GDPR – The Forgotten Tests – Test 1

General Data Protection Regulation or GDPR is all about privacy. If a company handles privacy in the right way, then it can dodge penalties like 20 million Euro or 4 % of the worldwide revenue.

Time for a legal break. Right after this break some idea.

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

The following story has been sanitised by me. Important details have been changed.

Bad idea

The job interview was about an agile tester. I thought I could handle that role. The probing questions from the interviewers were increasing. I tried to stay calm and answer the questions in a friendly way.

Then came the expected question about test cases. They should be written beforehand. Time to explore.
“You never know what you will find.”, I remarked.
“Let me give me an example.”

“Your company sent me this mailing.”
I showed a part of the mail.
“At the bottom of the mail I could say, whether I like this mail.”
There were two pictures: one green thumb up and one red thumb down. There was an orange arrow pointing to the thumb up.

“If I hover above the picture of the green thumb, the URL will be shown in the status bar of the mail.” The URL was contained in a red eclipse.

A sketch of a mail with an orange arrow pointing to a thumb up next to a thumb down. The mail also contains a URL in a red eclipse.

“As you notice: the URL is http. This is not secure. If the mail is intercepted, then the reaction of the customer can easily be determined. This is an email about credit, so you can derive that the customer probably has some debts.”

One of the interviewers politely interrupted me:
“Is it possible to intercept mail?”
I gave a technical answer using normal words.
Okay, I got his attention.

Then the exploratory tester awoke in me. And I could not stop him.
“There is a customer number in the mail. This number can be used to get access to an online account.”
I went in full brainstorm mode and described all kinds of product risks or things which could harm the user. I could find information about correspondence about money.

 

I didn’t get the job, but the mailing was fixed afterwards. Obviously 20 million Euros are not enough to qualify as a tester.

But there are retrospectives for.
[On the melody of ‘That’s What Friends Are For’.]

Breakdown

Most of the time primary systems were and are tested for GDPR and national privacy laws. Sometimes this software did not easily support mailings. An easy solution was to use another system outside the company. Specialised in mailings.

All kinds of data like email addresses, names, and profiles were used for mailings. Technical decisions were taken like http instead of https. Somehow the legal department and testers missed something.

According to GDPR the protection of personal data is a fundamental right [ (1) on page 1]. The economic situation of a person can be used for profiling. In turn this can be used to exclude people to get certain services like mortgage [ (75) on page 15].

My tips for testing:

  • become a customer of your own company and use all available channels. Watch for the legal details like the missing s of https. (See last tip)
  • follow security experts on social media. (You know about the last tip)
  • explain legal and security stuff in normal words.
  • let the owner control the flow of information. I should have send my brainstorm on request.
  • read  ‘Here’s Why Your Static Website Needs HTTPS’ by Troy Hunt, a security researcher. It contains an entertaining 25 minute video with several attacks on an http website.
    For people new to security, just watch the video and focus on what you would not like to happen on your website.

Closing note:
At the moment there are browsers showing whether a website is insecure. This was not the case, when I received this mailing.

To be continued.

Explaining exploratory testing with a table

Tables loaded with food and a class of kids playing on a lawn.

Another dad and I picked an all favourite Dutch subject: work.

“What makes a good tester?” the other parent informed.
“A good tester knows about exploratory testing.”

I saw wrinkles on his forehead. This was a bad start for this subject. I had to switch to his context. He was a police agent. Okay, second try.

“Suppose you ask for a driving license.”
I opened my imaginary jacket and pulled out an imaginary object.
“I place a gun on the table and”
I noticed a sudden sharpness.
“then I show you my driving license.”
This time I retrieved a thin imaginary object between my thumb and index finger.

“Would you be interested in the gun?”
“Yes, of course.”
He was constantly switching attention between my hands and the invisible gun on the table.
I continued with
“I would ask questions like
“Do you not feel safe?” or
“Is this your gun?””
He nodded.

Then I explained that a tester adjusts her or his activities based on observations during exploratory testing.

The focus would be on the gun instead of the driving license.

LS In Conf’rence Land

Greetings to the reader or Lectori Salutem.

Texting and talking about diversity

This spring I was invited to speak at a known Dutch test conference. I had a good proposal, so I only had to say: “Yes”. But I had to ponder this carefully. I had a public promise not to speak at a conference with an all male line up.

I also had obliged myself to say: “No”, if there were too few female speakers. Women look different at tech and they need female role models.

This year several male speakers declined to speak at a conference with an all male line up..

There was only one way to find out. Just ask the program committee. I texted my dilemma and asked for the number of female speakers. There were only 2 female speakers selected out of 3. Selection took place on quality of the presentations, theme, and target audience.

