
GDPR and evolving international privacy regulations


Convergence of data privacy principles, standards and regulations
General Data Protection Regulation (GDPR)
GDPR and California Consumer Privacy Act (CCPA)
What role do technologies play in compliance
Use Cases


  1. GDPR and Evolving International Privacy Regulations
  2. Agenda
     • Convergence of data privacy principles, standards and regulations
     • General Data Protection Regulation (GDPR)
     • GDPR and California Consumer Privacy Act (CCPA)
     • What role do technologies play in compliance
     • Use Cases
  3. What is Privacy?
     Privacy is defined in Generally Accepted Privacy Principles (GAPP) as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.”
     Sources: "Generally Accepted Privacy Principles (GAPP)", https://www.journalofaccountancy.com/Issues/2011/Jul/20103191.htm; European Union, https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en
  4. Trends in Privacy Regulations
  5. Privacy Regulations
     • Sweden: The Data Act, a national data protection law, went into effect in 1974
     • India is passing a comprehensive data protection bill that includes GDPR-like requirements
     • Finland's Data Protection Act
     • Japan implements changes to domestic legislation to strengthen privacy protection in the country
     • Brazil is passing a comprehensive data protection regulation similar to GDPR
     • 1970: Germany passed the first national data protection law, the first data protection law in the world
     • The New York Privacy Act was introduced in 2019
     • Source: Forrester
     • CCPA's impact is expected to be global (12+ %), given California's status as the fifth largest global economy
     • GDPR's impact is expected to be global
  6. Data and Security Governance (DSG) Converge (Source: Gartner)
  7. The Evolution of Privacy Regulation Continues at an Aggressive Rate
  8. TrustArc: Legal and regulatory risks are exploding
  9. IAPP: How many privacy laws are you complying with?
     • General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
     • California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States.
  10. General Data Protection Regulation (GDPR)
  11. Failure to Comply... What are the Consequences?
      • Companies liable for a fine of up to four per cent (4%) of their global turnover with a maximum fine of ~$25 Million USD. This is for non-compliance with no data breach!
      • The principles of protection should apply to any information concerning an identified or identifiable person.
      • To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual.
      • The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
      Diagram labels: Why / What / How
  12. GDPR: Data Protection Principles (Article 5)
      • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
      • Collected for specified, explicit and legitimate purposes only
      • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)
      • Accurate and, where necessary, kept up to date, erased or rectified without delay
      • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
      • Processed in a manner that ensures appropriate security of the personal data
      88 Pages (99 Articles) of detailed data protection requirements
  13. GDPR Security Requirements Framework (Source: IBM)
      • Encryption and Tokenization
      • Discover Data Assets
      • Security by Design
  14. Data flow mapping under GDPR (Source: BigID)
      • If there is not already a documented workflow in place in your organization, it can be worthwhile for a team to be sent out to identify how the data is being gathered.
      • This will enable you to see how your data flow is different from reality and what needs to be done.
      • Organizations need to look at how the data was captured, who is accountable for it, where it is located and who has access.
  15. GDPR and California Consumer Privacy Act (CCPA)
  16. GDPR and California Consumer Privacy Act (CCPA)
  17. The CCPA Effect: Regulatory Activities in Privacy Since Jan 2019, Gartner
  18. Use Cases & Standards
  19. Privacy Standards: 11 Published International Privacy Standards (ISO)
      • 20889 IS: Privacy enhancing de-identification terminology and classification of techniques
      • 27018 IS: Code of practice for protection of PII in public clouds acting as PII processors
      • 27701 IS: Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines
      • 29100 IS: Privacy framework
      • 29101 IS: Privacy architecture framework
      • 29134 IS: Guidelines for Privacy impact assessment
      • 29151 IS: Code of Practice for PII Protection
      • 29190 IS: Privacy capability assessment model
      • 29191 IS: Requirements for partially anonymous, partially unlinkable authentication
      • 19608 TS: Guidance for developing security and privacy functional requirements based on 15408
      • 27550 TR: Privacy engineering for system lifecycle processes
      Category labels on the slide: Cloud, Framework, Management, Techniques, Impact, Requirements, Process
  20. Different data protection techniques
      Techniques shown: Differential Privacy (DP), Format Preserving Encryption (FPE), Homomorphic Encryption (HE), K-anonymity model, Tokenization, Static Masking, Dynamic Masking, Hashing
      Diagram labels: 2-way, 1-way, Data store, Algorithmic, Random, Noise added, Computing on encrypted data, Format Preserving, Fast, Slow, Very slow
  21. Data protection techniques: Deployment on-premises and clouds
      Privacy enhancing data de-identification terminology and classification of techniques
      Column labels: Data Warehouse, Centralized, Distributed, On-premises, Public Cloud, Private Cloud
      Rows ("y" marks as they appear on the slide; the column of each mark is not recoverable from the transcript):
      • Vault-based tokenization: y y
      • Vault-less tokenization: y y y y y y
      • Format preserving encryption: y y y y y
      • Homomorphic encryption: y y
      • Masking: y y y y y y
      • Hashing: y y y y y y
      • Server model: y y y y y y
      • Local model: y y y y y y
      • L-diversity: y y y y y y
      • T-closeness: y y y y y y
      Row group labels: De-identification techniques, Tokenization, Cryptographic tools, Suppression techniques, Formal privacy measurement models, Differential Privacy, K-anonymity model
  22. Example of Cross Border Data-centric Security using Tokenization
      • Protecting Personally Identifiable Information (PII), including names, addresses, phone, email, policy and account numbers
      • Compliance with EU Cross Border Data Protection Laws
      • Utilizing Data Tokenization, and centralized policy, key management, auditing, and reporting
      Diagram labels: Data sources; Data Warehouse; Complete policy-enforced de-identification of sensitive data across all bank entities
  23. Shared responsibilities across cloud service models (Source: Microsoft)
      The Customer is Responsible for the Data across all Cloud Service Models
  24. A Cloud Security Gateway (CASB) can protect sensitive data in Cloud (SaaS)
      • Examples of protocols include HTTP, HTTPS, SFTP, and SMTP
      • Based on configuration instead of programming
      • Secures existing web services or REST API calls
      • See and control where sensitive data travels
      Steps:
      1. Install the Cloud Security Gateway in your trusted domain
      2. Select the fields to be protected
      3. Start using Salesforce with enhanced security
      Diagram labels: Policy Enforcement Point (PEP); Protected data fields; Encryption Key Management; Separation of Duties
  25. Protect data before landing: Protection of data in AWS S3 with Separation of Duties
      • Applications can use de-identified data or data in the clear based on policies
      • Protection of data in AWS S3 before landing in an S3 bucket
      Diagram labels: Enterprise Policies; Apps using de-identified data; Sensitive data streams; Enterprise on-prem; Data lifted to S3 is protected before use; S3; Policy Enforcement Point (PEP); Separation of Duties; Encryption Key Management
  26. Protection throughout the lifecycle of data in Hadoop: Big Data Protection with Granular Field Level Protection for Google Cloud
      • Big Data Protector tokenizes or encrypts sensitive data fields
      • Policies may be managed on-prem or Google Cloud Platform (GCP)
      Diagram labels: Enterprise Policies; Policy Enforcement Point; Protected data fields; Separation of Duties; Encryption Key Managem.
  27. Multi-Cloud Considerations (Securosis, 2019)
      Consistency
      • Most firms are quite familiar with their on-premises encryption and key management systems, so they often prefer to leverage the same tool and skills across multiple clouds.
      • Firms often adopt a “best of breed” cloud approach.
      Trust
      • Some customers simply do not trust their vendors.
      Vendor Lock-in and Migration
      • A common concern is vendor lock-in, and an inability to migrate to another cloud service provider.
      • Some native cloud encryption systems do not allow customer keys to move outside the system, and cloud encryption systems are based on proprietary interfaces.
      • The goal is to maintain protection regardless of where data resides, moving between cloud vendors.
      Diagram labels: Cloud Gateway; Google Cloud; AWS Cloud; Azure Cloud
  28. Major Financial Institution Global Use Case
  29. Where does data protection technology play? GDPR and more
      1. Think “Privacy by Design” and building data privacy controls into all application development
      2. Create a continuity/action plan for data breaches
      3. Ensuring accountability for data breaches is understood by all employees/contractors
      4. Design data privacy into products and services
      5. Consider the legal basis of how you use PII
      6. Create or Update appropriate privacy notices and policies
      7. Prepare for subject data requests from anyone providing PII
      8. Formalizing who is responsible when data is transferred or processed
      9. Setting up a framework that ensures you have a legitimate reason for transferring PII to countries with less stringent data protection rules
      10. Review Generally Accepted Privacy Principles, start adhering to them in everything you do
      11. Hire or Assign a Data Protection Officer (DPO)
  30. Thank You!

Editor's notes

  • Protect PII Data Cross Border.
    Achieve compliance while moving or outsourcing data, even between countries. Data residency issue solved.
    Example: A major bank performed a consolidation of all European operational data sources. This meant protecting Personally Identifiable Information (PII) in compliance with the EU Cross Border Data Protection Laws. In addition, they required access to Austrian and German customer data to be restricted to only people in each respective country.
    CHALLENGES
    The primary challenge was to protect PII – names and addresses, phone and email, policy and account numbers, birth dates, etc. – to the satisfaction of EU Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated at the Italian HQ.
    RESULT
    Complete policy-enforced de-identification of sensitive data across all bank entities
    End-to-end data protection from geographically distributed bank entities to HQ
    All existing data secured at a granular level
    Achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany
    Implemented country-specific data access restrictions
    Extremely high throughput of data Source
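
The cross-border case in these notes (PII tokenized at each bank entity, with clear-text access to Austrian and German customer data restricted by country) can be expressed as vault-based tokenization under one central policy. This is an added example, not code from the presentation or from the bank's deployment; the `TokenVault` class, the role names, the field names and the records are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Vault-based tokenization with country-scoped detokenization (illustrative)."""
    def __init__(self, policy):
        self._policy = policy                 # role -> countries readable in clear
        self._key = secrets.token_bytes(32)   # keys the lookup index only
        self._by_token = {}                   # token -> (country, field, value)
        self._by_digest = {}                  # HMAC(value) -> token, for stable tokens
        self.audit = []                       # central record of every access decision

    def tokenize(self, country, field, value):
        msg = f"{country}|{field}|{value}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        token = self._by_digest.get(digest)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from value
            while token in self._by_token:          # regenerate on a collision
                token = "tok_" + secrets.token_hex(8)
            self._by_digest[digest] = token
            self._by_token[token] = (country, field, value)
        return token

    def detokenize(self, token, role):
        country, field, value = self._by_token[token]
        allowed = country in self._policy.get(role, set())
        self.audit.append((role, country, field, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{role} may not read {country} data in clear")
        return value

def protect_record(vault, record, pii_fields):
    """Tokenize PII fields at the source entity, before the record is consolidated."""
    return {k: vault.tokenize(record["country"], k, v) if k in pii_fields else v
            for k, v in record.items()}

# Constructed policy and records (assumptions, not data from the presentation).
POLICY = {"analyst_at": {"AT"}, "analyst_de": {"DE"}, "hq_reporting": set()}
PII_FIELDS = {"name", "account"}
SOURCE_RECORDS = [
    {"country": "AT", "name": "Anna Gruber", "account": "AT-0001", "balance": 1200},
    {"country": "DE", "name": "Max Bauer", "account": "DE-0002", "balance": 800},
]

def consolidate():
    vault = TokenVault(POLICY)
    return vault, [protect_record(vault, r, PII_FIELDS) for r in SOURCE_RECORDS]
```

The consolidated rows keep non-PII columns usable for reporting, while every detokenization request is decided and logged in one place.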
