
With GDPR, it's not really kosher to give devs access to the production database if it contains data about people.



Honest question, who can keep access to production in the eyes of GDPR?


Operations staff gets access to production machines with Operations being explicitly forbidden from producing code that runs on the systems.

There are still vectors for bad actors of course, but the idea is to firewall those who write the code from those who run it.


The production team can. It has made it very hard to debug. Now the production team has to do most of the debug work, they have to give us anonymised data (and you can't turn personal data into anonymous data, it would be pseudonymous at best) that triggers the bug.

It can be pretty hard if your organization was not organized with this in mind in the first place.


Honest answer, everyone who claims to be GDPR or HIPAA compliant is lying and hopes you never find out.


Is this true? If so, GDPR, like SOX 404, will stink from an actual "getting devs to own their own code" perspective.

It devolves into a bunch of managers saying no ops person can have any write access to git at all and no dev person can have any read access to prod, let alone deploy code, thus throwing up a wall to have stuff thrown over.

Separation of duties is the worst, stupidest, clumsiest control ever but all the auditors and management types love it because it doesn't require them to think.

IT controls are far less used as the only control, as The Phoenix Project alludes, and yet the default state for any auditor is "it's all in SOX scope and everything is an IT control, lock it all down" and unless management has a clue and a care, they just do it.

In the process, they contort the CI/CD pipeline in horrible ways to say that yes, they have obtained the magical way of separation of duties.