I got my dilemma back. Is 2 enough? Looking at the last conference it was an increase of 100% in the number of female speakers. But still it bugged me.

The only way for me to improve the diversity was to make suggestions for the keynote speakers. I texted 3 names of female speakers and subjects fitting to the theme. At the end of the same text message I also agreed to give a workshop.

When I saw the final version of the schedule, I could not suppress a smile on my face: one of my proposed keynote speaker candidates was a speaker with my suggested subject. Yes, mind reading is cool. And there was a female co keynote speaker.

During the conference I saw a tweet about testing of blockchain. There were two speakers and the female one could really explain it. That’s why diversity is so important. Just for the record the tweet was sent by an experienced male tester. And it was not me.

Continuing talking about diversity

Same test conference. There was a representative of a European test conference. One thing about the conf this size fits only 1. And I could not resist the urge to talk about diversity. The answer was of course quality. And the programme committee decided about the talks. Also the names of the submitters were not shown to the reviewers of the proposals.

I was not quite convincing. So the woman offered me her email address to send more information. So I sent information about Karoline Sczcur and a link to  A Balanced Conference Card. I received a polite Thank you.

So what went wrong?
Time for a retrospective. Yes it is an agile thing to do.

I had not prepared some talk. So here is the rebound.
As an organiser you can give guidelines to the programme committee. And you can reach out to female speakers in a positive way. Yes it takes time.

More important is to realise what is diversity about. People who think alike come with solutions alike. This means that these people will fall in the same pitfall.

Back to the conference. If there are a lot of white male speakers, then afterwards the attendees will make similar white male speaker errors. A female perspective can add a different and effective approach.

Also. What works for a white male engineer, might not work for a female engineer. A suggestion from her can easily be ignored or stolen. This can be avoided by using number 10 of survival tips for women in tech from Patricia Aas.

What really baffled me, was that lot of these tips also can be used by people of colour. As a man of colour I have to invest a considerable amount of time in finding and talking with allies. To get things tested.

In the Netherlands the campaign #NietGenoeg was started to get more women in tech.

Jez Humble tweeted about diversity in a refreshing way. You can only make good programs with empathy at the core.
“Empathy is _hard_. It means listening openly and deeply to people with very different perspectives, accepting the truth of those perspectives, questioning and changing your deepest assumptions about the world, and changing your behavior.”

Being Sidetracked – Part 5

Just a few sections to end this blog post serie.

Just store it somewhere safe

Now I had a few productive days. I could easily do Test Driven Development with the help of the junior DevOps engineer. But I left out one important step in the development: the use of the version control system.

Looking at the numbers I think that Windows 10 is better than Windows 8.

One of the advantages of version numbers is that I know which platform the user used. And which version I have to use to pinpoint a problem in production. Versions are great for code.

Writing code is like making a story for a movie. If I made an error, then I reverted the change using Undo. Most of the time several people are involved for making the same movie story. There are a lot of people willing to pay 8 $ for a good movie. Coming soon to this cinema

Let’s take an imaginary superhero movie. Pete knows a lot of action scenes. After a while he describes a scene to the other crew members:
“And then she flies in the air.”
“Sorry Pete, but Lightning Buzzword Angel cannot fly.”

“But she is called Angel and angels can fly.”
“You’ve got a point, Pete. But not every woman called Angel can fly.”
“So I have to rewrite the whole scene.””
“Sorry dude.”
“It took me weeks to figure out this scene.”
“It is great, but we have to stick to the character.”

“So you just have to start from version 0.3 of the Supermarket Fight Scene.”
“But I also changed the First Car Ride Scene and the Milkshake Scene because of the bruises made by Oval Owl.”
“Wait, you say bruises.”
“Yep.”
“But then I have to rewrite my scene.” Amy remarks.
“And I the Milkshake Scene.”, another writer joins in.

Making a story for a movie is like writing code. If a programmer or DevOps engineer changes a method or function, then this can have severe consequences for the code. The trick to detect faulty code as early as possible. There’s absolutely nothing wrong with that.

Using Test Driven Development or TDD in a proper way a DevOps engineer knows that the added code is right.
Using a version control system she or he can merge the added code with the code in the repository. The result of all unit tests for this file is an early indicator for the quality.
Then the integration tests would be added, merged, and executed.

Now comes the most interesting part. If a release was made in this particular company, all unit tests and integration tests for the whole code were executed. All the tests from previous TDD or Red Green Refactor cycles were reused again. Of course some tests would fail, but the DevOps engineer would set things right. This could be the code or the test or both. And yes, this could lead to refactoring or restructuring code with an eye for maintenance.

After a few days of TDD a new file could be checked and processed in case of positive checks.

