Slides from my May 6 webinar "Evolving international privacy regulations and cross border data transfer 2021"

1. 1
1
Evolving International Privacy
Regulations and Cross Border
Data Transfer
- GDPR under "Schrems II"

2. 2
Agenda
1. Convergence ofdataprivacyprinciples,standardsandregulations
2. General DataProtectionRegulation(GDPR)
3. GDPRandCaliforniaConsumerPrivacyAct (CCPA)
4. Whatroledoestechnologiesplayin compliance
5. Use Cases

3. 3
This is What Your Peers AreSaying

4. 4
Risk AversionIs Common

5. 5
What is Privacy?
Privacy
/ˈprīvəsē/
Definedin Generally AcceptedPrivacyPrinciples (GAPP)as
“therightsandobligationsofindividualsandorganizationswithrespect tothecollection, use, retention,disclosure, and disposal of
personal information.”

6. 6
Organization’s Top PrivacyRisk Concerns

7. 7
Lessons Learned

8. 8
Source:Gartner
Balance
Protect datain ways that are transparent tobusiness processes and compliant toregulations
Opportunities
Risk Management
Policies Balance Breaches
Regulations
Controls

9. 9
9
Governance Trends
Source:Gartner
Data SecurityGovernanceFramework
Data &Security GovernanceMust Converge

10. 10
10
Organization’sRisk Context of Privacy
Source:Gartner

11. 11
11
What Are Others Spending on Security?

12. 12
12
Trends in Privacy
Regulations

13. 13
Which of the FollowingAspects of Data Privacy AreYou Particularly
Concerned About?
13
FTI Consulting—Corporate
Data Privacy Today, 2020

14. 14
FactorsImpactingInformation SecurityFunctions in Three to Five
Years
14

15. 15
Legal andRegulatory Risks are Exploding
15

16. 16
PrivacyRegulations
Sweden, TheDataAct, a nationaldataprotectionlaw wentinto effectin
1974
India is passinga comprehensivedataprotectionbill that
includeGDPR-likerequirements
Finland's Data ProtectionAct
Japanimplementschangesto domesticlegislationto strengthen
privacy protectionin thecountry
Brazil passinga comprehensivedataprotectionregulation
similarto GDPR
1970, Germany passedthe firstnationaldataprotection
law, firstdataprotectionlaw in the world
TheNew York PrivacyAct wasintroducedin 2019
Source:Forrester
CCPA'simpact is expectedto beglobal
(12+ %), given California'sstatusasthe
fifth largestglobal economy
GDPR'simpactis expectedtobeglobal

17. 17
Data and SecurityGovernance(DSG) Converge
Source:Gartner

18. 18
The Evolution of Privacy Regulations at an AggressiveRate

19. 19
How Many Privacy Laws Are You Complying With?
Source:IAPP
GeneralDataProtectionRegulation(EU) 2016/679(GDPR)isaregulationin EU lawondataprotectionandprivacyintheEuropeanUnion(EU)
andtheEuropeanEconomic Area(EEA). ItalsoaddressesthetransferofpersonaldataoutsidetheEU and EEA areas.
CaliforniaConsumerPrivacyAct ( CCPA)isabill thatenhancesprivacyrightsandconsumerprotectionforresidents
ofCalifornia,UnitedStates.
By Region

20. 20
20
General DataProtection
Regulation (GDPR)

21. 21
GDPR Year 1: Numbers

22. 22
Failureto Comply . . .
What are the Consequences ?
• Companies liable fora fine ofup tofourper cent (4%) oftheir global turnover with a maximum fine of~$25Million USD. This is for non-compliance with no
data breach!
• The principles ofprotection should apply toany information concerning an identified or identifiable person.
• To determine whether a person is identifiable, account should betaken of allthe means likely reasonably to beused either by the controller orby any
other person toidentify the individual.
• Theprinciples of dataprotection should notapplytodata rendered anonymous in such a way that the datasubject is no longer identifiable.
Why What How

23. 23
GDPR — Data ProtectionPrinciples(Article5)
• Personal data shall beprocessed lawfully, fairly and in a transparent mannerinrelation to the data subject
• Collected for specified, explicit and legitimate purposes only
• Adequate, relevant and limited to what is necessary in relation to thepurposes for which theyareprocessed (‘data minimization’)
• Accurateand, wherenecessary, kept up to date, erased or rectified without delay
• Kept ina form whichpermits identification of data subjects for nolonger than is necessary for thepurposes for which the personal data
are processed
• Processed in a mannerthat ensures appropriate security of the personal data
88Pages(99Articles) of Detailed DataProtectionRequirements

