ÖÄaaz332Ücß4ÖbÄ26zn
ANO3562/高野ブルーノ
as8d7eonb435DB6jk450
АБВГДЕЖЗИЙКЛМAНОПФ
‫צ‬ ‫ץ‬ ‫פ‬ ‫ף‬ ‫נ‬ ‫ן‬ ‫מ‬ ‫חי‬ ‫ד‬ ‫ג‬ ‫ב‬ ‫א‬
GDPR and Evolving International Privacy Regulations
Agenda
• Convergence of data privacy principles, standards and regulations
• General Data Protection Regulation (GDPR)
• GDPR and California Consumer Privacy Act (CCPA)
• What role do technologies play in compliance
• Use Cases
What is Privacy?
Privacy is defined in Generally Accepted Privacy Principles (GAPP) as
“the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.”
Sources: "Generally Accepted Privacy Principles (GAPP)", https://www.journalofaccountancy.com/Issues/2011/Jul/20103191.htm ; European Union, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en
Trends in Privacy Regulations
Privacy Regulations (Source: Forrester)
• 1970: the German state of Hesse passed the first data protection law in the world; Germany's federal law followed later in the decade
• 1974: Sweden's Data Act, a national data protection law, went into effect
• Finland's Data Protection Act
• Japan is amending its domestic legislation to strengthen privacy protection in the country
• India is passing a comprehensive data protection bill that includes GDPR-like requirements
• Brazil is passing a comprehensive data protection law similar to GDPR
• The New York Privacy Act was introduced in 2019
• GDPR's impact is expected to be global
• CCPA's impact is expected to be global (12+ %), given California's status as the fifth largest global economy
Data and Security Governance (DSG) Converge (Source: Gartner)
The Evolution of Privacy Regulation Continues at an Aggressive Rate
Legal and regulatory risks are exploding (Source: TrustArc)
How many privacy laws are you complying with? (Source: IAPP)
General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.
California Consumer Privacy Act (CCPA) is a California state law (signed in 2018, in force from 1 January 2020) that enhances privacy rights and consumer protection for residents of California, United States.
General Data Protection Regulation (GDPR)
Failure to Comply . . . What are the Consequences?
• Companies are liable for fines of up to four per cent (4%) of their global annual turnover or €20 million, whichever is higher (Article 83(5)). This applies to non-compliance even where there has been no data breach.
• The principles of data protection should apply to any information concerning an identified or identifiable person (Recital 26).
• To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, either by the controller or by any other person, to identify the individual.
• The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
GDPR — Data Protection Principles (Article 5)
• Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
• Collected for specified, explicit and legitimate purposes only
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)
• Accurate and, where necessary, kept up to date, erased or rectified without delay
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• Processed in a manner that ensures appropriate security of the personal data
88 pages (99 Articles) of detailed data protection requirements
GDPR Security Requirements Framework (Source: IBM): Discover Data Assets; Security by Design; Encryption and Tokenization
Data flow mapping under GDPR (Source: BigID)
• If there is no documented workflow in place in your organization, it can be worthwhile to send a team out to identify how data is actually being gathered.
• This shows where the documented data flow differs from reality and what needs to be done.
Organizations need to look at how the data was captured, who is accountable for it, where it is located and who has access.
GDPR and California Consumer Privacy Act (CCPA)
The CCPA Effect: Regulatory Activities in Privacy Since Jan 2019 (Source: Gartner)
Use Cases & Standards
Privacy Standards: 11 published international privacy standards (ISO/IEC), grouped in the deck as Framework, Management, Techniques, Cloud, Impact, Requirements and Process
• ISO/IEC 19608 (TS): Guidance for developing security and privacy functional requirements based on ISO/IEC 15408
• ISO/IEC 20889 (IS): Privacy enhancing de-identification terminology and classification of techniques
• ISO/IEC 27018 (IS): Code of practice for protection of PII in public clouds acting as PII processors
• ISO/IEC 27550 (TR): Privacy engineering for system lifecycle processes
• ISO/IEC 27701 (IS): Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
• ISO/IEC 29100 (IS): Privacy framework
• ISO/IEC 29101 (IS): Privacy architecture framework
• ISO/IEC 29134 (IS): Guidelines for privacy impact assessment
• ISO/IEC 29151 (IS): Code of practice for PII protection
• ISO/IEC 29190 (IS): Privacy capability assessment model
• ISO/IEC 29191 (IS): Requirements for partially anonymous, partially unlinkable authentication
(IS = International Standard, TS = Technical Specification, TR = Technical Report)
Different data protection techniques
Technique                           | Direction          | Characteristic                                        | Relative speed
Tokenization                        | 2-way (reversible) | Format preserving                                     | Fast
Format Preserving Encryption (FPE)  | 2-way (reversible) | Format preserving                                     | Slow
Homomorphic Encryption (HE)         | 2-way (reversible) | Computing on encrypted data                           | Very slow
Static Masking / Dynamic Masking    | 1-way              | Applied in the data store (static) or at read time (dynamic) | Fast
Hashing                             | 1-way              |                                                       | Fast
K-anonymity model                   | 1-way              | Algorithmic                                           |
Differential Privacy (DP)           | 1-way              | Random noise added                                    |
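The 2-way versus 1-way distinction in the table above, shown on constructed sample values. This is an added example, not code from the deck or from any vendor product: a vault-based, format-preserving tokenizer (reversible only through the vault), a keyed one-way hash, and a read-time masking function. The token vault is an in-memory dictionary and the HMAC key is a demo constant; both are assumptions for illustration.

```python
# Added example (not from the deck): the 2-way vs 1-way split in the table above,
# applied to constructed sample values. Vault-based tokenization is reversible and
# format preserving; keyed hashing and masking are not reversible.
import hashlib
import hmac
import secrets
import string

MAX_ATTEMPTS = 1000  # guard against exhausting the token space for very short values


class VaultTokenizer:
    """Vault-based, format-preserving tokenization (2-way).

    Each digit becomes a random digit and each letter a random letter of the
    same case; separators such as '-' or '@' are kept, so the token passes the
    same format checks as the original. The clear value lives only in the vault,
    which is why the vault (and its key custodian) must be isolated from the
    applications that consume tokens.
    """

    def __init__(self, keep_last=0):
        self.keep_last = keep_last  # e.g. keep the last 4 digits of an account number
        self._to_token = {}         # clear value -> token
        self._to_value = {}         # token -> clear value

    def _random_like(self, value):
        out = []
        for i, ch in enumerate(value):
            if i >= len(value) - self.keep_last:
                out.append(ch)                      # trailing characters kept in clear
            elif ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)                      # separators preserved
        return "".join(out)

    def tokenize(self, value):
        """Same clear value -> same token (joins across tables still work)."""
        if value in self._to_token:
            return self._to_token[value]
        if not any(ch.isalnum() for ch in value[: len(value) - self.keep_last]):
            raise ValueError("no position left to randomize")
        for _ in range(MAX_ATTEMPTS):
            token = self._random_like(value)
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        """Reverse lookup; raises KeyError for a token this vault never issued."""
        return self._to_value[token]


def keyed_hash(value, key):
    """1-way: HMAC-SHA256 over the value. The secret key matters: phone or
    account numbers have so little entropy that a bare SHA-256 could be
    reversed by enumerating every candidate value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dynamic_mask(value, reveal_last=4, mask_char="X"):
    """1-way masking at read time: only the trailing characters are shown."""
    if len(value) <= reveal_last:
        return value
    return mask_char * (len(value) - reveal_last) + value[-reveal_last:]


if __name__ == "__main__":
    # Constructed sample values, not real PII.
    vault = VaultTokenizer(keep_last=4)
    account = "4111-2222-3333-4444"
    token = vault.tokenize(account)
    print(account, "->", token, "->", vault.detokenize(token))
    print(keyed_hash("+1-555-0100", b"constructed-demo-key"))
    print(dynamic_mask(account))
```

Note the asymmetry the table is pointing at: the tokenizer can hand back the clear value because the vault keeps it, so the vault becomes the thing to protect; the hash and the mask keep nothing and cannot be reversed, which is what makes them suitable for analytics and display but useless where the original value must later be recovered.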
Data protection techniques: deployment on-premises and in clouds
Deployment models compared: data warehouse (centralized and distributed), on-premises, public cloud, private cloud
• Available in every listed deployment model: vault-less tokenization, masking, hashing, differential privacy (server model and local model), l-diversity, t-closeness
• Format preserving encryption: every listed model but one
• Vault-based tokenization and homomorphic encryption: only two of the listed models (a token vault is a central lookup service, and the cost of HE limits it to narrow workloads)
Privacy enhancing data de-identification terminology and classification of techniques (ISO/IEC 20889)
• De-identification techniques: tokenization, cryptographic tools, suppression techniques
• Formal privacy measurement models: differential privacy, k-anonymity model
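The formal privacy measurement models listed above (k-anonymity, and l-diversity from the deployment table) computed on a constructed patient table, with generalization of the quasi-identifiers as the suppression technique that raises k. This is an added example, not code from the deck or from ISO/IEC 20889; the records, the choice of zip and age as quasi-identifiers, and the generalization ladder are assumptions for illustration.

```python
# Added example (not from the deck): k-anonymity and l-diversity measured on a
# constructed table, and generalization applied until a target k is reached.
from collections import defaultdict

# Constructed sample records (not real data): zip and age are quasi-identifiers,
# diagnosis is the sensitive attribute.
RECORDS = [
    {"zip": "10115", "age": 34, "diagnosis": "flu"},
    {"zip": "10117", "age": 36, "diagnosis": "asthma"},
    {"zip": "10119", "age": 38, "diagnosis": "flu"},
    {"zip": "20095", "age": 52, "diagnosis": "diabetes"},
    {"zip": "20097", "age": 55, "diagnosis": "diabetes"},
    {"zip": "20099", "age": 58, "diagnosis": "flu"},
]
QUASI = ("zip", "age")

# Generalization ladder, coarsest last: (zip digits kept, age bucket width).
LADDER = [(5, 1), (3, 5), (2, 10), (1, 20), (0, 100)]


def equivalence_classes(records, quasi):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def k_anonymity(records, quasi):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(len(c) for c in equivalence_classes(records, quasi).values())


def l_diversity(records, quasi, sensitive):
    """l = smallest number of distinct sensitive values inside any class.
    k-anonymity alone does not stop an attacker who finds that everyone in a
    class shares the same diagnosis; l-diversity measures that."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, quasi).values())


def generalize(records, zip_digits, age_bucket):
    """Coarsen quasi-identifiers: truncate the zip, bucket the age."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        lo = (r["age"] // age_bucket) * age_bucket
        g["age"] = f"{lo}-{lo + age_bucket - 1}"
        out.append(g)
    return out


def anonymize(records, quasi, target_k):
    """Walk the ladder from least to most generalized until k >= target_k.
    Returns (generalized records, achieved k, ladder step used)."""
    for zip_digits, age_bucket in LADDER:
        g = generalize(records, zip_digits, age_bucket)
        k = k_anonymity(g, quasi)
        if k >= target_k:
            return g, k, (zip_digits, age_bucket)
    raise ValueError("target k not reachable even with all quasi-identifiers suppressed")


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI))
    g, k, step = anonymize(RECORDS, QUASI, target_k=3)
    print("generalized with", step, "-> k =", k,
          "l =", l_diversity(g, QUASI, "diagnosis"))
    for row in g:
        print(row)
```

On this table the raw data has k = 1 (every record is unique on zip and age); keeping two zip digits and ten-year age bands gives k = 3 but only l = 2, since each class still contains a majority diagnosis. That gap between k and l is the usual reason a k-anonymous release is not automatically a safe one.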
Example of Cross Border Data-centric Security using Tokenization
• Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
• Compliance with EU cross border data protection laws
• Utilizing data tokenization, and centralized policy, key management, auditing, and reporting
Result: complete policy-enforced de-identification of sensitive data across all bank entities, from the data sources into the data warehouse
Shared responsibilities across cloud service models (Source: Microsoft): the customer is responsible for the data across all cloud service models (IaaS, PaaS and SaaS).
A Cloud Security Gateway (CASB) can protect sensitive data in Cloud (SaaS)
• Example protocols include HTTP, HTTPS, SFTP, and SMTP
• Based on configuration instead of programming
• Secures existing web services or REST API calls
• See and control where sensitive data travels
Deployment:
1. Install the Cloud Security Gateway in your trusted domain
2. Select the fields to be protected
3. Start using Salesforce with enhanced security
Components: a Policy Enforcement Point (PEP) protecting the selected data fields, and Encryption Key Management kept in the trusted domain (separation of duties from the SaaS provider)
Protect data before landing: protection of data in AWS S3 with separation of duties
• Sensitive data streams from the enterprise on-prem environment are protected, under enterprise policies, before landing in an S3 bucket; data lifted to S3 is protected before use
• Applications can use de-identified data or data in the clear based on policies
Components: a Policy Enforcement Point (PEP) and Encryption Key Management, with separation of duties between them
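The pattern shared by the cross-border bank use case, the CASB slide and the S3 slide is a policy enforcement point that tokenizes selected fields before a record lands in a shared store, and later hands back clear values only when policy allows. The example below is added here and is not code from the deck or from any product: a minimal PEP whose policy combines the caller's role with a country check against the record's own country, so that, as in the bank use case, Austrian customer data is readable in clear only from Austria. The field list, roles, policy table and sample record are constructed assumptions; the token vault is an in-memory dictionary standing in for a key-custodian-controlled service.

```python
# Added example (not from the deck or any vendor): a minimal policy enforcement
# point (PEP) that protects fields before landing and detokenizes per policy.
import secrets

PROTECTED_FIELDS = ("name", "email", "account_no")

# Constructed policy: which role may read which protected fields in the clear.
# On top of the role, the record's own country must match the caller's country.
POLICY = {
    "fraud_analyst": {"account_no"},                        # account numbers only
    "relationship_manager": {"name", "email", "account_no"},
    "data_scientist": set(),                                # de-identified data only
}


class TokenVault:
    """Token store under the key custodian's control. Separation of duties:
    application teams only ever call protect(); reveal() is reachable solely
    through the PEP, which enforces policy and writes the audit trail."""

    def __init__(self):
        self._store = {}

    def protect(self, value):
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = value
        return token

    def reveal(self, token):
        return self._store[token]


class PolicyEnforcementPoint:
    def __init__(self, vault):
        self.vault = vault
        self.audit = []  # (role, country, field) for every clear-text read

    def protect_before_landing(self, record):
        """Replace protected fields with tokens before the record is written to
        the shared store (S3 bucket, SaaS object, data warehouse). Everything
        else, including the country tag the policy needs, stays in clear."""
        out = dict(record)
        for field in PROTECTED_FIELDS:
            if field in out:
                out[field] = self.vault.protect(out[field])
        return out

    def read(self, record, role, country):
        """Return the record as this caller is allowed to see it. Fields the
        caller may not read stay tokenized rather than being dropped, so the
        de-identified view still joins and counts like the original."""
        allowed = POLICY.get(role, set())
        same_country = record.get("country") == country
        out = dict(record)
        for field in PROTECTED_FIELDS:
            if field in out and field in allowed and same_country:
                out[field] = self.vault.reveal(out[field])
                self.audit.append((role, country, field))
        return out


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    vault = TokenVault()
    pep = PolicyEnforcementPoint(vault)
    raw = {"country": "AT", "name": "Max Muster", "email": "max@example.at",
           "account_no": "AT000000000000000001"}
    stored = pep.protect_before_landing(raw)
    print("landed:", stored)
    print("from DE:", pep.read(stored, "relationship_manager", "DE"))
    print("from AT:", pep.read(stored, "relationship_manager", "AT"))
    print("audit:", pep.audit)
```

The deny path is the important one: a relationship manager querying from Germany gets the same tokenized record a data scientist gets, while the identical query from Austria gets clear text and leaves an audit entry per field revealed. Because the country check reads the record's own tag, the rule travels with the data when it is consolidated at headquarters.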
Protection throughout the lifecycle of data in Hadoop: big data protection with granular field level protection for Google Cloud
• The Big Data Protector tokenizes or encrypts sensitive data fields (the Policy Enforcement Point)
• Enterprise policies may be managed on-prem or on Google Cloud Platform (GCP)
• Encryption Key Management is kept separate from the protected data (separation of duties)
Multi-Cloud Considerations (Source: Securosis, 2019)
Consistency
• Most firms are quite familiar with their on-premises encryption and key management systems, so they often prefer to leverage the same tool and skills across multiple clouds.
• Firms often adopt a “best of breed” cloud approach.
Trust
• Some customers simply do not trust their vendors.
Vendor Lock-in and Migration
• A common concern is vendor lock-in, and an inability to migrate to another cloud service provider.
• Some native cloud encryption systems do not allow customer keys to move outside the system, and cloud encryption systems are based on proprietary interfaces.
• The goal is to maintain protection regardless of where data resides, moving between cloud vendors.
(Diagram: a single cloud gateway in front of Google Cloud, AWS Cloud and Azure Cloud)
Major Financial Institution Global Use Case
Where does data protection technology play? GDPR and more
1. Think “Privacy by Design” and build data privacy controls into all application development
2. Create a continuity/action plan for data breaches
3. Ensure accountability for data breaches is understood by all employees/contractors
4. Design data privacy into products and services
5. Consider the legal basis of how you use PII
6. Create or update appropriate privacy notices and policies
7. Prepare for data subject requests from anyone providing PII
8. Formalize who is responsible when data is transferred or processed
9. Set up a framework that ensures you have a legitimate reason for transferring PII to countries with less stringent data protection rules
10. Review Generally Accepted Privacy Principles and start adhering to them in everything you do
11. Hire or assign a Data Protection Officer (DPO)
Thank You!


Editor's Notes

  • Speaker note for the cross-border bank use case: Protect PII data cross border. Achieve compliance while moving or outsourcing data, even between countries; the data residency issue is solved.
    Example: A major bank performed a consolidation of all European operational data sources. This meant protecting Personally Identifiable Information (PII) in compliance with the EU cross border data protection laws. In addition, they required access to Austrian and German customer data to be restricted to only people in each respective country.
    Challenges: The primary challenge was to protect PII (names and addresses, phone and email, policy and account numbers, birth dates, etc.) to the satisfaction of EU cross border data security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
    Result: complete policy-enforced de-identification of sensitive data across all bank entities; end-to-end data protection from geographically distributed bank entities to HQ; all existing data secured at a granular level; achieved targeted compliance with EU cross border data security laws, the Datenschutzgesetz 2000 (DSG 2000) in Austria and the Bundesdatenschutzgesetz in Germany; implemented country-specific data access restrictions; extremely high throughput of data.