Just me and the code

During the coding the DevOps engineer mentioned the Boy Scout’s Rule. Now we were not exactly hiking. Not especially with a flatscreen attached to a laptop. The rule basically states that I should leave the place cleaner than when I came. If I found some rubbish, then I would have to put it into a bin.

In case of software it is all about refactoring and adding missing tests. And that was the case. Missing tests could be considered as technical debt. Yes, tests are technical.

There were still some unit tests missing for other input files. And then old patterns emerged again. I started to write Gherkin files and the DevOps engineer was making them operational. After a few days he started to work on a high prio task and I was still fabricating unplugged unit tests. Then I had to turn my attention to a high prio work item. I put all the unit tests in the version control system and almost forgot them.

Just plug and test

“This takes a few weeks.”
This was the initial thought from my scrum master after the request to plug in the remaining unit tests.

Okay, rhyme after me:
I was high
on supply.

There was one simple way to change his view. I put in the whole file with unit tests and the tests were not executable. So I cut a few times until I had only one simple test left over. It was still not usable.

I needed a default input file. My scrum master agreed:
“It takes some time, but it is worthwhile.”
I slowly assembled a file over a few thousands bytes character by character using an ASCII editor. This took a big chunk of one business day. Then I could code to run my first unit test. And I got a successful test, Green.

I slowly added the other unit tests. I was quite pleased with myself until I had a failing test. Red. This must have been a programming error. I checked the knowledge management system. I was right. Next result of the same test was again Red. Of course, because I did not change it a bit. Pun intended.

I slowed down to a crawl. According to the knowledge management I was right. This time I checked the value character by character. Hmm, time for a chat with the Product Owner.

He listened to my story and told me, that my test was right. So I updated the Knowledge Management System. At last a succeeding test. Green.

This happened a few more times.

That’s it?

This serie described my experiences with Test Driven Development or TDD. For me it was often difficult to stick to Red Green Refactor.  I made a lot of errors on my way. These things can happen. Even for experienced testers there are a lot of chances of being sidetracked.

Being Sidetracked – Part 4

Some readers might have noticed that Gherkin is used for unit tests. And this might be strange or unsettling. For me it was normal. In this company the DevOps engineers worked that way. It worked, so as a tester I had to put in more effort to find bugs. Sure no problem.

Me programming

My first action was to write a test to check a business rule for a valid observation date. While I was typing, the Integrated Development Environment aka IDE suggested several options like a search engine like Google. But observation date was not known. So this sentence was highlighted in red. Syntax highlighting is also handy in programming. I don’t mind that at all.

With the help of the DevOps engineer I wrote code in Java, so the IDE could use observation date in Gherkin. The code could be executed, but the test failed. Hey that was bad.

“Now I write the code.” was my next thought.
Of course there was no code, so the test should fail. Definitely Red.
This would be fun.

I had to program in Java and I remembered that the junior DevOps engineer had some useful shortcuts. I looked in the IDE and found the option in a sub menu to add a method. I gave it a name and – yes – I got an empty method in the right class. Now I had to fill in the blanks.

Me writing Gherkin

Months earlier I had written several Gherkin unit tests in the knowledge management system. There were two things wrong with this approach. The tests were not used, so I was high on supply. In plain English I had made something which was not used. On a scale of time it was a waste of time.

The other thing was that it had a web interface. The syntax highlighting did not work. I could make things bold and indent texts, but that slowed me down too much.
The result, the code, was not easily readable.

The dates were in the following format DDMMYYYY. This is programmer s’ language for Day in 2 numbers, followed by Month in 2 numbers, and finished with Year in 4 numbers.
So April 1st 2001 would be written down like 01042001. 01 is the first day of month number 04, which is April. 2001 is of course the year. It is easy to pick good dates like

  • 01042001 (first day of the month),
  • 31032013 (last day of the month), and
  • 29022000 (leap day).

I picked some wrong dates on more rational grounds:

  • 07142011 (for the Americans July 14th 2011),
  • 20132007 (20th day of the 13th month), and
  • 1jan1998 (January 1st 1998 in a hydrated date format.).

After writing date tests for one date field I noticed a pattern. I would check on all these dates again for other dates like expiration date. I thought I was smart. I just copied all the observation date tests and replaced ‘observation date’ by ‘expiration date’. I even copied the tests to a special text file, so I could save time. But I was wrong!
Please read on.

Me at the keyboard again

So I was programming unit tests and on my side was a junior DevOps engineer assisting me. I could finally write a test in Gherkin. In a separate window I opened the knowledge management system. I picked the first right date 01042001.
“Why do you pick this date?”, my personal DevOps engineer informed.
“I want to be sure that the right date is accepted.”
A nod followed by:
“We use Joda-time for that.”

