Compliance testing verifies that the controls a regulation requires actually work in the running system, not merely that they are configured or documented.
GDPR scenarios:
- Right of access (Art. 15): subject requests their data; system returns a complete copy, within the one-month window.
- Right to erasure (Art. 17): subject requests deletion; system deletes or irreversibly anonymises, including derived copies, indexes and exports, with backups handled per the documented retention policy.
- Lawful basis (Art. 6): every processing activity has a recorded basis; consent is only one of six, and where consent is the basis it is recorded, specific and withdrawable.
- Breach notification (Art. 33): supervisory authority notified within 72 hours of becoming aware; the process is rehearsed, not just written down.
HIPAA scenarios:
- PHI encryption: PHI encrypted at rest and in transit (addressable under the Security Rule, so a risk analysis must justify any exception).
- Audit logging: every PHI access, reads included, logged with who, what and when.
- Authorisation: only approved roles access PHI, and only the minimum necessary for the task.
- Business Associate Agreement in place with every vendor that handles PHI.
PCI scenarios:
- Tokenisation: PAN replaced by a token; any stored PAN rendered unreadable (truncation, keyed hash, strong cryptography); CVV/CVC and full track data never stored after authorisation.
- Encryption: strong cryptography in transit over open networks and at rest.
- Access controls: cardholder data access restricted to need-to-know and logged.
Tests:
- Permission tests: for each role, approved roles can read sensitive data and every other role is denied.
- Audit tests: every access attempt, allowed or denied, produces a log entry; verify by reading the log, not by trusting the setting.
- Encryption tests: inspect what is actually stored (database files, backups, exports, logs) for plaintext, rather than the "encryption enabled" flag.
- Workflow tests: right to erasure works end to end, including derived copies, search indexes, exports and audit identifiers.
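The four test types above, as an added example that is not part of the original notes. It uses a small in-memory store standing in for the system under test (the Store class, the role set and the sample data are all constructed for illustration); the check_* functions are the compliance tests, and each returns True only when the control holds. The PAN check scans the serialised at-rest form rather than the API, which is the difference between "encryption configured" and "encryption validated"; the erasure check covers the derived index and the audit log, not just the primary record.

```python
"""Compliance controls as executable tests (added example, not from the notes).

Assumptions: an in-memory Store stands in for the real system; TOKEN_KEY is a
per-environment secret; the PAN below is a well-known test number, not a real card.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field

TOKEN_KEY = b"demo-key-rotate-me"          # assumption: per-environment secret
ALLOWED_PHI_ROLES = {"clinician", "billing"}
PAN_RE = re.compile(r"\b\d{13,19}\b")     # crude scan for a bare PAN at rest
SAMPLE_PAN = "4111 1111 1111 1111"        # constructed Visa test number


def tokenise_pan(pan: str) -> dict:
    """Keyed hash of the PAN; only the token and the last four digits are kept."""
    digits = pan.replace(" ", "")
    tok = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:24]
    return {"token": "tok_" + tok, "last4": digits[-4:]}


def scan_for_pan(raw: str) -> bool:
    """True if the serialised storage contains anything that looks like a bare PAN."""
    return PAN_RE.search(raw) is not None


@dataclass
class Store:
    records: dict = field(default_factory=dict)   # subject_id -> record
    by_email: dict = field(default_factory=dict)  # derived index, easy to miss on erasure
    audit: list = field(default_factory=list)     # every access attempt, allowed or denied

    def add(self, subject_id, email, pan, diagnosis):
        self.records[subject_id] = {"email": email, "card": tokenise_pan(pan),
                                    "diagnosis": diagnosis}
        self.by_email[email] = subject_id

    def read(self, role, subject_id):
        allowed = role in ALLOWED_PHI_ROLES
        self.audit.append({"role": role, "subject": subject_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(role)
        return self.records[subject_id]

    def erase(self, subject_id):
        rec = self.records.pop(subject_id)
        self.by_email.pop(rec["email"], None)
        for e in self.audit:                 # keep the event, drop the identifier
            if e["subject"] == subject_id:
                e["subject"] = "erased"

    def at_rest(self) -> bytes:
        """What actually lands on disk; tests inspect this, not the API."""
        return json.dumps({"records": self.records, "by_email": self.by_email,
                           "audit": self.audit}).encode()


def seed() -> Store:
    s = Store()
    s.add("p1", "ann@example.test", SAMPLE_PAN, "ICD-10 E11")
    return s


def check_permissions() -> bool:
    s = seed()
    s.read("clinician", "p1")                # approved role succeeds
    try:
        s.read("marketing", "p1")            # unapproved role must be denied
        return False
    except PermissionError:
        return True


def check_audit_completeness() -> bool:
    """Both the allowed and the denied access must appear in the log."""
    s = seed()
    s.read("billing", "p1")
    try:
        s.read("marketing", "p1")
    except PermissionError:
        pass
    return [e["allowed"] for e in s.audit] == [True, False]


def check_no_plaintext_pan_at_rest() -> bool:
    raw = seed().at_rest().decode()
    return SAMPLE_PAN.replace(" ", "") not in raw and not scan_for_pan(raw)


def check_erasure_end_to_end() -> bool:
    """Primary record, derived index and audit identifiers must all be gone."""
    s = seed()
    s.read("clinician", "p1")
    s.erase("p1")
    raw = s.at_rest().decode()
    gone = all(x not in raw for x in ("p1", "ann@example.test", "E11"))
    return gone and len(s.audit) == 1        # event retained, identifier removed
```

Run the four check_* functions from the test suite that gates releases; a failing check is the test-time version of an audit finding. The scan in scan_for_pan is deliberately crude (any 13 to 19 digit run), so it will flag some non-card numbers; for a real estate, tune it per data store and run it over backups and exports as well.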
Documentation:
- Compliance posture document.
- Audit trail evidence.
- Annual reviews / pentests.
Tools:
- Privacy Center for GDPR workflows.
- Field Audit Trail / Event Monitoring for audit verification.
- External pentest firms for the independent testing PCI DSS Requirement 11 expects (annually and after significant change); the assessment itself comes from the auditor or QSA, not the pentester.
Common pitfalls:
- Compliance asserted in a spreadsheet but never exercised against the live system.
- Documentation insufficient to show the auditor evidence, not just policy.
- Encryption configured but never validated against the data actually at rest (backups, exports, logs).
Senior insight: an audit ends in pass or fail, and findings the auditor discovers are the expensive kind. Testing beforehand is what turns a fail into a pass.
