The document discusses modern privacy regulations, highlighting the increase in data subject complaints and the convergence of data privacy principles globally, including notable laws such as GDPR and CCPA. It outlines best practices for data privacy, including accountability, notice, and security, along with the evolving PCI DSS standards. Additionally, it emphasizes the importance of understanding data flows and implementing effective compliance measures while balancing the opportunities for data use and privacy protection.

1. 1
ÖÄaaz332Ücß4ÖbÄ26zn
ANO3562/高野ブルーノ
as8d7eonb435DB6jk450
АБВГДЕЖЗИЙКЛМAНОПФ
‫צ‬ ‫ץ‬ ‫פ‬ ‫ף‬ ‫נ‬ ‫ן‬ ‫מ‬ ‫חי‬ ‫ד‬ ‫ג‬ ‫ב‬ ‫א‬
New Opportunities & Business
Risks with Evolving Privacy
Regulations
Ulf Mattsson
Chief Security Strategist
www.Protegrity.com

2. 2
PaymentCardIndustry(PCI)
SecurityStandards
Council (SSC):
1. TokenizationTask Force
2. Encryption Task Force, Pointto Point
Encryption Task Force
3. Risk Assessment
4. eCommerce SIG
5. Cloud SIG, Virtualization SIG
6. Pre-Authorization SIG, Scoping SIG
Working Group
Ulf Mattsson
Dec 2019
May 2020
Cloud Security Alliance
Quantum Computing
Tokenization Management and
Security
Cloud Management and Security
ISACA JOURNAL May 2021
Privacy-Preserving Analytics and
Secure Multi-Party Computation
ISACA JOURNAL May 2020
Practical Data Security and
Privacy for GDR and CCPA
• Chief Security
Strategist, Protegrity
• Chief Technology
Officer, Protegrity, Atlantic
BT, and Compliance
Engineering
• Head of Innovation,
TokenEx
• IT Architect, IBM
• Develops Industry Standards
• Inventor of more than 70 issued US Patents
• Products and Services:
• Data Encryption, Tokenization, and Data Discovery
• Cloud Application Security Brokers (CASB) and Web Application
Firewalls (WAF)
• Security Operation Center (SOC) and Managed Security Services
(MSSP)
• Robotics and Applications

3. 3
Agenda
1. Trends in modern privacy regulations & Increase in data subject complaints
2. A growing number of regulations & Convergence of data privacy principles
3. The opportunities to use data are growing
4. California CCPA, EU GDPR and data transfer between US and EU
5. The new PCI DSS version 4
6. Data privacy best practices, Use cases & Data life cycle

4. 4
What is Privacy ?
Privacy is defined in
Generally Accepted Privacy Principles (GAPP)
as
“the rights and obligations of individuals and organizations with
respect to the collection, use, retention, disclosure, and disposal
of personal information.”
"Generally Accepted Privacy Principles (GAPP)", https://www.journalofaccountancy.com/Issues/2011/Jul/20103191.htm
European Union, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-
organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en

5. 5
Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges
Accountable
For
Privacy
ISACA: Privacy-in-Practice-2021_whppip_whp_eng_0121
CISO
CPO
CEO
CIO
CCO
BoD
?
Other

6. 6
A growing number of
regulations around the
world & Convergence of
data privacy principles

7. 7
Privacy Regulations
Sweden, The Data Act, a national data
protection law went into effect in 1974
India is passing a
comprehensive data
protection bill that include
GDPR-like requirements
Finland's Data Protection Act
Japan implements changes to
domestic legislation to
strengthen privacy protection
in the country
Brazil passing a comprehensive
data protection regulation
similar to GDPR
1970, Germany passed the
first national data protection
law, first data protection law
in the world
The New York Privacy Act
was introduced in 2019
Source: Forrester
CCPA's impact is
expected to be
global (12+ %), given
California's status as
the fifth largest
global economy
GDPR's impact is expected to be global