I heard: “Yoda time”
It was not possible for me to link a lightsaber wielding big pointed eared green creature with programming.
“Joda-Time checks on valid dates, so you do not have to test them.”
Java 7 was not safe enough for dates and some programmers made Joda-Time. That saved me a lot of time.

So I only had to test on the wrong dates. Easy. I added tests, which succeeded. Green.

There was a `but` coming up.
“You can skip that date.”, while the DevOps engineer referred to ‘1jan1998’.
“Characters are not allowed in the date. ”

The next morning the DevOps engineer showed me a neat table:

Given the file has observation date <date>
When the file is read
Then the file will not be processed


Examples:
| date     |
| 07142011 |
| 20132007 |

He had improved the test code considerably. Refactor. I forgot to use DRY, Don’t Repeat Yourself.

My scrum master said that it was important to know how to program. This way I could structure my tests in a good way.
But the worst was still to come.

To be continued.

Being Sidetracked – Part 3

“At the moment I am writing a serie of blog posts about Test Driven Development.”
I looked to the recruiter. “You can understand it.”
I moved my view to the manager: “You can also understand it.”

Sticky note: let’s stick to the DevOps engineer.

Vegetable As a Service

The DevOps engineer wrote the unit test in Gherkin. The main advantage is that this language is easy to read. Have a try.
Given the version number is 15
When the file is read
Then the file will be processed

It is also easy to write. This example is in English, but it is also possible to use plain Dutch.
Gegeven een versienummer is 15
Als de file wordt gelezen
Dan wordt de file verwerkt

This is easy for people in Dutch companies. Nothing is lost in translation. It is easy to digest. No mindreading skills are needed.
The tool Cucumber provides a way to translate these sentences to a programming language like Java. A programmer has to code, how the sentences are translated.

When this little story is used by the computer, Java is used to execute this test. Yes, it is time for another cup of coffee. Which is the symbol of this language.

There are of course some people, who want to add some details to it. And yes, this is necessary.
Feature:
As an administrator I only want to process the right file list_20180525.txt, so that marketing managers can still process the data and generate reliable reports.

Background: file A

Scenario: 15 right version number
Given file A has version number 15
When file A is read
Then the file will be processed

Scenario: 16 wrong version number
Given file A has version number 16
When file A is read
Then the file will not be processed

All the text is put in 1 file, so all tests are nicely organised. A very important detail is, that file A is a complete valid file. This takes some time and some byte shuffling, but it is worthwhile.
So after 2 cycles of Red Green Refactor two scenarios were added in a feature file. These scenarios could be executed individually or in a group.

Then the cycle continued. The latest test was used frequently to assure, that the code was modified in the right way. The previous tests were used to assure, that the quality was the same. This led to a massive set of tests.

What’s next?

The DevOps engineer looked for the next feature to program. I saw an impressive table of valid values and validation rules.
“Do we have to test all this?”
“No”, he answered.
I could not believe my ears. There were so many places where things could go wrong.
“We will only test things, which can cause problems in our software. [The postman] will check the data.”

I visualised the data flow in my mind. There was a sender, which gave a file to the postman. This program would check every byte of the file. After a successful check the postman would deliver the
file to the receiver or the program under development. In the past I heard, that sometimes some things were not properly checked by the postman. With the speed of computers today extra checks can be done very fast.

The DevOps engineer continued:
“If data can cause problems in the software, these are checked.”
Version number is a good one. And of course begin date and end date of a period are also important.

Another cycle to start

This looked so easy.
It was like the junior DevOps engineer had some mindreading skills.
“Now you try.”
I was silent for a moment.
I repositioned myself after the keyboard and the mouse.
Pair programming. The real stuff.

Okay, let me start.

Read mindfultester[dot]com
My answer in a job interview

To be continued

Being Sidetracked – Part 2

A few weeks ago I told my wife about the picture for this blog post serie. “There is a red light. And a green light. The rest of the picture is fuzzy.” It was about “Red Green Refactor”.

“You should [tidy up with known product name] the picture.”, she suggested.
I liked the fuzziness. This was about Refactor.

Second cycle

We had just finished the first cycle.
The DevOps engineer wrote another test. Ready for the next modification.
O yeah. Test Driven Development.

Let me sanitise me this example. This means so much like “all confidential information is changed”. On purpose. Everybody happy?

A file can only be processed, if the version number is 15, 20, or 31. After the first cycle every version number was accepted. The first test was:
“Is 15 the right version number?”
“Yes”
But this would lead to some bad side effects:
“Is 16 the right version number?”
“Yes”
Or worse:
“Would you please bring me a cup of coffee?”
“Yes”
What about
“Would you please transfer 1 Million Euro to my bank account?”
[Upset face]
[Whispering] “You are supposed to say: “Yes”.”.

