve this answer




























              4












              4








              4







              Principles related to the processing of personal data




              Personal data shall be obtained only for one or more specified and
              lawful purposes, and shall not be further processed in any manner
              incompatible with that purpose or those purposes.




              So as per data protection law applied, production data can’t be processed for ulterior purposes from when it was originally obtained, without explicit permission from the data subject, an unrealistic scenario.






              share|improve this answer













              Principles related to the processing of personal data




              Personal data shall be obtained only for one or more specified and
              lawful purposes, and shall not be further processed in any manner
              incompatible with that purpose or those purposes.




              So as per data protection law applied, production data can’t be processed for ulterior purposes from when it was originally obtained, without explicit permission from the data subject, an unrealistic scenario.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered May 20 at 12:00









              Nitin RastogiNitin Rastogi

              3,1211 gold badge15 silver badges41 bronze badges




              3,1211 gold badge15 silver badges41 bronze badges


























                  3














                  I would not recommend using real customer data for testing. On argument was already mentioned: unlawful use of customer data.



                  Another problem which can arise: leaking confidential business information. Imagine this scenario: due to a bug or misconfiguration, your test system suddenly sends out real email. Real persons now get a newsletter for a new product your company is developing with critical details.



                  Better be safe, use dedicated test data with adresses, emails and mobile phone numbers reserved for your testing only.






                  share|improve this answer





















                  • 1





                    You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

                    – trashpanda
                    May 20 at 12:24











                  • See @Nitin Rastogi's answer

                    – trashpanda
                    May 20 at 12:24
















                  3














                  I would not recommend using real customer data for testing. On argument was already mentioned: unlawful use of customer data.



                  Another problem which can arise: leaking confidential business information. Imagine this scenario: due to a bug or misconfiguration, your test system suddenly sends out real email. Real persons now get a newsletter for a new product your company is developing with critical details.



                  Better be safe, use dedicated test data with adresses, emails and mobile phone numbers reserved for your testing only.






                  share|improve this answer





















                  • 1





                    You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

                    – trashpanda
                    May 20 at 12:24











                  • See @Nitin Rastogi's answer

                    – trashpanda
                    May 20 at 12:24














                  3












                  3








                  3







                  I would not recommend using real customer data for testing. On argument was already mentioned: unlawful use of customer data.



                  Another problem which can arise: leaking confidential business information. Imagine this scenario: due to a bug or misconfiguration, your test system suddenly sends out real email. Real persons now get a newsletter for a new product your company is developing with critical details.



                  Better be safe, use dedicated test data with adresses, emails and mobile phone numbers reserved for your testing only.






                  share|improve this answer













                  I would not recommend using real customer data for testing. On argument was already mentioned: unlawful use of customer data.



                  Another problem which can arise: leaking confidential business information. Imagine this scenario: due to a bug or misconfiguration, your test system suddenly sends out real email. Real persons now get a newsletter for a new product your company is developing with critical details.



                  Better be safe, use dedicated test data with adresses, emails and mobile phone numbers reserved for your testing only.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered May 20 at 8:25









                  globalwormingglobalworming

                  3499 bronze badges




                  3499 bronze badges











                  • 1





                    You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

                    – trashpanda
                    May 20 at 12:24











                  • See @Nitin Rastogi's answer

                    – trashpanda
                    May 20 at 12:24














                  • 1





                    You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

                    – trashpanda
                    May 20 at 12:24











                  • See @Nitin Rastogi's answer

                    – trashpanda
                    May 20 at 12:24








                  1




                  1





                  You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

                  – trashpanda
                  May 20 at 12:24





                  You'll probably find a clause buried in the Terms and Conditions somewhere which gives the company your permission to use your personal data for testing purposes - if you're giving them your permission, then it's not unlawful.

                  – trashpanda
                  May 20 at 12:24













                  See @Nitin Rastogi's answer

                  – trashpanda
                  May 20 at 12:24





                  See @Nitin Rastogi's answer

                  – trashpanda
                  May 20 at 12:24











                  2














                  There are situations that are almost impossible to fully test without live data of some kind. However, we may not need to use customer data. I have tested with my live credit and debit cards when I needed to do an "End to End" test of a system. There are bugs that show up only in such a test. A small amount used in a test can be written off based on how much the customer is paying for quality software (but talk to accounting first).






                  share|improve this answer


























                  • This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

                    – Kate Paulk
                    May 22 at 19:36
















                  2














                  There are situations that are almost impossible to fully test without live data of some kind. However, we may not need to use customer data. I have tested with my live credit and debit cards when I needed to do an "End to End" test of a system. There are bugs that show up only in such a test. A small amount used in a test can be written off based on how much the customer is paying for quality software (but talk to accounting first).






                  share|improve this answer


























                  • This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

                    – Kate Paulk
                    May 22 at 19:36














                  2












                  2








                  2







                  There are situations that are almost impossible to fully test without live data of some kind. However, we may not need to use customer data. I have tested with my live credit and debit cards when I needed to do an "End to End" test of a system. There are bugs that show up only in such a test. A small amount used in a test can be written off based on how much the customer is paying for quality software (but talk to accounting first).






                  share|improve this answer













                  There are situations that are almost impossible to fully test without live data of some kind. However, we may not need to use customer data. I have tested with my live credit and debit cards when I needed to do an "End to End" test of a system. There are bugs that show up only in such a test. A small amount used in a test can be written off based on how much the customer is paying for quality software (but talk to accounting first).