8. 8
TrustArc
Legal and regulatory risks are exploding

9. 9
Examples of Leading Global Data Privacy Regulations
1. GDPR (General Data Protection Regulation) EU
2. GLBA (Gramm Leach Bliley Act) USA
3. PIPEDA (Personal Information Protection and Electronic
Documents Act) Canada
4. COPPA (Children’s On-Line Privacy Protection Act) USA
5. UK-DPA (Data Protection Act) UK
6. EU-US Privacy Shield (replaces Safe Harbor Program,
replaced by GDPR) USA
7. HIPAA (Health Insurance Portability Accountability Act)
USA
8. Australian Privacy Act (1988) includes thirteen Australian
Privacy Principles (APPs)
9. German Bundesdatenschutzgesetz (BDSG) or Federal data
protection act (Germany)
10. MA - 201 CMR 17.00, NY State – Personal Privacy Protection
Law (PPPL), Others USA

10. 10
Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges
Regulations
And
Frameworks
ISACA: Privacy-in-Practice-2021_whppip_whp_eng_0121
GDPR
US NIST Privacy F/W
ISO 27002
COBIT
ISO 27001
US NIST SP 800-53
GAPP
ISO 29100
Safe Harbor
ISO 22307

11. 11
IAPP
How many privacy laws are you complying with?
General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data
protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also
addresses the transfer of personal data outside the EU and EEA areas.
California Consumer Privacy Act ( CCPA) is a bill that enhances privacy rights
and consumer protection for residents of California, United States.

12. 12
Trends in modern
privacy regulations &
Increase in data subject
complaints

13. 13
Hype Cycle
for Privacy
(Gartner)

14. 14
The Evolution of Privacy Regulation Continues at an Aggressive Rate

15. 15
Convergence of Privacy Principles 1/2
• Accountability – requires that the entity define, document, communicate, and assign accountability for its
privacy policies and procedures and be accountable for PII under its control.
• Notice – requires that the entity provide notice about its privacy policies and procedures and identify the
purpose for which personal information is collected, used, retained, and disclosed.
• Choice and Consent – requires that the entity describe the choices available to the individual and obtain
implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
• Collection Limitation – requires that the entity collect personal information only for the purposes
identified in the notice.
• Use Limitation – requires that the entity limit the use of personal information to the purpose identified in
the notice and for which the individual has provided implicit or explicit consent.

16. 16
Convergence of Privacy Principles 2/2
• Access – requires that the entity provide individuals with access to their personal information for review
and update.
• Disclosure – requires that the entity disclose personal information to third parties only for the purposes
identified in the notice and only with the implicit or explicit consent of the individual.
• Security – requires that the entity protect personal information against unauthorized access or alteration
(both physical and logical).
• Data Quality – requires an entity maintain accurate, complete, and relevant personal information for the
purposes identified in the notice.
• Enforcement – requires that the entity monitor compliance with its privacy policies and procedures and
have procedures to address privacy-related inquiries and disputes.

17. 17
AICPA/CICA* — Ten Generally Accepted Privacy Principles
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal
information is collected, used, retained, and disclosed.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect
to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which
the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill
the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice
and with the implicit or explicit consent of the individual.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to
address privacy related complaints and disputes.
* American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants

18. 18
OECD* — Seven Privacy Principles
1. Notice - Individuals must be informed that their data is being collected and how it will
be used. The organization must provide information about how individuals can contact
the organization with any inquiries or complaints.
2. Choice - Individuals must have the option to opt out of the collection and forward
transfer of the data to third parties.
3. Onward Transfer - Transfers of data to third parties may only occur to other
organizations that follow adequate data protection principles.
4. Security - Reasonable efforts must be made to prevent loss of collected information.
5. Data Integrity - Data must be relevant and reliable for the purpose it was collected.
6. Access - Individuals must be able to access information held about them, and correct
or delete it, if it is inaccurate.
7. Enforcement - There must be effective means of enforcing these rules.
* Organisation for Economic Co-operation and Development

19. 19

20. 20
The opportunities
to use data are
growing

21. 21
Global Hadoop Big Data
Analytics Market
(USD Billion)
Real-time data is significant in global
datasphere
Between 2018 and 2025 the size of real-time data
in the global datasphere is expected to expand
tenfold, from five zettabytes to 51 zettabytes.
Statista 2021
Increase in
information
volume of
Real-time
Analytics

22. 22
The advent of big data
era due to the increase
in the information
volume of the whole
world
ResearchGate
Big
Data
AI

23. 23
Opportunities
Controls
Regulations
Policies
Risk Management
Breaches
Balance
Protect data in ways that are transparent to business processes and compliant
to regulations
Source: Gartner