Okay, back to the real example.
The first test was to determine whether 15 was a right version number.
The DevOps engineer added a second test to determine whether 16 was a wrong version number. He performed the last test and 16 was a right version number. This was wrong: a failing test. Red.

The DevOps looked at the invalid value and added a single condition to the code. If the version number is equal to 15, then return “Yes”. Otherwise return “No”. The second test was executed again: this time 16 was a wrong version number. This was right: a succeeding test. Green.

The code was very simple, so no refactoring was necessary. Refactor.

Then the DevOps engineer executed all or both tests and they were both correct. The second cycle was over.

While blogging, I realized old patterns of thinking were still present in my head. Let me answer a few questions.
Question 1: This code is so simple. Why do you need to write all the tests?
Answer 1: During every step the DevOps engineer can use the written tests to determine, whether the code is still good. This is especially handy for complex code. Failed unit tests can point to where things go wrong.

Question 2: why did the DevOps engineer not add a second test for valid version number 20 or 31?
Answer 2: it would not lead to failing test. In other words the code would not have to be modified because of this test. At that particular moment he would have written a redundant test. That is a waste of time.

Question 3: Do all these tests take a lot of time to execute?
Answer 3: No. The tests are unit tests and fast enough to execute. The hardware has been improved considerably, so these tests are executed within a fraction of second.

Question 4: Would you please continue?
Answer 4: Sure. No problem.

In the previous blog post I wrote about my disability to speak Chinese. That is quite confusing, because I look like a Chinese and not like a Dutchman.
Small recap with the restaurant in China:
“Do you speak English?”
“Yes.”
[Half hour later]
“I would like to order dinner.”
[Blank face] (Red)
“Did you understand me?”
“No.”
[I opened the menu.]
[Waitress approaches me.] (Green)
[I just ordered the dishes using my fingers and the menu.] (Refactor)

What I actually did, was trying to find other ways to order dishes. I could have written down my order, but the waitress could follow my hands. So no refactoring was needed.
No is unpleasant answer, but a lot of frustration was avoided. At least I understood, why hand sign language for numbers was included in the pocket book for frequently used phrases in Chinese.

To be continued.

Being Sidetracked – Part 1

Every story has an expiry date.

So I have to hurry up.

While the junior DevOps engineer was programming aloud, I paid attention to all the steps he took. He used Test Driven Development. It is a cycle of Red, Green, and Refactor.

A small recap: he first made a tiny test, which failed. Red is a favourite colour for failing. Then he made code to let this failing test succeed. Green is that other favourite colour for DevOps, testers, and especially managers.

Then he refactored the code. The code became more maintainable and readable. Even for a tester not fluent in Java.

The first test was to check, whether a business rule failed. He wrote only code to let the test succeed.
Before I could think, the method was ready. It had only one return statement with 1 fixed value.

But this would only be the case for very specific situations. I showed my disbelief and he answered that the code had to pass the new test. Right, you are right.

This was a strange situation for me as a tester with a traditional background. Tests should be executed after the implementation and not before. Somehow my brain had pushed the theory about TDD aside. It felt so unnatural to me that I unconsciously switched back to Program First Test Next.

Anyways, the DevOps had a quick look to the code. I did not think that this could be refactored. One line single statement cannot be refactored.
Yes right again. The first cycle was finished. Red Green Refactor.

A return value from a method is like an answer from a human being. What the DevOps basically asked, was: “Is this value right?”
And the method would always answer with “Yes.”

This was strange to me. Now I realised, that this was the most minimal addition to the program.
Without a method the code would have be repeated multiple times and maintained at the same number of places. A recipe for disaster.

Aw I forgot to look in the right low box in the left corner in the room under the stairs.

Now programmers have a small heuristic for this one:
DRY. Don’t Repeat Yourself.

The fact that the answer was always “Yes”, bothered me. While blogging I remembered asking a restaurant in China, whether they could speak English. The answer was “Yes.” My wife and I were delighted until I ordered. O no.

To be continued

May 2018 Testing

For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018.

For the people who are only concerned about money. It can cost your company 4% of the global annual income of your company or 20 million Euros. That is seriously a lot of money.
Thanks for your attention.

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR.
Thanks for joining in advance.

Just show it to me

Suppose you have a cinema and a special web site. You can order tickets, drinks, and snacks in advance. This is a unique selling point.

A marketeer has a nice idea:
“Let’s make some profiles. We’ve got lot of sales numbers, so boost those numbers.”
“What do you have a mind?”
“We just tag customers: B movie, Friday night, first week, ..”
“First week?”
“Like ‘I want to see the movie in the first week after release.'”

If I would go to  this specific cinema, all my actions are recorded.
Big Buyer is being watched too. This sounds creepy. This is my alarm bell as a tester.

