GDPR – the Forgotten Tests – Test 2

Black box testing is quite popular: the tester only has to focus on the functions of the system. There is no need to know about things like programming and other techy things.

“But the box in the picture is not completely black.”
“That is a good observation, because it is part of a black box.

Time for a legal break. After the break a pen test.

Disclaimer

I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.

I am just a tester finding test ideas about GDPR. Thanks for joining in advance.

The following story has been sanitised by me. Important details have been changed.

Pen test

My wife had bought a gift and she had also found a better gift. So she gave the second gift. And I had the pleasure to return the first gift to the shop. No problem dear.

I went into the shop straight to the counter. After a few sentences I came to my point.
“I want to get my money back.”,
while showing the first gift and the receipt.

The 2 young men went into action. There was a lot of pressing of keys and a new receipt was shown.
“Would you please sign this receipt?”

This was a standard computer generated receipt without a signature field. And I had to leave my signature here. I signed.

I remembered to explore.
“Why do I need to sign this?”
“This way my manager can control, that a customer is returning an article. And not we.”

I ran a quick scenario of returning articles in my head. This sounded reasonable.

But I was still hesitant to leave my signature in the hands of two young men.
“How long will my signature be saved?”
This question led to puzzled faces.

I scribbled the question on a piece of paper. It would be great to have a written answer, so I left my email address.

Then I got my money back and returned 1 week later.

The young man behind the counter recognised me. He went to a pole and pulled my paper with email address off. This was bad.

He dutifully repeated the story about the signature of a customer actually returning an article. The signature would be saved for 1 month. That was fine.

On my way home I was not convinced about the privacy. I had witnessed a breach of my personal data.

Breakdown

In this breakdown I will point to several articles of General Data Protection Regulation or GDPR.

The penalties can be quite big. Let me quote the worst cases
’20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’ [Article 83 5].

Let me review the most important steps during my visits again. I wanted to return an article and get a refund. Because money is involved, the request for a signature is good [Article 5 1(b)].

The receipt was a bit confusing for me, because there was no clear signature field. I just had to trust what the young men told me [Article 6 1 (f)].

One of the most important things about data is retention period or how long will it be saved. The check of my signature could be executed within a month and then be destroyed. [Article 5 1(e)]

A signature alone is not special. But if I had paid in the online shop, then it is simple to combine my signature with my name and other personal data. This way it is possible for someone else to write letters on behalf of me. It is criminal, but possible.

The note with my email address on a pole was a personal data breach [Article 4 (12)]. It was not intended, but I could get a lot of mails with false promises.

Tips for testing

  • Test the UX or User Experience of the receipt.
    Is it clear to customers that they have to sign a receipt for a refund?
    Can they be specific about any doubts?
  • Ask the people behind the counter, how they explain the refund procedure. Also how they handle personal data like phone numbers and email addresses.
    There are of course managers who will answer the questions flawlessly. Unfortunately they cannot be present in more than 50 shops at the same time all the time.Receipts with signatures should be stored in the same way as money. I did not see how my receipt was stored.

    Small sidestep: after May 25 2018 there were boxes outside shops to collect receipts of customers. If I put a receipt with my name and phone number in the box, then I could be the lucky winner of some fantastic prize. They were cardboard boxes standing on tables.

  • This is an important lesson for myself. If something strange happens, wait to remember it and mention it.

To be continued