24. 24
GDPR under "Schrems II" – Lacking “Additional Safeguards”
https://www.jdsupra.com/legalnews/navigating-eu-data-transfers-effects-of-8348955/
X
• InMarch2021,the Bavarian DPA found therewas an unlawfultransfer
of personal data from a Germancontroller to the e-mail marketing
service Mailchimp inthe U.S.
• Failedtoassess whetheranysupplementarymeasures wereneededin
relationtothetransferofpersonaldatatoMailchimp.
• InApril 2021,the PortugueseDPA ordered a public authority to suspend
all transfers of personal data to the U.S. and other thirdcountries.
• Cloudflarewereinsufficienttoprotectthedata(which includedreligiousand
healthdata),andthepartiesdid notimplementany supplementarymeasures
toprovideadequateprotectionforthedata.
• Suspend thetransferofdatatotheU.S. oranyotherthirdcountry without
firstestablishingadequateprotectionforthedata.

25. 25
GDPR under "SchremsII“ – France,March2021
• Notransfer of data but nevertheless a risk of access byU.S. authorities because the EU-based processor is a subsidiaryof a U.S. company.
• Thehostingofhealthdatabya company boundbyU.S.lawwasincompatiblewiththeGDPRunder"SchremsII" andviolatedtheprovisionsoftheGDPR, due ontheone hand,
tothepossibilityofatransfertotheU.S.ofthedatacollectedby Doctolibthroughitsprocessor,andontheotherhand,evenin theabsenceofdatatransfer,totheriskofaccess
requestsbyU.S.authoritiestotheprocessor,AWS.
• Thecourtnotedforthepurposesofhostingitsdata, Doctolibuses theservicesoftheLuxemburg company AWSSarl,thedataishostedin datacenterslocatedin France
and inGermany, andthecontractconcludedbetweenDoctolibandAWS Sarldoesnotprovideforthetransferof datatotheU.S.
• However,becauseitisasubsidiaryofacompany under U.S.law,thecourtconsideredAWS Sarlin Luxemburgmay besubject toaccess requestsby U.S. authoritiesin the
frameworkofU.S.monitoringprogramsbasedonArticle702oftheForeignIntelligenceSurveillanceAct orExecutive Order12333.
• Thelevel of protection offered was sufficient due to the manysafeguards
https://iapp.org/news/a/why-this-french-court-decision-has-far-reaching-consequences-for-many-businesses/

26. 26
https://iapp.org/news/a/why-this-french-court-decision-has-far-
reaching-consequences-for-many-businesses/
GDPR under"SchremsII"
Legal safeguards:
• AWS Sarlguarantees in its contract with Doctolib, a French company, that it will
challenge anygeneral access request froma public authority.
Technical safeguards:
• Technically the data hosted byAWS Sarlis encrypted.
• AWS Sarl,a Luxembourg registeredcompany.
• The key is held by a trusted thirdpartyin France, not by AWS.
Other guarantees taken:
• No health data.
• Thedatahostedrelatesonlyto the identificationof individualsforthepurposeof making
appointments.
• Data is deleted after three months.
Doctolib
AWS Sarl
AWS will challenge any general
access request from a public
authority

27. 27
Big Data Protection with GranularFieldLevel Protection for Google
Cloud Protectionthroughout the lifecycleof data in Hadoop
BigData Protectortokenizes or
encryptssensitivedata fields
Enterprise
Policies
Policiesmaybe managedon-
premorGoogleCloudPlatform
(GCP)
PolicyEnforcementPoint
Protecteddatafields
U
Separation of Duties
EncryptionKeyManagem.
Security Officer

28. 28
MajorFinancialInstitution Global UseCase

29. 29
GDPR SecurityRequirements Framework
Encryption and
Tokenization
Discover Data
Assets
Security by
Design
Source:IBM

30. 30
Organizations needs to look at how the datawas captured,whois accountable for it, where it islocated and who has
access.
Data Flow MappingUnder GDPR
• If there is not already a documented workflow in place in yourorganization,it can be worthwhile for a team tobe sent out toidentify how the data
is being gathered.
• This willenable you tosee how your data flow is different from reality and what needs tobedone
Source:BigID