My simple question is:
Is profiling allowed?
More accurately, is profiling of European citizens allowed for this cinema web site according to General Data Protection Regulation?

What makes someone a European citizen?

sketchnote with cradle, parents passport and database

Obvious candidates are:  parents, place of birth, passports.  I just stick to Citizenship Administration. I found this one while doodling in my head.

Let me give you a royal example. The Dutch queen has the Dutch nationality, but had Argentine parents and was born in Argentina.

Let me show some graphs:

  • European Union
  • People with no nationality
  • People with 1 nationality
  • People with 2 nationalities

I could make these 2D graphs:

One chart of part of Europe and three coloured graphs about number of nationalities

I could try to stack them and squeeze them afterwards:

One more try:

3D graph made of a chart of a piece of Europe and pieces of sticky notes depicting the number of nationalities

So the best way to define an European citizen is that she or he is registered as an EU citizen in a Citizenship Administration in the EU. Now comes the difficult part: as a web site owner I have no access to this administration. Well. That is a good one.

How can I determine whether an European citizen is in my database?
In most cases I don’t. Because nationality or EU citizenship is not always registered.

“Is an address not sufficient?”
“What about An American in Paris?”
“Okay, email address.”
“What about american@home-in.nl or william-to-be-married@my-awesome-wedding.com?”
“The nationality is registered.”
“Good. What about EU citizens with two nationalities? ”

Looking at the context: if no nationality or EU citizenship has been registered, then I would suggest to look at GDPR. Otherwise definitely use it.

But this is a premature advice. This is a warning. Please read on.

Finding GDPR

If there is one thing I hate about learning, it is memorising information for the sole purpose of memory. I like to have some fun in a good sense of humour.

Here’s where deliberate practice comes in.
Determine a strange situation and look it up.

On my search for the official GDPR document I quickly determined that my target was:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Yes, it takes some time to read it.
And a natural person is human being. Like you and me.

I am well aware that English is not everyone’s native language. Now the EU has this little nice webpage with links to GDPR in your favourite language. Hopefully.
No Chinese, but maybe French?

Profiling and data subjects

Profiling can take place after informing the data subject, who has agreed to these terms for data processing. [GDPR 32, 42]
That is a lot of info.

Let’s go a step back to nationality. I warned you for this.
I am not familiar with the American laws. Remember I am not a legal expert.
Suppose profiling of natural persons is legal according to the American law. For example ‘s sake.

Take a case of an American woman who starts buying action movie tickets. My guess is that her new boyfriend is lucky. Piece of case.

It is very easy to make a profile of her boyfriend. Now this lucky guy happens to be British. And has some royal blood. It rhymes on What?!.

There is still no problem, because it cannot be traced back to some palace. Unless I would couple the data with the email address of a fortunate American actress. Oops intended.

Chain of Gift

The American woman is a data subject. All kind of data is collected, but there is an unpleasant side effect: her boyfriend or fiancee also ended up as a data subject. I doubt whether he would have given any permission. No thank you.

Actrice gives something to a prince.

The Chain of Gift leads to interesting doodles. In orange is the American woman and in blue an European Citizen wearing something called a crown.

Quick explanation for the colours: the European flag is a blue flag with yellow stars. So the EU citizen is blue. For the American woman the colours white and red remain. Somehow these are not appropriate. So I chose orange.

So there is a difference between buyer and user. A man can buy movie tickets and give them to his children. ‘Finding Marlin’ and ‘Monsters Unlimited’ seem quite innocent pieces of data to share.

Dad gives movie tickets to children.

Is it possible to determine the birthdays of the children just based on his cinema visits?
Not based on the movie titles. There is a better chance looking at the number of bought children tickets.

“When are we going to the cinema with my friends?”
“What do you think?”
“On my birthday?”
“Good girl.”
[Big smile]

Birhday party

Another interesting case: a man who buys gifts for his  grandchildren. Depending on the gifts I could guess gender, age, and hobbies. If those grandchildren live in the EU, you might have a major problem.

Man gives gift to daughter, who gives it to her children.

With a low number of children per family it is relatively easy to make a family tree.
I can guess that princess cookies are for 5 year old grand granddaughter and that superhero suit with XS size is for …
You get my points.

My best guess is to make a GDPR compliant approach for my whole customer base. There is no way to determine which European people you are profiling.

Permission granted
Scenario 1
Suppose I am in the living room and one of my kids tries to sneak out of the room. I look in the right direction and get eye contact. The door is opened and closed.

A few days later a man is at my front door with a box of 20 tablets. You know those fancy computer things.
The name of my kid is on the box. O oo O.

Scenario 2
Suppose I am in the living room and one of my kids tries to sneak out of the room. I ask:
“What are you up to?”
“I gonna hack. You don’t mind?”
“Yes, but”
The door is opened and closed.

