A global retailer ingests daily sales transactions into BigQuery. Customer email addresses and phone numbers must not be visible to analysts at partner companies, yet those partners need to join multiple days of data on the same customers to calculate repeat-purchase metrics. To satisfy GDPR requirements, the retailer wants a managed solution that irreversibly replaces the sensitive fields while preserving deterministic joinability across data sets. Which approach best meets these needs?
Rely on BigQuery column-level access controls to hide the email and phone columns from partner accounts.
Run Cloud DLP to perform deterministic cryptographic tokenization of the email and phone fields using a customer-managed key before loading each day's files.
Store the PII columns in a separate Cloud SQL instance and share only integer foreign keys with partners.
Enable Customer-Managed Encryption Keys (CMEK) on the BigQuery dataset so the PII remains encrypted when shared with partners.
Cloud Data Loss Prevention (DLP) can de-identify sensitive data by applying deterministic cryptographic transformations. When you configure a CryptoDeterministicConfig with a customer-managed (or external) key, DLP replaces each instance of the identified PII with a stable surrogate token: the same input value always maps to the same output, enabling joins across data sets. Because reversing the transformation requires the key, partners cannot recover the original PII, meeting GDPR data-minimization requirements.
Merely encrypting the BigQuery dataset with CMEK protects data at rest but still exposes clear-text PII to anyone who can query the table. Column-level access controls would block partners from seeing the identifiers entirely, preventing the required joins. Off-loading PII to Cloud SQL and sharing foreign keys would still leave linkage information exposed and complicate operations without providing managed tokenization. Therefore, deterministic tokenization with Cloud DLP and a customer-managed key is the correct solution.
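The join property described above, as an added example that is not from the original page or from Google's code: it tokenizes two constructed daily extracts and joins them on the token, and shows why values need canonicalizing first. Assumptions: HMAC-SHA256 is a one-way stand-in for the keyed transformation (it is not Cloud DLP's algorithm), and every function name, the token format and the sample rows are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: two daily sales extracts (email, phone, amount).
DAY_1 = [("alice@example.com", "+1-555-0100", 30.0),
         ("bob@example.com", "+1-555-0101", 12.5)]
# Same customer as day 1, but the email arrives with different case and a stray space.
DAY_2 = [("Alice@Example.com ", "+1-555-0100", 18.0),
         ("carol@example.com", "+1-555-0102", 40.0)]

def normalize(value: str) -> str:
    """Canonicalize before tokenizing; case/space variants would otherwise split one customer."""
    return value.strip().lower()

def tokenize(key: bytes, field: str, value: str) -> str:
    """Stand-in deterministic keyed token (HMAC-SHA256).

    Assumption: not Cloud DLP's algorithm; it only reproduces the
    'same key + same input -> same token' property. Token format is constructed.
    """
    msg = f"{field}:{normalize(value)}".encode()
    return f"{field}_{hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]}"

def deidentify(rows, key: bytes):
    """Replace email and phone with tokens; keep the non-sensitive amount."""
    return [(tokenize(key, "email", e), tokenize(key, "phone", p), amt)
            for e, p, amt in rows]

def repeat_customers(day_a, day_b):
    """Partner-side join: email tokens present in both de-identified extracts."""
    return {row[0] for row in day_a} & {row[0] for row in day_b}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real key stays in the key manager
    d1, d2 = deidentify(DAY_1, key), deidentify(DAY_2, key)
    print("repeat customers:", repeat_customers(d1, d2))
    # Tokens made under a different key do not line up, so the join yields nothing.
    other = deidentify(DAY_2, b"a-different-key")
    print("cross-key overlap:", repeat_customers(d1, other))
```

The join works only while every day's load uses the same key and the same canonicalization, so both need to be fixed before the first extract is shared.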
GCP Professional Data Engineer
Designing data processing systems