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered May 22 at 19:05









                  DaveDave

                  211 bronze badge




                  211 bronze badge
















                  • This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

                    – Kate Paulk
                    May 22 at 19:36



















                  • This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

                    – Kate Paulk
                    May 22 at 19:36

















                  This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

                  – Kate Paulk
                  May 22 at 19:36





                  This is where having and knowing test credit/debit cards and card numbers can be helpful. Also where you can connect to the provider's test service rather than use the real one for testing. There are still times where their test service will have bugs their live service doesn't, so it will depend on your situation.

                  – Kate Paulk
                  May 22 at 19:36











                  2














                  Others have mentioned the GDPR, but there are also industry specific rules and constraints.



                  If you’re dealing with payment data, such as credit cards and cardholder data, the PCI DSS has an explicit prohibition on using actual customer data for testing.



                  Also, the US government has developed draft guidelines on this exact topic:
                  DPIAC Privacy Recommendations on the Use of Live Data 4 in Research, Testing, or Training (pdf file). They are not official yet, but you can consider them a good starting point.






                  share|improve this answer
































                    2














                    Others have mentioned the GDPR, but there are also industry specific rules and constraints.



                    If you’re dealing with payment data, such as credit cards and cardholder data, the PCI DSS has an explicit prohibition on using actual customer data for testing.



                    Also, the US government has developed draft guidelines on this exact topic:
                    DPIAC Privacy Recommendations on the Use of Live Data 4 in Research, Testing, or Training (pdf file). They are not official yet, but you can consider them a good starting point.






                    share|improve this answer






























                      2












                      2








                      2







                      Others have mentioned the GDPR, but there are also industry specific rules and constraints.



                      If you’re dealing with payment data, such as credit cards and cardholder data, the PCI DSS has an explicit prohibition on using actual customer data for testing.



                      Also, the US government has developed draft guidelines on this exact topic:
                      DPIAC Privacy Recommendations on the Use of Live Data 4 in Research, Testing, or Training (pdf file). They are not official yet, but you can consider them a good starting point.






                      share|improve this answer















                      Others have mentioned the GDPR, but there are also industry specific rules and constraints.



                      If you’re dealing with payment data, such as credit cards and cardholder data, the PCI DSS has an explicit prohibition on using actual customer data for testing.



                      Also, the US government has developed draft guidelines on this exact topic:
                      DPIAC Privacy Recommendations on the Use of Live Data 4 in Research, Testing, or Training (pdf file). They are not official yet, but you can consider them a good starting point.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Jun 11 at 9:55









                      Bulat

                      2963 silver badges8 bronze badges




                      2963 silver badges8 bronze badges










                      answered May 21 at 12:49









                      John DetersJohn Deters

                      1611 bronze badge




                      1611 bronze badge


























                          1














                          As others have highlighted its definitely a very grey area!



                          Most companies I've worked for do use real customer data (with or without the customers knowledge!). Mainly because sometimes with complex systems, certain issues are unable to be reproduced with test data. On numerous occasions i have found issues we are unable to reproduce without using real data.



                          We should always try to at least obfuscate/anonymise the data as best as we can






                          share|improve this answer






























                            1














                            As others have highlighted its definitely a very grey area!



                            Most companies I've worked for do use real customer data (with or without the customers knowledge!). Mainly because sometimes with complex systems, certain issues are unable to be reproduced with test data. On numerous occasions i have found issues we are unable to reproduce without using real data.



                            We should always try to at least obfuscate/anonymise the data as best as we can






                            share|improve this answer




























                              1












                              1








                              1







                              As others have highlighted its definitely a very grey area!



                              Most companies I've worked for do use real customer data (with or without the customers knowledge!). Mainly because sometimes with complex systems, certain issues are unable to be reproduced with test data. On numerous occasions i have found issues we are unable to reproduce without using real data.



                              We should always try to at least obfuscate/anonymise the data as best as we can






                              share|improve this answer













                              As others have highlighted its definitely a very grey area!



                              Most companies I've worked for do use real customer data (with or without the customers knowledge!). Mainly because sometimes with complex systems, certain issues are unable to be reproduced with test data. On numerous occasions i have found issues we are unable to reproduce without using real data.



                              We should always try to at least obfuscate/anonymise the data as best as we can







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered May 23 at 0:03









                              jagradangjagradang

                              111 bronze badge




                              111 bronze badge


























                                  0















                                  Is it common to use real data of the customer to perform testing?