A few days later a man is at my front door with a box of 20 tablets. The name of my kid is on the box.
“Where can I place the other 500 boxes in my truck?”

Scenario 3
Suppose I am in the living room and one of my kids tries to sneak out of the room. I ask:
“What are you up to?”
“Just read this legal document and you will be just fine.”
“It has more than 10 pages.”
“Can I go now?”
“Okay.”
The door is opened and closed.

A few days later a man is at my front door with a box of tablets. The name of my kid is on the box.
“There are three extra trucks coming with tablets. Where can we unload the four trucks?”

Let me finish the three scenarios at the same time.

A box, one truck and a group of 4 trucks on the way to a finish

“Excuse me, I have to call someone.
Would you please wait outside?”
I close the door and the mobile phone is in my left hand instantly. My kid picks up the phone right away.
“A package arrived for you.”
“The tablet arrived?”
“You can better say: ‘Tablets.’”
“Huh, those are the most expensive tablets on the world. They cost a fortune.”
“That’s why I am calling you. How can you afford these things?”

“You know dad, I needed some purpose in a life.”
“Yes?”
“So I learned to hack.”
“O no.”
“It’s worse.”
“Huh?”
“Legal hackers don’t get paid much. I had my eyes on this tablet. So I said: ‘You pay me in Those Tablets.’
If I got one extra, I could always give it to my Best Friend.”
You’ve got a friend in me.

Websites sometimes are like kids. Scenario 1 would look like:
A window where no permission is asked but just taken
No permission is asked, just taken.

Scenario 2 would lead to the following picture:
A window with a default permission for profiling
A very fast designer filled in a preference.

Scenario 3:
A window with unreadable text with a request to accept these conditions
O yeah. The legal stuff one.
At least the checkbox for the conditions has not been filled. But I cannot install the program, unless I agree with them. Hmm.

GDPR forbids all these three options. They lack the support for the user who wants to protect her or his privacy. Website 1 must use transparency, website 2 a default for no profiling. And finally website 3 must use concise and plain language. [GDPR 32]

Thanks for jumping in

For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018. Déjà vu.

There might be readers in my audience who had another association with May 2018. I know that Harry is a major export product for the UK. And I am not writing about the scarred man who has been featured in a lot of books, movies and a theme park.

Some people are more interested in an upcoming royal wedding of Harry. That might have some impact on your online Harry product web shop. For the people interested in performance tests here are some nice blog posts about performance test and Q&A. From yours Mindfully.

Some research notes

A lot of you who are reading this can still follow me. What you actually missed, is my nonlinear search. For the answer on my question: Is profiling of an EU citizen allowed according to GDPR?

The first thing I did was to download all relevant legislation. With a search engine a legal document could easily be found. Then my inner critic voiced his concerns: where are you basing this blog post on?

What I needed, were traceable sources for my research. The more EU the better. Again I am not writing about politics.
I found some links to some non EU websites. But my main target was the GDPR on an official EU website. This took me some browsing. At last I downloaded the wanted document and saw no differences with the other document on first sight.

I took no risk and started to use the official document as main source for this blog post. There was one big but. BUT the document was a pdf. This format is widely supported by all kinds of apps, but not search friendly. A search takes a while on my smartphone.

I converted the document to epub. Now I had a significant win in time. There was no more interruption in my flow of thoughts.

Let them flow.
[On the melody of Let it go.]

So I sought on the word child and hit my next obstacle: the word article. Now are articles quite common in laws, but to my dismay I had not encountered this word before.

I did another search: article. My references to this document were obviously wrong. So I was referring to numbers between parentheses. I switched back to the pdf document to find exact starting point of the first article. It was roughly at the same spot: 38.6 % of the document. Apparently I was referring to some notes in the introduction. And that is not a problem. I think.

Kids, definitions and laws

Of course there are some exceptions. And exceptions on exceptions. This is a great playground for testers. For sure. For ever.
Because people tend to change their minds. This is my most political statement BTW.

Writing about kids reminds me about the definitions debates which pop up every now and then.
“Children have special protection.”
“What do you mean?”
“You need the permission or consent of the people who take care of the child.” [GDPR 38, article 8]

“And the exceptions are…”
“services for prevention and counseling. In these cases you need consent of the child after asking it in a way easily understandable for child. It is not about child proof but about child friendly.”
“What is a child according to GDPR?”
“A person who is not older than 16 years.” [GDPR Article 8]
“No exception?”
“Of course. Glad you asked. Some national laws can set the limit on 13 years.” [GDPR Article 8]

The first time I read about laws. I thought about stacking them like this.

national privacy law stacked on GDPR

A few weeks later I came up with this.

