As cloud-based technology infrastructure has become the norm and not the exception, XaaS (anything-as-a-service) terms such as software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) are now part of the everyday technology lexicon. XaaS is based on the recognition that setting up, running, and maintaining infrastructure, systems, processes, and policies in-house is less efficient than running them from the cloud. It’s not surprising that privacy-as-a-service is now a thing and is increasingly seen as a smart alternative for managing privacy risks. Privacy-as-a-service is also referred to as data-privacy-as-a-service (DPaaS) to avoid confusion with the more established acronym for platform-as-a-service.
Unlike most other XaaS, DPaaS can have a technology and a non-technology component. On the technology side, DPaaS may comprise a SaaS platform where compliance software, consent management, and disclosure notices are combined to give individuals or organizations a managed privacy service that improves transparency and user control.
On the non-technology end, an organization may contract third-party privacy experts who serve as data protection officers and provide guidance on privacy matters through privacy impact assessments and privacy by design. Note that a privacy-as-a-service solution can be technology only or non-technology only. It doesn’t have to have both.
Data privacy more important than ever
Data privacy has always been a big deal, but the ubiquity of information technology in the workplace and at home has brought privacy into sharper focus than ever before. This has been further compounded by the growing sophistication of cyberattacks that threaten the confidentiality of user information. Now consumers, regulators, shareholders, and other stakeholders have high expectations of businesses in the protection of user data.
Many organizations and individuals have come to the realization that they cannot continue with their current privacy protection model if they want to adhere to the highest standards of privacy compliance. The digital footprint of an organization or individual is complicated, which makes it increasingly difficult to keep track of privacy risks manually. One could have user accounts on various platforms, which makes managing and keeping track of the associated privacy concerns a precarious endeavor. Privacy-as-a-service is thus on track to be the preferred approach to privacy management.
Regulators driving higher privacy standards
Regulators have stated and signaled that organizations must evolve their data protection regime and give greater power to users. The EU has been most explicit thanks to the General Data Protection Regulation (GDPR) that came into force in May 2018.
The U.S. is making its own push for new data protection legislation at the federal and state level. For instance, the California Consumer Privacy Act (CCPA) gives consumers the right to hire a privacy advocate who would serve as their authorized agent on data privacy matters.
Data protection officers via DPaaS
The GDPR has pushed multinational organizations to engage data protection officers (DPOs) with the requisite experience. The DPOs are tasked with driving an enterprise-wide privacy program in line with the regulation’s Article 37.
Whereas an organization could opt to either hire DPOs or designate internal staff to run the privacy program, the pace at which data collection, processing, and sharing occur is often too fast to accommodate the gradual learning curve of someone without the appropriate experience.
In addition, the GDPR requires that the person tasked with data protection not hold another role that could introduce a conflict of interest in the discharge of their duties. Third-party DPOs are a form of non-technological DPaaS and a practical solution in this regard.
The privacy startup Jumbo, for instance, charges individual or corporate users a small fee to access its privacy management app. The app allows users to manage their privacy settings on major platforms such as Google, Facebook, and Amazon. It scans accounts you log into via its app and then analyzes what the current privacy settings are. Step by step, it walks you through the process and gives you the option to leave data unchanged, delete histories, revoke permissions, and more.
Right to privacy at a price?
Privacy-as-a-service is not without critics. Some privacy and civil rights advocates worry that premium DPaaS could soon become another playground that highlights the stark contrast between the haves and have-nots. Privacy is a human right as acknowledged by the United Nations, even though the right to privacy is of varying strength in different jurisdictions. The U.S., for instance, doesn’t have substantial privacy law at the federal level, whereas state laws vary considerably.
With premium DPaaS offerings like Jumbo requiring a subscription fee for full access to their spectrum of privacy management features, the fear of DPaaS critics is that freedom from government and corporate surveillance could cease being free. Putting a price tag on privacy control is unsettling for people who view privacy as primarily the responsibility of the organizations entrusted with the information as opposed to the users themselves.
Premium DPaaS just one example of the money divide
The divide between haves and have-nots isn’t something that is being introduced by DPaaS technology as such. Consumers and organizations have for decades paid to access certain security services such as virtual private networks (VPNs). Premium password managers have allowed users to stay on top of their login credentials across a wide range of platforms.
There has always been a financial barrier to access certain security-enhancing technologies, and dealing with this would have to go well beyond just addressing DPaaS on its own.
Privacy-as-a-service bound to become a central part of future privacy management
Technology platforms are collecting growing volumes of data in order to improve customer service, customize marketing, and enhance their product offering. Users will provide this information with the expectation that it will better their experience.
However, users are demanding greater transparency about these platforms’ privacy policies and may need external help to stay on top of their privacy concerns. DPaaS is bound to be a key avenue in the future as organizations seek to rebuild or maintain customer trust in the face of data breaches, data sharing, or data usage.