                                  Yes, in smaller engineering teams this is very common. They just blindly copy production data into a testing environment. In larger corporates hopefully they have pragmatic internal policies to guide this. Certainly if the data is of sensitive personal nature.




                                  What policies companies apply regarding using real data of the
                                  customer for testing purposes?





                                  • A thorough ISO 27001/2 implementation would probably cover how data is available to testers. This article shows depth on the subject, resulting in two conclusions:


                                    1. Development, testing, and change management require clear written information security policies.

                                    2. The organization must enforce the policies in all projects and have evidence.





                                  Is there any legislations regarding such issues?





                                  • General Data Protection Regulation: https://gdpr-info.eu/

                                  • The medical and financial industries also have a lot of acts and regulations that might influence this. I think it is much to sum up as each industry has its own standards.


                                  Data could also be owned by someone else than the owner of the software. You might need formal sign off to use real data in a test environment from a client for example.



                                  I would suggest you get legal counsel from someone who understand the domain you are building and testing software in. Together research risks, contracts and the law.






                                  share|improve this answer






























                                    0















                                    Is it common to use real data of the customer to perform testing?




                                    Yes, in smaller engineering teams this is very common. They just blindly copy production data into a testing environment. In larger corporates hopefully they have pragmatic internal policies to guide this. Certainly if the data is of sensitive personal nature.




                                    What policies companies apply regarding using real data of the
                                    customer for testing purposes?





                                    • A thorough ISO 27001/2 implementation would probably cover how data is available to testers. This article shows depth on the subject, resulting in two conclusions:


                                      1. Development, testing, and change management require clear written information security policies.

                                      2. The organization must enforce the policies in all projects and have evidence.





                                    Is there any legislations regarding such issues?





                                    • General Data Protection Regulation: https://gdpr-info.eu/

                                    • The medical and financial industries also have a lot of acts and regulations that might influence this. I think it is much to sum up as each industry has its own standards.


                                    Data could also be owned by someone else than the owner of the software. You might need formal sign off to use real data in a test environment from a client for example.



                                    I would suggest you get legal counsel from someone who understand the domain you are building and testing software in. Together research risks, contracts and the law.






                                    share|improve this answer




























                                      0












                                      0








                                      0








                                      Is it common to use real data of the customer to perform testing?




                                      Yes, in smaller engineering teams this is very common. They just blindly copy production data into a testing environment. In larger corporates hopefully they have pragmatic internal policies to guide this. Certainly if the data is of sensitive personal nature.




                                      What policies companies apply regarding using real data of the
                                      customer for testing purposes?





                                      • A thorough ISO 27001/2 implementation would probably cover how data is available to testers. This article shows depth on the subject, resulting in two conclusions:


                                        1. Development, testing, and change management require clear written information security policies.

                                        2. The organization must enforce the policies in all projects and have evidence.





                                      Is there any legislations regarding such issues?





                                      • General Data Protection Regulation: https://gdpr-info.eu/

                                      • The medical and financial industries also have a lot of acts and regulations that might influence this. I think it is much to sum up as each industry has its own standards.


                                      Data could also be owned by someone else than the owner of the software. You might need formal sign off to use real data in a test environment from a client for example.



                                      I would suggest you get legal counsel from someone who understand the domain you are building and testing software in. Together research risks, contracts and the law.






                                      share|improve this answer














                                      Is it common to use real data of the customer to perform testing?




                                      Yes, in smaller engineering teams this is very common. They just blindly copy production data into a testing environment. In larger corporates hopefully they have pragmatic internal policies to guide this. Certainly if the data is of sensitive personal nature.




                                      What policies companies apply regarding using real data of the
                                      customer for testing purposes?





                                      • A thorough ISO 27001/2 implementation would probably cover how data is available to testers. This article shows depth on the subject, resulting in two conclusions:


                                        1. Development, testing, and change management require clear written information security policies.

                                        2. The organization must enforce the policies in all projects and have evidence.





                                      Is there any legislations regarding such issues?





                                      • General Data Protection Regulation: https://gdpr-info.eu/

                                      • The medical and financial industries also have a lot of acts and regulations that might influence this. I think it is much to sum up as each industry has its own standards.


                                      Data could also be owned by someone else than the owner of the software. You might need formal sign off to use real data in a test environment from a client for example.



                                      I would suggest you get legal counsel from someone who understand the domain you are building and testing software in. Together research risks, contracts and the law.







                                      share|improve this answer












                                      share|improve this answer



                                      share|improve this answer










                                      answered May 23 at 8:31









                                      Niels van ReijmersdalNiels van Reijmersdal

                                      23.1k2 gold badges34 silver badges85 bronze badges




                                      23.1k2 gold badges34 silver badges85 bronze badges

































                                          draft saved

                                          draft discarded




















































                                          Thanks for contributing an answer to Software Quality Assurance & Testing Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsqa.stackexchange.com%2fquestions%2f39246%2ftesting-using-real-data-of-the-customer%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

                                          He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

                                          Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029