31. 31
Find Your Sensitive Data in Cloud and On-Premise
31
Source:Protegrity

32. 32
RecommendationNo.1

33. 33
GDPRand CaliforniaConsumer Privacy Act (CCPA)

34. 34
GDPRand CaliforniaConsumer Privacy Act (CCPA)

35. 35
Regulatory
Activities
in Privacy
2021
vs
2020
Gartner
The CCPA Effect

36. 36
The CCPA Effect
California Privacy Rights Act (CPRA)
1. On November 3, 2020, Californians voted to approve Proposition 24, a ballot measure
that creates the California Privacy Rights Act (CPRA).
2. The CPRA amends and expands the California Consumer Privacy Act (CCPA).
3. Most of the CPRA’s substantive provisions will not take effect until January 1, 2023,
providing covered businesses with two years of valuable ramp-up time.
4. Notably, however, the CPRA’s expansion of the “Right to Know” impacts personal
information (PI) collected during the ramp-up period, on or after January 1, 2022.
See https://en.wikipedia.org/wiki/2020_California_Proposition_24

37. 37
37
Use Cases & Standards

38. 38
PrivacyStandards
11Published InternationalPrivacyStandards(ISO)
Techniques
Management
Cloud
Framework
Impact
Requirements
Process
20889 IS Privacyenhancingde-identificationterminologyandclassificationoftechniques
27701 IS Securitytechniques-ExtensiontoISO/IEC27001 andISO/IEC 27002 forprivacyinformationmanagement -Requirementsand
guidelines
27018 IS CodeofpracticeforprotectionofPIIinpubliccloudsacting as PIIprocessors
29100 IS Privacyframework
29101 IS Privacyarchitectureframework
29134 IS GuidelinesforPrivacyimpactassessment
29190 IS Privacycapabilityassessmentmodel
29191 IS Requirementsforpartiallyanonymous,partiallyunlinkableauthentication
29151 IS CodeofPracticeforPIIProtection
19608 TSGuidancefordevelopingsecurityandprivacyfunctionalrequirementsbasedon15408
27550 TRPrivacyengineeringforsystemlifecycleprocesses

39. 39
Different Data Protection Techniques
Data Store
DynamicMasking
2-way 1-way
FormatPreserving Computingonencrypteddata FormatPreserving
Tokenization
FormatPreserving
Encryption
(FPE)
HomomorphicEncryption
(HE)
Hashing
Static
Masking
DifferentialPrivacy
(DP)
K-anonymityModel
Random Algorithmic NoiseAdded
Fast Slow VerySlow Fast Fast
Fastest
ClearText
SyntheticData
Derivation
Fast
Anonymization
Of Attributes
Pseudonymization
Of Identifiers

40. 40
Example of Use-Cases & DataPrivacy Techniques
40
Vault-less tokenization Masking
Vault-less tokenization
Gateway
CallCenterApplication
PaymentApplication
Payment Data
Policy,Tokenization,Encryptionand
Keys
Salesforce
Payment
Network
SecurityOfficer
Data Warehouse
AnalyticsApplication
PI* Data
PI* Data
DifferentialPrivacy
AndK-anonymity
Dev/testSystems
PI* Data
VotingApplication
ElectionData
MicrosoftElectionGuard

41. 41
Tokenization
Data Store
DynamicMasking
2-way
FormatPreserving
Tokenization
FormatPreserving
Encryption
(FPE)
Random Algorithmic
Fast Slow
Fastest
ClearText
Pseudonymization
Of Identifiers

42. 42
Randomized Tokenization
Data Store
DynamicMasking
2-way
FormatPreserving Computingonencrypteddata
Tokenization
FormatPreserving
Encryption
(FPE)
HomomorphicEncryption
(HE)
Random Algorithmic
Fast Slow VerySlow
Fastest
ClearText
Pseudonymization
Of Identifiers
Quantum Computers?
• Quantum computers and other strong
computers can break algorithms and patterns
in encrypted data.
• We can instead use random numbers to secure
sensitive data.
• Random numbers are not based on an
algorithm or pattern that computers can break.
Tech giants are building their own machines and
speeding to make them available to the world as a
cloud computing service. In the competition: IBM,
Google, Microsoft, Intel, Amazon, IonQ, Quantum
Circuits, Rigetti Computing

