The people who view reports already have

[rakibhasan]

legitimate access to all the data (e.g. the company has its own development team) – bug reporting is irrelevant.

b) Reported data is anonymous or pseudonymous (so much so that, in a reasonable time and with sensible means, they cannot be de-anonymized). This way of reporting bugs is the best way to provide all the necessary data for the QA team and it meets the requirements of GDPR.

c) Reports contain personal data and bulk mobile database we outsource the development team. In this case, the external company must become an entity that processes personal data, as defined by GDPR, or the reports must be filtered and possibly anonymized before transferring them.

10. Are my development team and QA team obligated to have any certificates or training on personal data protection?
No, they do not have to. The only person who is required to have specialist knowledge on this subject is the Data Protection Officer. As we mentioned above, he or she doesn’t even have to be a team member.

Of course, it will be highly advantageous for your business if your Dev and QA team have some knowledge about GDPR, as they can deliver compliant products faster and without violating GDPR rulings.