24. 24
Data and Security Governance (DSG) Converge
Source: Gartner

25. 25
Security Compliance
Privacy
Controls Regulations
Policies
Hybrid
Cloud
DevOps. DataOps
and DevSecOps
GDPR
CCPA
Data
Security
PCI DSS
HIPAA
Identity
Management
Application
Security
Risk
Management
Industry
Standards
Find the right Balance
ISO/IEC, NIST, ANSI X9,
FFIEC, COBIT, W3C, IETF,
Oasis
Data
Privacy
Containers and
Serverless
Why, What
and How
Balance

26. 26
CCPA, GDPR
and data transfer
between
US and EU

27. 27
GDPR — Data Protection Principles (Article 5)
• Personal data shall be processed lawfully, fairly and in a transparent manner in
relation to the data subject
• Collected for specified, explicit and legitimate purposes only
• Adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed (‘data minimization’)
• Accurate and, where necessary, kept up to date, erased or rectified without delay
• Kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed
• Processed in a manner that ensures appropriate security of the personal data
88 Pages (99 Articles) of detailed data protection requirements

28. Source: IBM
GDPR Security Requirements Framework
Encryption and
Tokenization
Discover
Data Assets
Security
by Design

29. 29
Source: Gartner
Basic Security Product Alignment Against Controls

30. 30
Data flow mapping under GDPR
• If there is not already a documented workflow in place in your organization, it can be worthwhile for a team to
be sent out to identify how the data is being gathered.
• This will enable you to see how your data flow is different from reality and what needs to be done
Organizations needs to look at how the data was captured, who is accountable for it, where it is
located and who has access.
Source:
BigID

31. 31
GDPR Privacy by Design
• “Privacy by Design” and “Privacy by Default” have been frequently-discussed topics related to data protection.
• The first thoughts of “Privacy by Design” were expressed in the 1970s and were incorporated in the 1990s into
the RL 95/46/EC data protection directive.
• According to recital 46 in this Directive, technical and organisational measures (TOM) must be taken already at
the time of planning a processing system to protect data safety.
• The term “Privacy by Design” means nothing more than “data protection through technology design.”
• Behind this is the thought that data protection in data processing procedures is best adhered to when it is
already integrated in the technology when created.
• Nevertheless, there is still uncertainty about what “Privacy by Design” means, and how one can implement it.

32. 32
Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges
Areas of
Privacy
Skills Gaps
ISACA: Privacy-in-Practice-2021_whppip_whp_eng_0121
Technology
Regulations
Frameworks
Business
Tech
People
Op
Networking

33. 33
Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges
Fix
Privacy
Skills
Gaps
ISACA: Privacy-in-Practice-2021_whppip_whp_eng_0121
Basic Training
External
Advanced Training
Credentials
AI
?
?
No gap

34. 34
The
California
CCPA Effect
Regulatory
Activities in
Privacy Since
Jan 2019,
Gartner

35. 35
GDPR and California ConsumerPrivacy Act (CCPA)

36. 36
GDPR and California ConsumerPrivacy Act (CCPA)

37. PCI Vs. GDPR: What’s The Difference?
Source:https://www.securitymetrics.com/blog/pci-vs-gdpr-whats-difference

38. 38
The new PCI DSS
version 4

39. PCI DSS Compliance Issues with breached organizations and PCI DSS v4
Source: Verizon 2019 Payment Security Report
• PCI DSS Requirement 3 is addressing protecting cardholder
data.
• PCI DSS Requirement 10 is addressing network security and
access.
PCI DSS v4 adds a customized approach
• Meeting the security intent of PCI DSS by using security
approaches that may be different than traditional PCI DSS
requirements.
• Compensating controls will be removed

