Blog Post:

Container-as-a-Service in the age of Privacy and GDPR

4 minutes

Colette Goodyear

The implementation of the EU’s General Data Protection Regulation (GDPR) in May, 2018 led many companies to examine their data collection and use practices and their relationships with third parties to whom they give data.
Among the items waking data protection officers in the middle of the night in adrenaline-fueled panic attacks were the risks involved in the transfer of personally identifiable information (PII) to third parties.  While GDPR outlined acceptable principles for doing so under appropriate legal agreements, the fact remains that, even with legal protections in place, transferring PII to a third party is a risky business, involving as it does a loss of control of the data.
At the same time, companies are sitting on masses of useful consumer data (a great deal of which is PII) which can guide their marketing and advertising decisions.  This data may have been collected as a result of consumer transactions, visits to a company webpage or YouTube channel, or replies to a company’s tweets.
While GDPR made the headlines, privacy laws in other countries follow the “privacy by design” principles underpinning GDPR.  They too contain provisions for the appropriate collection, use and transfer of data, including ones which mandate that the company is responsible for ensuring that any third parties to whom it transfers data has signed a robust legal agreement which will protect such data.  Highly regulated verticals such as health, finance and education sectors also place strict controls over the transfer of PII to third parties and its use.
Typically, in a pure SaaS arrangement, the customer hands over its data, including any PII, to the data analytics firm.  The customer’s authorized users may be the only individuals accessing the data but it is entered into the data analytic firm’s application and is stored on its platform, which leads to privacy and security concerns.  The data is no longer completely under the control of the customer.  In addition to ensuring that it has handed over this data to a reputable firm which will treat it with the appropriate safeguards, the customer is still accountable for this information to the individuals from whom it has collected it.
What if a company didn’t have to transfer the data?  What if the data remained where it was, secure within a company’s own platform?  What if the analytics application came to the company?
Enter CaaS: container-as-a-service.
With CaaS, the application (in this case, the Affinio Services) may be containerized and dropped anywhere the customers wants it to be dropped—in a customer’s private or public cloud, or behind a customer’s firewall for example.
While containerization at first sounds like the old-fashioned on-premise solution, with all of its attendant problems of support, maintenance, upgrading etc., there are significant differences.  Containerized applications are more agile and upgrade easily.  They are portable and unlikely to “break” no matter what cloud or hosting provider is used—or what they get moved to.  They are flexible and sometimes offer the ability to use only certain tools and features of an application.
But just as importantly, CaaS may be a solution to a company’s very real concerns about the privacy and security of the PII it has collected, while at the same time allowing the company to realize the value of such information.
So what is the difference from a data privacy perspective?  In a word:  control.   The containerized application runs on the company’s choice of platform, not the vendor’s.  The data does not leave the company’s platform.
Companies retain control over who has access to their data and how it is used. Companies can ensure that they are using their data only for the purposes for which it has been collected, and that it is not being re-sold or aggregated with data belonging to other customers of their vendors.  This enables better and more accurate responses to data subject requests, whether the request concerns use of the data, with whom it had been shared, or the quality and accuracy of the data.
Companies retain control over the accuracy and eventual deletion of their data—whether that deletion occurs because of a data subject request or because the data is no longer needed for the purpose for which it has been collected.
Companies retain control over the security of their data.  The application is behind their firewall or in their cloud.  The data doesn’t leave their environment and is not transferred to a third party.
These are all important considerations under GDPR and other privacy laws, including the California Consumer Privacy Act.
With control comes greater compliance and less risk.   And CaaS offers the same scalability and ease-of-use as a SaaS-based application, without the drawbacks of on-premise software or a pure hosted SaaS solution.
At Affinio, we understand that our customers are concerned about their data in a rapidly changing, more onerous legal and regulatory environment.  We have been looking at ways to help our customers lessen their data protection risk and comply with more stringent requirements surrounding use of data while also enabling them to unlock the value in their data.  We expect that CaaS will pave the way to a highly efficient, easily deployable and scalable Affinio Service which gives the customer peace of mind and continued control over their data.
Stay tuned.