A pyramid with the following layers from the bottom up; Human rights, GDPR, National privacy law, Region law, and Place law

Yes, another test pyramid.
Why? Because the lower the law, the bigger the impact of the law.
And this model is dead wrong.
Small reminder: it is my model, which is wrong.
Next is my proof.

Let me focus on two layers of this pyramid: GDPR and a national privacy law. If I am a judge judging about a privacy case in Belgium, this is my route: GDPR, Belgian privacy law.
Sign with GDPR pointing pointing to sign with Belgian Privcay Law

Time to add some complexity. You know exception on exception. I have to judge a person with two nationalities.

Sign with GDPR pointing to signs with Belgian Privcay Law and Spanish privacy lawas pointing in the same direction

This is my route: GDPR, Belgian privacy law. and Spanish Privacy law.
I am really lucky. Both laws lead to the same judgement.
Now people will say:
“Hey. I can still use the pyramid?”
“I can make it a camel case”
[Pun intended]
GDPR block with two smalls blocks on top: Belgian privacy law and Spanish Privacy Law

“What about this?”
Sign with GDPR pointing to signs with Belgian Privcay Law and Spanish privacy lawas pointing in the different directions

Summarised: the test pyramid uses impact instead of direction, which is rather complicating things.

Finders fixers

The one, who finds a problem, solves it. This is common practice in my DevOps team. I made a model for testing purposes and found a fault in it, so I have to correct it. Fair enough.

When I was looking for the best law to apply, I thought about the strongest law. Something with the most articles and most severe penalties.

I looked on the internet and found a page in Wikipedia about Conflict of laws. My children are quite sceptical about Wikipedia. “My teacher told me that you cannot trust Wikipedia, because everyone can edit the page.”

A flag, a house, and an arrow pointing to a big dot

Anyways, the following laws seem proper candidates: the law of the country where you live or the law of one of the nationalities or the proper law.
So my mental picture of the signs is the right one. Sign intended.

Writing about signs. I could make a model like this:

A sign which points to 2 signs, which in turn point to 2 signgs
But this model is also too simple. The Benelux, a union of 3 countries, is more complex than this model. The Netherlands is part of the Benelux and has 12 regions. It is difficult to show this in a 2D figure.

A few sticky notes, which hold smaller sticky notes, which in turn hold smaller sticky notes.

But frankly this is even for me confusing. So I rebuilt this 3D by using sticky notes with blue lines:

Sticky notes with 3 blue vertical lines on them

Then I put a sticky note with curly red lines to one sticky:

Sticky notes with verticla blue lines and one has a ticky note with red curly lines.

An then I connect some very small sticky notes with a single orange lines to the last attaches sticky note:

Sticky notes with verticla blue lines and one has a ticky note with red curly lines, which have sticky notes on it with orange line

This model gives me a more appropiate way to handle the laws.

Also on Wikipedia there is a page which described how to determine the right law.  There is basically a set of rules which a judge must follow.

And yes, I do mind the warnings of my kids and their teachers. Kids are like websites: sometimes I cannot ignore them.

If your company is GDPR compliant, then there is no time to rest. You still have to browse through the national laws. [GDPR 8]

This might sound complicated. Let’s take a huge example: the United States of America. If you live in Florida, you have to stick to the laws which are used for all states and the Florida State Law.

What now?

So have a chat about GDPR with the people from the legal department. They can become your best friends in the coming months. And beyond.

To boldly go where no techie has gone before.

January Testing

Somehow I ended up with this test term or test type. Actually is a subset of boundary value analysis. But I got your attention.

That’s my right

It was the second day of the year 2018. I was about to place a new post on my web site. I just knew something was wrong.

I went to the web site lay out. It took me a few clicks to open the footer. Then I changed the text to
“2014 – 2018. Mindful Tester. All rights reserved.”

Now I could add my post.

It is my right
for which I fight

That’s my audit input

The same week.
For the audit I ran a query in the defect registration system. The number of items on the list was startling low: 0. My query was wrong. That bugged me. Last year it gave the right results. Actually a few weeks earlier.

I had a look to the query and noticed:
StartOfYear()
I don’t know all the commands, but I could make a good guess.
This year started at January 1st 2018. I was one year off.
The report was about 2017 and not about 2018.

A few hours later I had to go to my boss. He still used the same old query. It was easily explained.

It is not the query
I marry

A test idea approach

Let me generate some test ideas:

  • Is there a checklist for things to be updated in the new year?
  • If yes, so when is it updated?
  • Are queries based on fixed dates instead of relative dates?
  • Are there changes in laws which I have to pay attention to?

Still wondering about the pic with door?

Janua is the Latin word for door.

What about May 2018 testing? Excuse me GDPR testing.
Do you know what the effects of the General Data Protection Regulation are? An European customer has the right to be forgotten. But what about payments?