40. The next major evolution of the 15-year old PCI DSS
PCI DSS v.4.0 is the next major evolution of the 15-year old PCI DSS framework since the last significant
revision in 2013:
1. Scoping – Increased testing and documentation will be required for confirmation of the accuracy and
completeness of scope of the cardholder data environment (CDE) and periodic scope validation processes.
2. CHD Protection – Card encryption requirements will be expanded to include all transmissions of CHD instead of
only those across public networks.
3. Security awareness training – Requirements for training of end users will be enhanced to include more
information regarding current threats and phishing, social engineering, etc.
4. Risk assessment – The Council recognizes that the current PCI DSS requirement that a risk assessment be
conducted is not always resulting in useful risk analysis and risk management outcomes. This requirement will
be modified to ensure that the risk assessment is not being treated as a “checkbox exercise” by organizations.
5. Authentication – The new version of the DSS will provide more flexibility for the use of authentication
techniques and solutions within the CDE to align them with industry best practices.
6. Cloud environments – Version 4.0 will evolve all requirements to be more accommodating for the use of
technologies such as cloud hosting services.
7. Sampling – Additional direction for assessors on sampling guidance will be included to verify that controls are
in place consistently across the entire population.
Source: https://www.lbmc.com

41. Source:
PCI SSC
PCI DSS v4.0 Controls Matrix (example)

42. Compliance Program Performance Evaluation Framework Source: Verizon 2019
Payment Security Report
• There are no
significant
concerns about
capacity,
capability,
competence,
commitment or
communication
• The competence
, control risk, does
not exist
• There is
uncertainty
whether the
needed
competence
exists internally

43. Source: Verizon 2019 Payment Security Report
10 Deep questions to ask—and answer—in advancing your
program
1. What data do you have, where is it and how does it flow?
Are you sure you know where all your data is, and who is responsible for it? How do you keep
track of the data you have? Do you know exactly where all the data is that needs to be
protected?
2. Are you secure enough? How confident are you about the
protection of your data?
How do you know your payment card data is secure? Based on what evidence? Which metrics
do you track to answer this question? Does compliance mean your data really is secure?
3. How confident are you that the right controls are
effective and in the right places?
How does your control design process identify the controls that are needed? What evidence do
you have for the effectiveness of your controls? Do you measure control effectiveness for all
controls?
4. How predictable is your Data Protection Compliance Program (DPCP) performance?
With how much confidence can you predict the outcome of your key DPCP objectives, and can
you do so at any point in time?
5. How do you ensure the quality and durability of your key data protection and compliance
processes?
Do you know what those processes consist of? How repeatable and consistent are your key
processes? Can you predict success or failure with a degree of certainty ahead of time?

44. Source: Verizon 2019 Payment Security Report
10 Deep questions to ask—and answer—in advancing your
program
6. How quickly can you detect and respond to policy, standard and procedure deviations?
How do your expectations on event detection and incident response meet reality? What about
your expectations of
response with corrective actions?
7. Do you have controls in place to measure the effectiveness of your DPCP implementation
and maturity strategy?
How well does it align with industry frameworks such as COBIT, COSO or NIST CSF, and is it
able to meet your
control objectives?
8. How do you know that you are prioritizing the right DPCP activities at the right time?
Did you prioritize the correct objectives? With resources being limited, how do you know your
team is spending time on the right tasks?
9. How well are you managing the 5 Constraints of Organizational Proficiency: capacity,
capability, competence, commitment and communication?
Do you have visibility into your organizational ability to manage each of the five constraints?
10. How well do you understand the 9 Factors of Control Protection Effectiveness and
Sustainability?
Do you know where you are with control effectiveness and sustainability, and what your
organization’s capability will be in one year’s time?

45. 45
Pseudonymize - Identifying and payload data shall be separated
Entities in the de-classification process
The separation of identifying and payload data
• Further processing steps will take the identifying part as input and leave the payload
unchanged.
• The pseudonymization process translates the given identifiers into a pseudonym.
Pseudonymization can map a given identifier with the same pseudonym.
• Because the combination of both preservation of linkage between records
belonging to the same identity and the protection of privacy
— map a given identifier with a different pseudonym:
— context dependent (context spanning aspect of a pseudonym)
— time dependent (e.g. always varying or changing over specified time-intervals)
— location dependent
ISO/TS 25237:2008 Health informatics — Pseudonymization
Two types of pseudonymized data
• Irreversible pseudonymization
• Reversible pseudonymization by
applying procedures restricted to
duly authorized users.
U
Tokens
Lookup table
Identifying
data
Payload
data

