Your company, a global retailer subject to GDPR, stores transactional data in a BigQuery table called customer_orders that has the columns order_id, item_id, customer_email, credit_card_hash, and amount. Marketing analysts must be able to run ad-hoc SQL on every column except customer_email and credit_card_hash, while the Risk team needs unrestricted access. The solution must scale so that any new columns later classified as PII are automatically protected without rewriting queries or creating additional tables. How should you implement this in BigQuery?
Move customer_email and credit_card_hash into a separate BigQuery table, restrict access to that table to the Risk team, and let Marketing query the remaining columns in the original table.
Build an authorized view that omits the customer_email and credit_card_hash columns, share the view with Marketing analysts, and share the underlying table directly with the Risk team.
Encrypt only the customer_email and credit_card_hash columns with customer-managed encryption keys (CMEK) and provide the decryption key to the Risk team but not to Marketing analysts.
Create a Data Catalog taxonomy with a PII policy tag, attach the tag to customer_email and credit_card_hash, grant the Risk group permissions to read that policy tag and the dataset, and give Marketing only dataset-level BigQuery read access without tag permission.
BigQuery enforces column-level security through policy tags that live in Data Catalog taxonomies. By tagging each sensitive column with a PII policy tag and granting access to that tag only to the Risk group (via the Data Catalog Fine-Grained Reader or BigQuery Data Policy User role), you ensure that the Risk group can query the protected columns while Marketing, which has dataset-level read rights but no access to the tag, cannot. When new PII columns are added, attaching the same policy tag immediately protects them, so no views or table restructuring is required. Row-level security filters rows, not columns. Splitting tables or using authorized views would work but require ongoing schema maintenance. Per-column encryption with customer-managed keys is not natively enforced by BigQuery for column masking and would block all users without the key, not only Marketing.
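The protection described above only holds for columns that actually carry the policy tag, so a schema audit is a useful check. The following is an added example, not part of the original question: it walks a BigQuery schema (same shape as a schema JSON file) and reports classified-PII columns that lack the tag. The tag resource name is a placeholder, and the shipping record, the loyalty_id name and the PII list are constructed assumptions.

```python
# Added example: audit a BigQuery schema for classified-PII columns lacking the policy tag.
# The tag resource name is a placeholder; the schema and PII list are constructed samples.
PII_TAG = ("projects/PROJECT_ID/locations/LOCATION/"
           "taxonomies/TAXONOMY_ID/policyTags/POLICY_TAG_ID")

# Same shape as a BigQuery schema JSON file; the shipping RECORD is a constructed addition.
SAMPLE_SCHEMA = [
    {"name": "order_id", "type": "STRING"},
    {"name": "item_id", "type": "STRING"},
    {"name": "customer_email", "type": "STRING", "policyTags": {"names": [PII_TAG]}},
    {"name": "credit_card_hash", "type": "STRING"},          # tag forgotten
    {"name": "amount", "type": "NUMERIC"},
    {"name": "shipping", "type": "RECORD", "fields": [
        {"name": "phone", "type": "STRING"},                  # newly classified PII
        {"name": "country", "type": "STRING"},
    ]},
]
# Columns the organisation has classified as PII (constructed list).
CLASSIFIED_PII = {"customer_email", "credit_card_hash", "shipping.phone", "loyalty_id"}


def leaf_tags(fields, prefix=""):
    """Map each leaf column path (dotted for nested fields) to its policy tag names."""
    out = {}
    for field in fields:
        path = prefix + field["name"]
        if field.get("fields"):  # RECORD: descend to the nested leaves
            out.update(leaf_tags(field["fields"], path + "."))
        else:
            out[path] = (field.get("policyTags") or {}).get("names") or []
    return out


def audit(fields, classified_pii, required_tag):
    """Return PII columns missing the tag, and PII names absent from the schema."""
    tags = leaf_tags(fields)
    untagged = sorted(c for c in classified_pii
                      if c in tags and required_tag not in tags[c])
    not_in_schema = sorted(c for c in classified_pii if c not in tags)
    return {"untagged": untagged, "not_in_schema": not_in_schema}


if __name__ == "__main__":
    print(audit(SAMPLE_SCHEMA, CLASSIFIED_PII, PII_TAG))
```

Any column listed under untagged is readable by every principal with dataset-level read access, Marketing included, until the tag is attached.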
GCP Professional Data Engineer
Designing data processing systems