Consumer data privacy, the cloud, and common pitfalls: Q&A with Aiven CTO
When it comes to consumer data privacy issues, how secure are cloud-based solutions versus on-premise? What are common pitfalls where businesses might slip up?
We spoke with Heikki Nousiainen, CTO and co-founder of advanced cloud management provider Aiven to discuss recent developments in the consumer data privacy space, benefits, and misconceptions about the cloud, and where businesses are at risk of slipping up.
CZ: Why are we seeing such a sudden rise in consumer data privacy regulations?
HN: I think the main reason for calls on consumer data regulation is two-fold:
First, the most direct and reactive one: there have been very high profile cases of data breaches where massive amounts — millions and millions — of consumer identifiable and sensitive data has been leaked: names, addresses and perhaps most worrying, credit card information as well.
The second, deeper, and longer-running thread is the growing unease of people as they start to realize just how much data about their individual behavior is collected and used as well as the power of the algorithms and profiling around that data. As if everything that you do online is recorded and shapes the advertisements and posts you see; every choice, good or bad, adds to the record that is pulled into employment, credit card ratings and so forth.
CZ: Given the wealth of data out there, do you think that the CCPA and GDPR are cases of “too little, too late”?
HN: I think the privacy regulation is extremely important in setting the policy: how corporate and consumer interests are weighed against one another.
The regulation will define the boundaries of the expectations on just how data can be collected and used, and give important rights back to consumers in relation to their right to privacy.
CZ: Do you think these regulations will be rigorously policed or is it more about having good intentions?
HN: As we’ve seen with the GDPR in Europe, the strongest push for enforcing the new regulation will come from consumer advocacy groups. Those groups push to ensure companies have the right policies, processes and clear consent for data usage in place.
But of course, such advocacy groups focus on the most high profile companies first. On another track, should we see any high profile data breaches, those would of course be investigated thoroughly.
In any case, it will take some years until the legal landscape settles and we have the courts’ interpretation on the details of the enacted regulation.
On the other hand, companies that actively promote consumer rights do have a distinct opportunity to differentiate themselves in the market, and to gain a competitive advantage.
CZ: Many people we’ve spoken to still think that the cloud is less secure than other alternatives. Why does this perception still exist? And why is it false?
HN: I believe that time has already passed: I would claim cloud is more secure than running your workloads on-premise or in private data centers.
And this is mostly a resourcing issue: cloud and SaaS providers — such as Aiven — consider Information Security a true first-class strategic asset, and invest significant amounts in ensuring the operations are secure. To demonstrate that commitment to security, Aiven and the major cloud providers operate under attested SOC 2 and certified ISO 27001 compliance.
CZ: What other benefits do cloud-based solutions offer over on-premise hardware?
HN: The most obvious benefit is the operational flexibility: you can spin up services as needed, and scale the same resources up and down within minutes based on actual consumption.
Your services come with 24/7 monitoring, and a team that will pick up and fix any faults that would impact the availability and reliability of your services. Cloud-based solutions truly allow organizations to focus on building their core applications instead of spending time and effort on the items that can be consumed as utility services.
CZ: Should businesses have an active role in determining what happens to their data if they partner with an external database provider?
HN: CCPA still has some thresholds on companies that it applies to, but I think it would be safe to say that every company should take note.
The call for privacy rules is arising from consumer demand, and it would be wise for all companies to be proactive on this front. GDPR, for example, applies to all companies and all use of data that can be classified as personal information regardless of revenue, number of users or use of the data.
I think it is essential that companies at least discuss and address these issues, but I’d be keen to recommend a progressive stance on adopting the changes required for the customer’s benefit.
CZ: Where do you think businesses might slip up? What are some of the common pitfalls to be avoided?
HN: It’s impossible to prevent slip-ups, but I think it’s important to differentiate the ones that stem from mistakes and negligence. Good corporations address changes such as CCPA via regular corporate governance and risk assessment. Bad apples just ignore things until the issues catch up.
In the end, I think the tech landscape changes do continue to profoundly alter our way of living; we didn’t realize how drastically the rise of computing power and networking impacted our lives and we’re just learning how to cope with it.
Privacy issues are one aspect of this change, and I’m personally advocating for consumer — and my own — rights to set some limits on how I decide to share data on my activities and preferences.
Thanks to Heikki for his thought-provoking answers. What do you think about these issues? Leave a comment below.