46. 46
Tokenization process
U
System 1
The following are each in scope
1. Systems performing tokenization of data
2. Tokens that are not isolated from the tokenization
processes
3. Tokenized data that is present on a system or media
that also contains the tokenization table
4. Tokens that are present in the same environment as
the tokenization table
5. Tokens accessible to an entity that also has access to
the tokenization table
System 2
System 3 U
System 4
Tokens
U
System 0 The following is NOT in scope
Tokenization
Example for
PCI DSS
Tokens
Lookup table
Lookup table Tokens
Lookup table
pcisecuritystandards.org

47. 47
pcisecuritystandards.org
Encryption
process
Encrypted
Cardholder
data (CHD)
U
Encryption keys
System 1
The following are each in scope for PCI DSS:
1. Systems performing encryption and/or decryption of
cardholder data, and systems performing key
management functions
2. Encrypted cardholder data that is not isolated from
the encryption and decryption and key management
processes
3. Encrypted cardholder data that is present on a system
or media that also contains the decryption key
4. Encrypted cardholder data that is present in the same
environment as the decryption key
5. Encrypted cardholder data that is accessible to an
entity that also has access to the decryption key
System 2
System 3
Encryption keys
Encrypted
Cardholder
data (CHD)
U
System 4
Encrypted
Cardholder
data (CHD)
U
System 0 The following MAY NOT be in scope for PCI DSS
Encryption
Example for
PCI DSS
Encryption keys

48. 48
Data privacy best
practices, Use cases &
Sensitive personal
data life cycle

49. 49
Payment
Application
Payment
Network
Payment
Data
Policy,
tokenization,
encryption
and keys
Gateway
Call Center
Application
Format Preserving Encryption (FPE)
PI* Data
Tokenization
Salesforce
Analytics
Application
Differential Privacy (DP),
K-anonymity model
PI* Data
Microsoft
Election Guard
development
kit
Election
Data
Homomorphic Encryption (HE)
Data
Warehouse
PI* Data
Use-cases of some de-identification techniques
Voting
Application
*: PI Data (Personal information) means information that identifies, relates to,
describes, is capable of being associated with, or could reasonably be linked,
directly or indirectly, with a consumer or household according to CCPA
Dev/test
Systems
Masking
PI* Data

50. 50
Differential
Privacy
(DP)
2-way
Format
Preserving
Encryption
(FPE)
Homomorphic
Encryption
(HE)
K-anonymity
model
Tokenization Static
Masking
Hashing
1-way
Data store
Different data protection techniques
Algorithmic
Random Noise added
Computing on
encrypted data
Format
Preserving
Fast Slow
Very
slow Fast Fast
Format
Preserving
Dynamic Masking

51. 51
Data sources
Data
Warehouse
Complete policy-
enforced de-
identification of
sensitive data across
all bank entities
Example of Cross Border Data-centric Security using Tokenization
• Protecting Personally Identifiable Information (PII),
including names, addresses, phone, email, policy and
account numbers
• Compliance with EU Cross Border Data Protection
Laws
• Utilizing Data Tokenization, and centralized policy,
key management, auditing, and reporting

52. 52
Access to Data Fields
Low High
High -
Low -
I I
Access to more data fields
User Productivity
Find New Opportunities & Business

53. 53
Data protection techniques: Deployment on-premises and clouds
Data
Warehouse
Centralized Distributed
On-
premises
Public
Cloud
Private
Cloud
Vault-based tokenization y y
Vault-less tokenization y y y y y y
Format preserving
encryption
y y y y y
Homomorphic encryption y y
Masking y y y y y y
Hashing y y y y y y
Server model y y y y y y
Local model y y y y y y
L-diversity y y y y y y
T-closeness y y y y y y
Privacy enhancing data de-identification
terminology and classification of techniques
De-
identification
techniques
Tokenization
Cryptographic
tools
Suppression
techniques
Formal
privacy
measurement
models
Differential
Privacy
K-anonymity
model

54. 54
Legal Compliance and Nation-State Attacks
• Many companies have information that is attractive to governments and intelligence services.
• Others worry that litigation may result in a subpoena for all their data.
Securosis, 2019
Multi-Cloud Key Management considerations
Jurisdiction
• Cloud service providers,
especially IaaS vendors,
offer services in multiple
countries, often in more
than one region, with
redundant data centers
• This redundancy is great
for resilience, but
regulatory concerns
arises
SecuPi

55. 55
A Data Security Gateway can protect sensitive data in Cloud and On-premises