43. 43
Data Store
DynamicMasking
1-way
FormatPreserving
Hashing
Static
Masking
DifferentialPrivacy
(DP)
K-anonymityModel
NoiseAdded
Fast Fast
Anonymization
Of Attributes
Example of Data Generalization
Non-reversable Data Transformations

44. 44
Secure AI– Use Case withSyntheticData
44

45. 45
Original Data
Fully Synthetic Data
Partially Synthetic Data
Artificially generated
new data points
Artificially generated
new data points
Synthetic Data

46. 46
6 Differential PrivacyModels
In differential privacy,the
concern is about privacyas
the relative difference in the
result whether aspecific
individual or entity is
includedin the input or
excluded
Random Differential Privacy
Probabilistic Differential Privacy
Concentrated Differential
Privacy
Approximate Differential Privacy
Computational Differential
Privacy
Multiparty Differential Privacy
Noiseisverylow.
Usedinpractice.
Moreusefulanalysiscanbeperformed.
Well-studied.
Widelyused
Canensuretheprivacyofindividualcontributions.
Aggregationisperformedlocally.
Strongdegreeofprotection.
Highaccuracy
Apuremodelprovidesprotectionevenagainstattackers withunlimitedcomputationalpower.
Canleadtounlikelyoutputs.
Tailoredtolargenumbersofcomputations.

47. 47
Area Timing Focus Comments Use Case: Bank
Requirements Short Internal requirements International regulations
Cloud Short Machine Learning Startwithbasic ML trainingand inference on sensitivedata in cloud
Competition Short Competitive advantage MLand NLP-powered servicescan give banks a competitiveedge
Data
Short Encrypted data Important
Long Synthetic data Computing cost?
Analytics
Medium AML/KYC Whatare otherLarge banks doing?
Short Analytics Initial focus
Short Operational on encrypted data Computing on sensitivedata tothe cloud. Trade-offswithperformance, protection and utility?
Industry Short Industry dialog Workinggroups instandard bodies (ANSI X9, Cloud Security Alliance,Homomorphic Encryption Org)
Model Short Encrypted model Important
Pilot
Short Experimentation Whatare otherLarge banks doing?
Short ScotiaBankCase Study QuerysolutionforAML/KYC
Proven Medium Fastfollower Whatare some proven solutions?
Quantum
Short Homomorphic Encryption post-
Lattice-basedcryptography isa promising post-quantumcryptography family,both in termsof foundational propertiesaswell as itsapplicationto both traditionaland homomorphic
encryption
Medium Quantum Plan forquantum safealgorithms
Long Quantum Plan forquantum MLalgorithms
Sharing Short Secure Multi-partyComputing (SMPC)
Withoutrevealingtheir ownprivateinputsand outputs. Encrypteddata and encryptionkeys never comingledwilecomputationon the encrypted dataisoccurringor an encryption key is
splitintoshares
Solutions
Short Vendor positioning
Nonlinear MLregressionneeded? LinearRegressionisone of the fundamental supervised-ML. Linearand non-linearcreditscoring by combininglogisticregressionand support vector
machines
Short Frameworkintegration Important
3rd Party Long 3rd party integration Miningfirst
TrainingML
Long Federated learning Complicated
Long TEE Emerging

48. 48
Data Protection Techniques:Deploying On-premisesand Clouds
Privacy enhancing data de-identification terminology
and classification of technique
DataWarehouse Centralized Distributed On-premises PublicCloud PrivateCloud
De-identification
techniques
Tokenization
Vault-basedtokenization Y Y
Vault-lesstokenization Y Y Y Y Y Y
Cryptographic Tools
Format preservingencryption Y Y Y Y Y
Homomorphic encryption Y Y Y
Suppression techniques
Masking Y Y Y Y Y Y
Hashing Y Y Y Y Y Y
Formalprivacy
measurementmodels
DifferentialPrivacy
ServerModel Y Y Y Y Y Y
LocalModel Y Y Y Y Y Y
K-anonymity model
L-diversity Y Y Y Y Y Y
T-closeness Y Y Y Y Y Y

