Data Privacy Conference

Data Privacy Conference

On building privacy in engineering and product processes.

Make a submission

Submissions are closed for this project

The first edition of the Data Privacy Conference was held between 23 and 29 April 2021.

The conference featured talks and discussions around:

  1. Processes for doing compliance and building privacy features in large and growing organizations.
  2. Case studies of compliance, mainly GDPR and related practices of data anonymization and data deletion.
  3. Using technology to handle processes for handling Personally Identifiable Information (PII); evaluation of developer tools that organizations use for governing access to PII and sensitive data - and whether to build, rent or buy these.
  4. End-to-end encryption - technology and policy debates; practical applications.
  5. Privacy preserving practices in consumer technology - netbanking and Android and mobile.
  6. Cloud security practices; multi-geography compliance with cloud.

Speakers from LinkedIn, Whatsapp, Hotstar, Mozilla, Zerodha, ThoughtWorks, Appsecco, Gojek and other organizations shared their experiences, and demonstrated how the combination of ‘intent, process, resources and technology’ come together to help companies build privacy-respecting products.

Watch the talks on https://hasgeek.com/rootconf/data-privacy-conference/videos

Participants in the conference included:

  1. SRE, DevSecOps and DevOps teams working with legal and compliance teams to heavy-lift operations around privacy and compliance.
  2. Product managers building secure and compliant systems.
  3. Business and engineering heads of organizations which deal with large volumes of consumer data on a regular basis.
  4. Representatives early to mid-stage fintech companies which are evolving systems to handle petabytes of data securely in compliance with larger governance laws.
  5. Consultants working on cloud and security; pricacy and compliance.

Contact information: Join the Rootconf Telegram group on https://t.me/rootconf or follow @rootconf on Twitter.
For inquiries, contact Rootconf on rootconf.editorial@hasgeek.com or call 7676332020.

Hosted by

Rootconf is a forum for discussions about DevOps, infrastructure management, IT operations, systems engineering, SRE and security (from infrastructure defence perspective). more

Supported by

Zeta® is in the business of providing a full-stack, cloud-native, API first neo-banking platform including a digital core and a payment engine for issuance of credit, debit and prepaid products that enable legacy banks and new-age fintech institutions to launch modern retail and corporate fintech p… more

Promoted

We’re the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. As a hyperscale cloud service provider, AWS provides access to highly advanced computing tools on rent for startups and SMEs at affordable prices. We help t… more
Omidyar Network India invests in bold entrepreneurs who help create a meaningful life for every Indian, especially the hundreds of millions of Indians in low-income and lower-middle-income populations, ranging from the poorest among us to the existing middle class. To drive empowerment and social i… more
about.fb.com
Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Rohan Prabhu

@rohanprabhujupiter

Our approach to PII/SPDI redaction

Submitted Mar 2, 2021

Abstract By regulation and more so by a moral obligation, Jupiter is required to safeguard the privacy of its customers. As providers of financial services, we are often entrusted with information that could be extremely private to users, of a sensitive nature and at the same time can be used to personally identify them by a single data element. Dealing with an engineering stack that builds upon a number of microserves and subsystems, reliant on an equally large number of data storage systems - brings about its own challenges when it comes to governance of customer’s private data. In this talk we would like to give a walkthrough of the solution that Jupiter implemented to solve this problem and to massively reduce the number of systems that would interact with actual, raw PII/SPDI (Personally Identifying Information/Sensitive Personal Data or Information) so that monitoring of access and data control could be achieved with a higher degree of operational confidence.

We would be talking about the basic requirements around PII/SPDI protection as an industry requirement:
1. What does the law/regulation say about PII/SPDI
2. What did our partners need from us when it came to protecting customer data

In terms of engineering:
1. How can we implement a solution that induces little to no developer friction - the aim here was not just making it easy for developers to integrate PII/SPDI redaction; having an intrusive process with multiple touchpoints would make a human error that much more likely, which could end up being a potential point of breach
2. The same code should work with PII/SPDI redaction switched off as it does with redaction switched on
3. How are we ensuring that we are still able to maintain semantics of lookup, uniqueness of certain data elements, specifically the ability to use certain data elements as primary keys for user centric data
4. How we are handling multiple partners wanting their customers data to be stored isolated from other partners, with encryption using keys that are provisioned specifically for them
5. Why we chose to work at the serialization layer to implement PII/SPDI redaction

And in terms of where we see this going:
1. What are the limitations and caveats of the current system
2. Ideas to explore - Is it possible to do this at a service mesh level? Proxy level? At a gateway, maybe - our thoughts and musings on this topic

Slide Deck https://docs.google.com/presentation/d/1Kb5AZZoEazKoRPx6N2FLe3fAb9mFlhZziU_A8z-ICbk/edit?usp=sharing

Comments

{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Suman Kar

Netbanking fails

Security is hard. Designing user experience (UX) around security is harder. Yet almost everyday, we are forced to make security related decisions across multiple connected devices we own. Sometimes we make these choices for ourselves, and sometime we impose our choices subtly on others with whom we share these devices. Proliferation of personal IoT devices exacerbates this problem, and in some ca… more

08 Feb 2021