Imagine that your test system holds details of an individual’s bank account balance and, for testing purposes, you have made the account overdrawn. What happens when that individual requests details of the information you hold about them? Will they be happy to learn that, in one of your systems, their account is showing a negative balance? More importantly, have they given you permission to use that data for testing purposes?
It has generally been accepted that ‘live’ data should not be used for testing, and in some cases this has effectively been mandated (HIPAA in the US, for example). Under GDPR it is wholly inappropriate to use data that can identify an individual for testing purposes. GDPR refers to pseudonymisation, a process that transforms personal data in such a way that it cannot be attributed to a real person. Pseudonymised data can “no longer be attributed to a specific data subject without the use of additional information”, according to the GDPR text. That means you need to limit the potential exposure and pseudonymise the data before it reaches a test system.
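A concrete way to apply that definition to a test extract is to replace each direct identifier with a keyed, one-way token and to keep the key (the "additional information") on the production side only. The following is an added illustration, not code from the original article; the record layout, field names and sample values are constructed for the example.

```python
"""Pseudonymising a test-data extract with a keyed hash (HMAC-SHA256).

Added illustration, not code from the original article. The record
layout, field names and sample values below are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AccountRecord:
    customer_name: str
    account_number: str
    balance_pence: int  # negative balance means the account is overdrawn


def pseudonymise_identifier(value: str, key: bytes, prefix: str) -> str:
    """Replace a direct identifier with a keyed, one-way token.

    HMAC rather than a plain hash: someone holding only the test copy
    cannot confirm a guess about who a token belongs to without the key.
    The key is the 'additional information' GDPR refers to and stays
    with the production system, never with the test data.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:16]}"


def pseudonymise_record(rec: AccountRecord, key: bytes) -> AccountRecord:
    """Transform one record.

    Same input and same key give the same token, so joins between tables
    (customer -> account) still line up in the test system. The balance
    is kept unchanged because the test scenario depends on it.
    """
    return AccountRecord(
        customer_name=pseudonymise_identifier(rec.customer_name, key, "CUST-"),
        account_number=pseudonymise_identifier(rec.account_number, key, "ACCT-"),
        balance_pence=rec.balance_pence,
    )


def pseudonymise_extract(records: Iterable[AccountRecord], key: bytes) -> List[AccountRecord]:
    return [pseudonymise_record(r, key) for r in records]


def leaks_identifier(original: AccountRecord, pseudo: AccountRecord) -> bool:
    """Pre-release check: no original identifier may survive verbatim
    in the test copy (case-insensitive substring search)."""
    sensitive = (original.customer_name, original.account_number)
    fields = (pseudo.customer_name, pseudo.account_number)
    return any(s.lower() in f.lower() for s in sensitive for f in fields)


def build_reidentification_map(records: Iterable[AccountRecord], key: bytes) -> Dict[str, str]:
    """Held only on the production side.

    Lets the data controller answer a subject access request ('which
    test rows are mine?') by re-deriving tokens from the real account
    numbers. The test environment never receives this map or the key.
    """
    return {
        pseudonymise_identifier(r.account_number, key, "ACCT-"): r.account_number
        for r in records
    }


# Constructed sample data: two customers, one deliberately overdrawn for testing.
SAMPLE_RECORDS = [
    AccountRecord("Jane Example", "12345678", -25_000),
    AccountRecord("John Sample", "87654321", 15_000),
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by production only
    test_copy = pseudonymise_extract(SAMPLE_RECORDS, key)
    for orig, pseudo in zip(SAMPLE_RECORDS, test_copy):
        assert not leaks_identifier(orig, pseudo)
        print(pseudo)
```

Two points the example makes that the definition alone does not: tokens are stable per key, so referential integrity between tables survives the transformation, and the only route back from a token to a person is re-derivation with the key, which is why the key and the re-identification map must never be shipped alongside the test data. Pseudonymisation addresses direct identifiers; fields that could identify someone in combination (dates of birth, postcodes, unusual balances) need separate consideration.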
Focusing on your production systems for a minute, you are inevitably going to need to make changes to those systems to comply with GDPR. This means testing, potentially a lot of testing. You are going to need test data, and that data itself needs to be compliant.