49. 49
Example of Cross Border Data-centric Securityusing tokenization
SecurityOfficer
• ProtectingPersonally Identifiable Information (PII), includingnames,
addresses,phone,email, policyand accountnumbers
• Compliance with EU CrossBorderDataProtectionLaws
• UtilizingDataTokenization, andcentralizedpolicy, key management,
auditing,and reporting
Data
Warehouse
Completepolicy-enforcedde-
identificationofsensitivedata
acrossall bankentities
DataSources
AustrianData
GermanData
OtherSource
Data
Austrian
Data
German
Data
Other
Source
Data

50. 50
TheCustomerisResponsiblefor
theDataacrossallCloudService
Models
Shared ResponsibilitiesAcross Cloud Service Models
Source:Microsoft

51. 51
GTP Cloud SecurityCore Topic Coverage

52. 52
AcronymsDefined

53. 53
CloudSecurityLogical Architecture

54. 54
CASBs Are to SaaS as FirewallsAre to Data Centers

55. 55
A Data SecurityGatewayCan Protect Sensitive Data in Cloud and On-
premise

56. 56
Protection of Data in AWS S3 with Separation of Duties
Protect data before
landing
Enterprise
Policies
Appsusingde-identified
data
Sensitivedatastreams
Enterprise
on-prem
Data lifted to S3 is
protected before use
S3
SecurityOfficer
• Applications can use de-identified
data ordata in the clear based on
policies
• Protection ofdata in AWS S3 before
landing in a S3 bucket
PolicyEnforcementPoint(PEP)
Separation of Duties
EncryptionKeyManagement

57. 57
Multi-Cloud Considerations
Source:Securosis,2019
Consistency
• Mostfirmsarequitefamiliarwiththeiron-premises encryptionand key
managementsystems,sotheyoftenprefertoleveragethe same tooland
skills across multipleclouds.
• Firmsoftenadopta “best of breed”cloud approach.
Trust
• Some customerssimplydo nottrusttheirvendors.
Vendor Lock-in and Migration
• A commonconcern is vendorlock-in, andan inabilitytomigratetoanothercloud
serviceprovider.
• Some nativecloudencryptionsystemsdo not allow customer keys to move outside
the system, andcloudencryptionsystemsare basedonproprietaryinterfaces.
• Thegoal is to maintainprotection regardless of where data resides, moving between
cloud vendors.
Cloud Gateway
Google Cloud AWS Cloud Azure Cloud

58. 58
References
1. California ConsumerPrivacyAct, OCT4, 2019, https://www.csoonline.com/article/3182578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
2. GDPR andTokenizing Data,https://tdwi.org/articles/2018/06/06/biz-all-gdpr-and-tokenizing-data-3.aspx
3. GDPR VS CCPA, https://wirewheel.io/wp-content/uploads/2018/10/GDPR-vs-CCPA-Cheatsheet.pdf
4. GeneralDataProtection Regulation, https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
5. IBMFrameworkHelps Clients Preparefor theEU's GeneralDataProtection Regulation, https://ibmsystemsmag.com/IBM-Z/03/2018/ibm-framework-gdpr
6. INTERNATIONALSTANDARDISO/IEC20889,https://webstore.ansi.org/Standards/ISO/ISOIEC208892018?gclid=EAIaIQobChMIvI-k3sXd5gIVw56zCh0Y0QeeEAAYASAAEgLVKfD_BwE
7. MachineLearningandAI in a BraveNewCloud World https://www.brighttalk.com/webcast/14723/357660/machine-learning-and-ai-in-a-brave-new-cloud-world
8. EmergingDataPrivacy andSecurity forCloud https://www.brighttalk.com/webinar/emerging-data-privacy-and-security-for-cloud/
9. NewApplication andDataProtection Strategieshttps://www.brighttalk.com/webinar/new-application-and-data-protection-strategies-2/
10. The DayWhen3rd PartySecurityProviders Disappearinto Cloud https://www.brighttalk.com/webinar/the-day-when-3rd-party-security-providers-disappear-into-cloud/
11. AdvancedPII/PI DataDiscovery https://www.brighttalk.com/webinar/advanced-pii-pi-data-discovery/
12. EmergingApplication andDataProtection forCloud https://www.brighttalk.com/webinar/emerging-application-and-data-protection-for-cloud/
13. Practical DataSecurity andPrivacy forGDPR andCCPA, ISACAJournal,May2020
14. DataSecurity:OnPremise orin theCloud, ISSAJournal,December 2019,ulf@ulfmattsson.com
15. DataPrivacy: De-IdentificationTechniques, ISSAJournal, May2020

59. 59
59
Thank You