GDPR regulations and ALM
Hello, any ideas or suggestions about how to deal with the new GDPR regulations in ALM? Do you have any experience with that already? Are there any official statements or solutions from Micro Focus? Any responses are really appreciated! Thanks!
Could someone provide background on these GDPR regulations and their impact on our latest version of the ALM application?
What all needs to be done on our existing ALM system to make it GDPR compliant?
What all requirements need to be considered in order to validate whether our ALM functionalities are working in accordance with GDPR regulations?
Actually that's not a topic which allows simple answers...
Some thoughts - please understand I am not a lawyer and will simplify. Please contact a lawyer / GDPR consultant if you need the details:
GDPR is relevant for (nearly) any organization in the world which works with personal data of citizens of the European Union. It's not relevant if your data center is in the EU or not, if your legal entity is in the EU or not.
From my personal perspective "GDPR Compliance" is not something any standard software can have by default. Simple example: Any ALM tool allows users to attach files or add data in comments, custom fields etc. If your users attach personal data in Excel sheets or put personal data in comment fields they might cause issues. Or they pull data from your ALM system, put that on a USB stick and lose the stick... not trivial to block these cases with technology.
It's important to have the right tools and processes in place - and educate the users.
I've discussed with various customers whether their ALM systems are relevant for GDPR - and got very different responses: Some organizations try to avoid any personal data in ALM; users are e.g. trained not to attach screenshots with customer data, attach logfiles with critical data etc. Some of them consider ALM not relevant for GDPR.
Other organizations discuss if e.g. the personal information of the ALM users might be relevant for GDPR - does "right to be forgotten" perhaps also mean we must remove the name of the tester from a defect? Do we perhaps need their consent? Or do we perhaps store real customer names / contact information for defects reported by end users? We might consider all the other GDPR topics like consent management, breach notification etc.
Did you verify with your DPOs whether ALM is relevant for GDPR? What kind of personal information do you store & manage in ALM?
Please also have a look at the GDPR Content Pack for the "classic" ALM/QC and ALM Octane at https://marketplace.microfocus.com/appdelivery/content/gdpr-content-pack
You can use the GDPR Content Pack - free of charge! - to import the GDPR into ALM and Octane in any of the 24 languages - and then manage your GDPR projects in ALM. This is very useful since ALM - as you all know - can be used by large organizations, has different roles, automatically creates audit trails, allows reporting, has dashboards. Please have a look at the attached User Guide (also available via the link above).
Thanks a lot for the explanation & information provided!
Executed the "Import Tool - Micro Focus GDPR Content Pack 2018-05-03.xlsm" tool on a new, empty ALM project.
Below are the updates made on the new ALM project by the GDPR Import tool.
The same updates have been identified in the generated "GDPR Import" log.
Please let me know if I have missed any of the steps.
1. Created list '_GDPR_Products'
2. Created requirement field having database column name 'RQ_USER_01' & field label 'GDPR Products'.
3. Created requirement type 'GDPR'
4. Created test field 'GDPR Products' associated with lookup list '_GDPR_Products'.
5. Set icon for requirement type 'GDPR'
6. Created 1062 Requirements and performed requirement traceability.
7. Created 35 Test Plan folders.
8. Created 19 Test Scripts and established requirement coverage.
9. Created 6 Releases
1. In the "Import Tool - Micro Focus GDPR Content Pack 2018-05-03.xlsm" Excel document, what is the purpose of the column names present in worksheets like "Quality", "Tests", "Products" etc.?
Is there a mapping document to understand the association between column names and their respective ALM field labels?
2. Will this tool work in the same way for projects that already have some other Releases, REQ, Test Script data?
For example: If there are existing ALM projects with some other Releases, REQs, Test Scripts data,
in those projects, can we import GDPR related Releases, Requirements, Test Scripts and establish requirement traceability & test to requirement coverage using the current tool?
3. How to use the GDPR Requirements and Test Scripts that are created using the Import tool to manage existing ALM projects & to make them GDPR compliant?
As of now, I could only understand that with this provided GDPR tool we can create the GDPR requirements and test cases along with their test coverage and requirement traceability;
I want to understand the next steps that we need to perform for Product GDPR change implementation.
4. Could you please explain more about HP ALM - GDPR related reports that need to be in place to ensure audit compliance & change progress for GDPR implementation?
5. Are we importing any data from the "USERS" worksheet? What's the recommendation provided out of this USERS worksheet data?
Since this thread is more related to a general GDPR question I've started a new thread to discuss topics around the GDPR Content Pack: GDPR Content Pack - Questions and Answers. I've answered some of your more technical questions there - I hope this is ok for you?
Regarding GDPR compliance for ALM: It is very important to understand which personal information your users store & manage in their ALM projects - and discuss with your Data Privacy Officers (DPO), legal or compliance departments how you should implement GDPR based on that information. The GDPR Content Pack supports this since it is much easier to analyze and document your findings and decisions in ALM than for example in Excel: You can use ALM or Octane as your "Single source of truth for GDPR" - but you still need experts to guide your path to GDPR compliance.
And please understand GDPR compliance is not something which is forever like "Y2K compliance" 18 years ago: You need to verify your organization - including ALM, any other system, processes, people - stays compliant: Users might start storing different data in ALM, use the data for new purposes - and the legal interpretation / guidance on how GDPR should be implemented might change over time as well. Again this is much easier to manage in ALM or Octane than in Excel.
Thanks, Derik, for providing your valuable inputs!
Could you please provide information on GDPR related dashboard reports and their purpose?