There’s a new-ish law in Denmark and the rest of the EU: GDPR (the General Data Protection Regulation). It sets requirements for how companies must protect and process personal data.
Among other things, companies have to formally describe how they will handle personal data before they start working with it. They must then also be able to show that they actually follow those processes in practice.
Some companies take it very seriously. Maybe a little too seriously. That led to some rather interesting rules in a project where I worked with personal data – as testers often do.
Our test customers were copies of production data. That means I worked with real people’s very real social security numbers.
One day, one of my team members wanted me to go through a flow with a specific customer. The problem was that we didn’t know how I could get the customer’s social security number from her.
She wasn’t allowed to send me the number over email.
She couldn’t print it or write it down, since papers with personal information weren’t allowed on our desks. I wouldn’t have been able to store the piece of paper anywhere either, because as a consultant I wasn’t allowed to have a cabinet or any other kind of furniture.
She couldn’t say it out loud since we were sitting in an open office.
We ended up with a very elegant solution.
She sent me the numbers in an encrypted Excel file. She then proceeded to mime the encryption key to me (and to the rest of the project group sitting within sight).
From this experience I learned that it takes a long time to decode mimed passwords that are made up of random letters and numbers.
I also learned that holding up one finger can mean a lot of other things than simply the number “1”.