GDPR Test Data Management Strategy

How to Create Your GDPR Compliant Test Data Management Strategy

Does your company currently view Test Data Management in an environmental capacity? Perhaps copying and masking your production data has been a sufficiently robust strategy for your TDM requirements to date?

~ Written By Lara Irwin

11 Months and Counting

The GDPR, finalised on 14 April last year is set to change all that, and, with a 2-year implementation period, you only have 11 months to comply with the new requirements under the Regulation. The penalties for falling foul of the GDPR range from 2% of your annual revenue or €10 million, whichever is the greater, to 4% or €20 million, depending on the severity of the breach.  Under the GDPR you need to identify all your different types of data, understand who is using it and for how long and what they are doing with it. You’ll also need to put in place special measures to restrict usage only to those who have special authorisation. Copying, masking and even sub-setting may no longer be enough to meet the Regulatory requirements particularly where production data is being used in test environments. So, let’s take a look at different types of data management techniques, the associated challenges, GDPR compliance and the wider business benefits of a strong TDM strategy.

Copying, Masking Encryption & Sub-setting

You are doubtless already copying, encrypting and masking your data to comply with current legislation and you may even be sub-setting your data. This is an excellent starting point on your TDM journey and, if you’re finding the process a little slow, you’ll be glad to know that there is a new generation of innovative data masking tools like CA’s TDM tool, with multiple masking engines, to cloak millions of rows of data with artificial information, in minutes, while still maintaining the integrity required to accurately execute your test strategy. HPE’s SecureData Enterprise enables data encryption and tokenization without changes to data format or integrity and it can help you achieve end-to-end data protection across mainframes and open systems in production, development and test environments, in 60 days or less. If you’re already sub-setting your production data then you should be seeing a reduction in infrastructure costs over time.  

These techniques have been seen to be sufficient so far, although we find a lot of businesses seek our expertise because they are struggling to implement them really well. To add to this challenge, the GDPR introduces a new dimension that ups the ante – data subjects must not be able to be identified at all without additional information stored in a different location from the masked data. This requires a great deal more masking than was previously required for regulatory compliance, so, particularly for clients who hold a large amount of complex data, this can become a time-consuming and expensive task which requires delicate balancing if the data is to remain useful in a test environment. These challenges often result in the masking not being carried out to the necessary level so that the data is not secure or compliant, leaving your business open to penalties and reputational damage in the event of a breach. Poor coverage of production data can also result in projects being delayed, budgets being exceeded, test strategies failing, and a high volume of production defects.

Synthetic Data

Generating synthetic data could be the most time and cost-effective and secure solution for many businesses. Today’s sophisticated tools can integrate directly with APIs, mainframe or relational database systems to quickly create synthetic data of sufficient quality to enable 100% test coverage. In many cases a hybrid combination of masking and synthetic data creation will be the optimal solution, along with copying and sub-setting. However, where the data is extremely complex, your TDM consultant may propose a full transition to synthetic data creation.  

People, Processes & Technology

A successful TDM strategy requires some tactical changes to the 3 pillars of People, Processes and Technology - involved in your data usage. This could involve, for example:


  • Creating a dedicated centralised TDM team to combat challenges caused by silo-ed teams who are provisioning, building and profiling data.

Centralisation prevents situations such as when a person in one team alters a set of data which then has a knock-on effect on all other teams with access to the same data. What we want is centralised, reusable data that retains its integrity for test and development purposes.


  • A centralised data access point for testers and developers
  • Access to data is granted on an as needed basis by project and user requirements. If you’re using Microsoft Azure for example, you may consider using Azure AD Privileged Identity Management;
  • Stricter data version control processes
  • Tools for automated data profiling to remove the pain points in a complex IT landscape.
  • Tools for automated data cloning
  • Virtualisation of legacy systems and hardware


  • Tools for automated data profiling to remove the pain points in a complex IT landscape.
  • Tools for automated data cloning
  • Virtualisation of legacy systems and hardware

GDPR Assessment

If your currently reviewing your processes and technology to review how best to identify all your different types of data, understand who is using it and where you need to put in place special measures to restrict usage then Sogeti’s GDPR Assessment can help you to rethink your GDPR compliance strategy. We offer a specific Kick Start that looks at your test data Management strategy whereby:

Stage 1 is a workshop to help you identify systems, databases and processes where you are managing personal data and a current state analysis to determine the maturity of your IT Security. 

The second “Discovery” stage involves automatic searches across all your databases and file servers to find data that falls under the parameters of the GDPR. There are some excellent tools available for this purpose, for example CA Technologies’ Test Data Manager tool provides a cubed view of your sensitive data across all systems, components and applications with highly effective filters for maximum granularity and makes auditing easy. The Microsoft Azure Information Protection tool helps you to classify all your data and embed labels and permissions, giving you better control over data used both internally for example in a test environment and shared externally over email and in attached or hard copy documentation. 

Stage 3 of the GDPR Assessment is a presentation of the findings of the Workshop and Discovery phases to define a roadmap. 

Beyond the assessment we can offer a pilot or proof of concept. For more information on Sogeti’s GDPR Services you can visit our website here.  Alternatively call us on 0330 588 8200 to discuss the various Microsoft, HPE, CA and IBM tools we use, and the right strategy to ensure that your business is GDPR compliant in 11 months’ time.

  • Sogeti UK
    Sogeti UK
    Make an enquiry
    0330 588 8000