Did you know that you need to pseudonymise test system data?
What is the legal background?
Since the EU GDPR became applicable in May 2018, companies have been required to delete personal data as soon as it is no longer needed. Likewise, personal data may only be accessible to those employees who need it for their work. The responsible national data protection authorities have already imposed substantial fines on violators. With its data protection package, PROMOS has long offered the option of deleting or anonymising personal data once specified timeframes have elapsed. If required, an information report can also output the data held about a person. The pseudonymisation tool has now been added to the package. It was developed specifically for test systems and falsifies all genuine personal data found there.
Why is a special solution for test systems needed?
Test systems are used whenever new functionalities, solutions or simple customising changes need to be checked for effectiveness and manageability. For this purpose, people often simply create a one-to-one copy of the live system and then use this copy to test all possible scenarios. The crux of the matter in terms of data protection law is that the test system now contains the genuine data of all business partners, even though most tests do not require the tester to know any of this personal information. This is problematic from a data protection perspective, especially if the test system is used by external parties. On the other hand, the data cannot simply be deleted or replaced by an “X”, as in the case of anonymisation, because testing would then no longer be possible. In addition, anonymising or deleting data in the test system would have to be applied to all data, including that of all active business partners. Executing a report for test purposes obviously serves no purpose if it outputs empty data records or data records consisting of “X”s.
And how can we solve the problem?
The PROMOS solution here entails pseudonymising the data records. For example, an automated algorithm replaces the expression “Thomas Müller” with the pseudo-random expression “Ertzu sdfgh”. The data is pseudonymised taking four crucial criteria into account.
- The converted data for a business partner must be the same at every point in the system. This means that every real expression is always given exactly the same pseudonym wherever it occurs so that the data can be evaluated.
- It must be impossible to derive the original expression from the translation. It is therefore not permissible, for example, to replace every “e” in the system with an “r” and every “l” with an “m”, because such a letter-for-letter substitution is trivially reversible. By the same token, whatever rule or key produces the pseudonyms must not be accessible on the test system itself.
- It must be possible to distinguish the new expressions from one another. Thomas Müller must therefore receive a different pseudonym than Martina Schmidt.
- The replacements must be of the same form. This means, for example, that an e-mail address must still look like an e-mail address following the translation.
Meeting these criteria ensures, firstly, that the data can still be tested: the test data can still be evaluated logically, as tables that previously contained a telephone number still do so, and sending an e-mail to a pseudonymised e-mail address is technically accepted by SAP® because of its structure. Secondly, the personal data is falsified in such a way that it can no longer be viewed or misused.
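The four criteria above map directly onto properties of a keyed, format-preserving pseudonymisation function. The following Python block is an added illustration written for this page; it is not the PROMOS tool (which runs inside SAP®) and makes no claim about how that tool derives its pseudonyms. It uses HMAC-SHA256 under a secret key, so that the same input always yields the same pseudonym (criterion 1), the original cannot be recovered without the key (criterion 2), different inputs yield different pseudonyms (criterion 3), and each value keeps its shape (criterion 4). The field names and sample rows are constructed placeholders, and the per-field method table stands in for the customising settings described later in the article.

```python
"""Keyed, format-preserving pseudonymisation of test-system records (added example)."""
import hashlib
import hmac
import re
import string

# Constructed example key. In practice it would be generated for each test-system
# build and kept only on the job that sets the system up, never on the test system.
SECRET_KEY = b"example-only-key-rotate-per-test-system-build"

_LETTERS = string.ascii_lowercase
_DIGITS = string.digits


def _symbols(value: str, domain: str, alphabet: str, length: int) -> str:
    """Derive `length` symbols from `alphabet` for `value`, keyed by SECRET_KEY.

    HMAC-SHA256 depends on the whole input, so changing one character alters every
    output symbol (unlike a letter-for-letter substitution); without the key the
    original cannot be recovered. The `domain` tag keeps names, e-mail addresses and
    phone numbers in separate namespaces. (Byte-mod-alphabet introduces a slight bias,
    which is irrelevant for pseudonyms that are not secrets.)
    """
    out = []
    counter = 0
    while len(out) < length:
        msg = f"{domain}\x00{value}\x00{counter}".encode("utf-8")
        digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
        out.extend(alphabet[b % len(alphabet)] for b in digest)
        counter += 1
    return "".join(out[:length])


def pseudonymise_name(name: str) -> str:
    """Each whitespace-separated token becomes a capitalised token of the same length."""
    return " ".join(_symbols(t, "name", _LETTERS, len(t)).capitalize() for t in name.split())


def pseudonymise_email(email: str) -> str:
    """Keep the local@domain shape. The domain is moved under the reserved '.example'
    TLD (RFC 2606) so that a test mail can never reach a real mailbox."""
    local, _, domain = email.partition("@")
    label = domain.split(".")[0]
    new_local = _symbols(local, "email-local", _LETTERS, len(local))
    new_domain = _symbols(label, "email-domain", _LETTERS, len(label)) + ".example"
    return f"{new_local}@{new_domain}"


def pseudonymise_phone(phone: str) -> str:
    """Replace every digit; keep '+', spaces, dashes and brackets in place."""
    digits = re.sub(r"\D", "", phone)
    new_digits = iter(_symbols(digits, "phone", _DIGITS, len(digits)))
    return "".join(next(new_digits) if c.isdigit() else c for c in phone)


# Stand-in for the customising table: which field is pseudonymised by which method.
# Field names are placeholders chosen for this example.
FIELD_METHODS = {
    "NAME_FIRST": pseudonymise_name,
    "NAME_LAST": pseudonymise_name,
    "SMTP_ADDR": pseudonymise_email,
    "TEL_NUMBER": pseudonymise_phone,
}


def pseudonymise_record(record: dict) -> dict:
    """Apply the configured method per field; unconfigured fields (keys) pass through."""
    return {k: FIELD_METHODS.get(k, lambda v: v)(v) for k, v in record.items()}


# Constructed sample rows; the persons are fictitious.
SAMPLE_ROWS = [
    {"PARTNER": "0000100001", "NAME_FIRST": "Thomas", "NAME_LAST": "Müller",
     "SMTP_ADDR": "thomas.mueller@example.org", "TEL_NUMBER": "+49 30 1234567"},
    {"PARTNER": "0000100002", "NAME_FIRST": "Martina", "NAME_LAST": "Schmidt",
     "SMTP_ADDR": "m.schmidt@example.org", "TEL_NUMBER": "+49 89 7654321"},
]


def check_criteria(rows=SAMPLE_ROWS) -> dict:
    """Verify the four criteria from the article on the given rows."""
    out = [pseudonymise_record(r) for r in rows]
    again = [pseudonymise_record(r) for r in rows]
    shape_kept = all(
        re.fullmatch(r"[a-z]+@[a-z]+\.example", o["SMTP_ADDR"]) is not None
        and re.sub(r"\d", "9", o["TEL_NUMBER"]) == re.sub(r"\d", "9", r["TEL_NUMBER"])
        and len(o["NAME_LAST"]) == len(r["NAME_LAST"])
        for r, o in zip(rows, out)
    )
    # Two names differing in a single letter share no prefix; a substitution cipher
    # would leave the first five characters identical.
    a, b = pseudonymise_name("Müller"), pseudonymise_name("Mülles")
    return {
        "same_everywhere": out == again,
        "distinct": len({o["NAME_LAST"] for o in out}) == len(rows),
        "shape_kept": shape_kept,
        "not_substitution": a[:5] != b[:5],
    }


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(pseudonymise_record(row))
    print(check_criteria())
```

Because the pseudonym of a value is a pure function of value and key, joins across tables still work after the run (criterion 1) and, unlike a random-replacement approach, no mapping table has to be stored. The flip side, which the article's second criterion points at, is that whoever holds the key can recompute any pseudonym from a guessed original, so the key belongs to the build job, not to the test system.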
Figure 1: Both the first and last name and all other personal data are pseudonymised. In the process, for example, the e-mail address and phone number retain their form.
Figure 2: A log displays the results of the pseudonymisation program.
How does pseudonymisation work technically?
Pseudonymisation is performed simply by running the pseudonymisation program as one step when setting up the test system. In contrast to anonymisation in the live system, pseudonymisation does not require any check of the individual data records, for example whether a retention period has expired. Instead, a generic approach is taken: customising settings define which fields in which tables are to be pseudonymised and how. Based on these settings, the program then pseudonymises all data in standard SAP® tables and in customer-specific tables.
Is pseudonymisation only advisable if the test system is used by third parties?
Nearly every company has a test system that is regularly rebuilt. Here, users can check whether a customising setting or an idea for solving a problem actually works. As a rule, however, the authorisations of test-system users are considerably broader than those in the live system; after all, testers also need to be able to view the results of their tests. In accordance with the need-to-know principle, personal data must be protected when it is used by internal employees as well. Pseudonymisation is therefore often necessary here too.
And if I really need the genuine data for a test?
Some tests are not possible without genuine data. The PROMOS data protection package offers a special feature for such cases: a program that copies a single partner’s data directly from the live system to the test system, overwriting the pseudonymised data. Once the test has been completed, pseudonymisation of that partner can be run again, so that data protection is restored.
The advantages at a glance
The quickest and easiest way to set up a test system is to create a copy of the live system. For data protection reasons, the data it contains must not be viewed by unauthorised persons. Converting the data with the PROMOS pseudonymisation tool is a quick and easy way to provide data that can still be tested and evaluated while the data protection risk of the test system is greatly reduced. Note that under the GDPR, pseudonymised data that can be re-identified with additional information (here, the live system) remains personal data, so access to the test system must still be controlled.
Consultant Real Estate