56. 56
Protect data before landing
Enterprise
Policies
Apps using de-identified
data
Sensitive data streams
Enterprise on-prem
Data lifted to S3 is
protected before use
S3
• Applications can use de-
identified data or data
in the clear based on
policies
• Protection of data in
AWS S3 before landing
in a S3 bucket
Protection of data
in AWS S3 with
Separation of Duties
• Policy Enforcement Point (PEP)
Separation of Duties
• Encryption Key Management

57. 57
Protection throughout the lifecycle of data
in Hadoop
Big Data Protector
tokenizes or
encrypts sensitive
data fields
Enterprise
Policies
Policies may be managed
on-prem or Google Cloud
Platform (GCP)
• Policy Enforcement Point
Protected data fields
U
U
U
Big Data Protection with Granular Field Level
Protection for Google Cloud
Separation of Duties
• Encryption Key Managem.

58. 58
Securosis, 2019
Consistency
• Most firms are quite familiar with their on-premises encryption and key management systems, so they often prefer to
leverage the same tool and skills across multiple clouds.
• Firms often adopt a “best of breed” cloud approach.
Multi-Cloud Considerations
Trust
• Some customers simply do not trust their vendors.
Vendor Lock-in and Migration
• A common concern is vendor lock-in, and an
inability to migrate to another cloud service
provider.
• Some native cloud encryption systems do not
allow customer keys to move outside the system,
and cloud encryption systems are based on
proprietary interfaces.
• The goal is to maintain protection regardless of
where data resides, moving between cloud
vendors.
Cloud Gateway
Google Cloud AWS Cloud Azure Cloud

59. 59
20889 IS Privacy enhancing de-identification terminology and
classification of techniques
27018 IS Code of practice for protection of PII in public clouds acting
as PII processors
27701 IS Security techniques - Extension to ISO/IEC 27001 and
ISO/IEC 27002 for privacy information management - Requirements
and guidelines
29100 IS Privacy framework
29101 IS Privacy architecture framework
29134 IS Guidelines for Privacy impact assessment
29151 IS Code of Practice for PII Protection
29190 IS Privacy capability assessment model
29191 IS Requirements for partially anonymous, partially unlinkable
authentication
Cloud
11 Published International Privacy Standards (ISO)
Framework
Management
Techniques
Impact
19608 TS Guidance for developing security and privacy functional
requirements based on 15408
Requirements
27550 TR Privacy engineering for system lifecycle processes
Process
Privacy Standards

60. 60
20547 IS Big data reference architecture - Part 4 - Security and privacy
23491 IS Security techniques - IoT security and privacy - Guidelines for IoT domotics
27006-2 (formerly 27558 IS) TS Information security, cybersecurity and privacy protection
- Requirements audit and certification of privacy information management systems
27030 IS Security and Privacy for the Internet of Things
27045 IS Big data security and privacy - processes
27046 IS Big data security and privacy - Implementation guidelines
27402 IS IoT security and privacy - Device baseline requirements
27551 IS Requirements for attribute-based unlinkable entity authentication
27555 IS Guidelines on Personally Identifiable Information Deletion
27556 IS User-centric framework for the handling of personally identifiable information
(PII) based on privacy preferences
27557 IS Organizational privacy risk management
27559 IS Privacy-enhancing data de-identification framework
27560 TS Privacy technologies – Consent record information structure
27570 TS Privacy Guidelines for Smart Cities
29184 IS Online privacy notices and consent
31700 IS Consumer Protection - Privacy-by-design for consumer goods and services
Privacy Standards
Big Data
Framework
Risk
Design
Consent and
Deletion
Smart Cities
IoT
Authentication
Audit
16 International Privacy Standards in development (ISO)

61. 61
ÖÄaaz332Ücß4ÖbÄ26zn
ANO3562/高野ブルーノ
as8d7eonb435DB6jk450
АБВГДЕЖЗИЙКЛМAНОПФ
‫צ‬ ‫ץ‬ ‫פ‬ ‫ף‬ ‫נ‬ ‫ן‬ ‫מ‬ ‫חי‬ ‫ד‬ ‫ג‬ ‫ב‬ ‫א‬
Thank You!
Ulf Mattsson
Chief Security Strategist
www.Protegrity.com