Does shadow IT pose the biggest risk to GDPR compliance?

Think you've covered all your bases when it comes to GDPR? Romy Hughes, director at Bristol-based Brightman, invites you to consider the impact of employees' hidden IT services
20th February 2018

“Shadow IT” has been a challenge for organisations for many years now; however, until recently, it has mostly just been a nuisance. But, come 25 May, when the GDPR becomes law across the EU, shadow IT could potentially cost your company up to €20 million or 4% of annual global turnover – whichever is higher.

By introducing such hefty fines for a data breach, the GDPR has helped shadow IT graduate from being a mere nuisance to a potentially company-destroying issue. Every organisation that takes their GDPR obligations seriously must therefore include an investigation into their shadow IT as part of their preparations. Those who choose to ignore shadow IT are simply not compliant with the GDPR.

How is shadow IT connected to the GDPR?

Shadow IT is the growing trend whereby employees either purchase IT services themselves or use their own devices at work without the consent or knowledge of the IT department. This is frustrating for the IT department because it takes them out of the loop, which adds risk to the business (i.e. introducing devices or software into the business that don’t meet the company’s security requirements) and reduces its ability to adequately support the environment; IT departments cannot support what they didn’t install in the first place!

The connection to GDPR comes when shadow IT introduces “unregistered data sources” to the business, i.e. data that is unknown to the data controller. The logic here is that if the IT department doesn’t know about this IT, then the data controller won’t either. Almost every type of IT, whether it be a piece of software or a device, stores or manipulates data in some way. If the data controller doesn’t know about this data then it is not meeting its GDPR obligations. How can the business honour a customer request to delete all its data if it is unaware that one of its account managers has a copy of his file on an app on his iPad?

Just one instance of shadow IT undermines GDPR compliance in an instant, exposing the organisation to the hefty fines mentioned above.

I’m not worried because I don’t have any shadow IT

So you don’t think you have any shadow IT in your organisation? Think again. Most software today is delivered via the cloud. Think of Salesforce, Slack, Dropbox etc., even Microsoft Office is now primarily purchased on a subscription model. All of this software can be procured by anyone with a credit card. Can the IT department confidently say that it knows about all instances of this software? If Amy from marketing decides she wants to give Slack a go, she doesn’t need IT’s approval to do so. She just does it.

Perhaps you’re one of the few organisations that is 100% confident in its procurement procedures, and you know that no piece of software can be installed without IT’s knowledge or consent. Good for you, that’s quite a feat. But can you say the same thing for any devices that might be connected to your network? Is every iPad and smartphone connected to your Wi-Fi vetted and managed by IT?

Ok I get it, I’ll just turn it off. Not so fast

Finding all the instances of shadow IT is only the first step in addressing the problem. The challenge we are finding is that most instances of shadow IT are not peripheral, incidental pieces of software – they actually run the business. Using one recent customer as an example, we found that 33% of its business-critical functions ran on non-core IT systems (i.e. shadow IT was responsible for 1/3 of the business). Since the data controller cannot just turn these systems off in its pursuit of GDPR compliance, plans must be made to manage the data in these systems instead.

Configuration management to the rescue

Once the data controller has found and documented all of the customer data residing in shadow IT, it is no longer shadow IT. Hooray. But the challenge then is about maintaining an accurate view of all non-core IT systems, since new instances of shadow IT (and thus unregistered data sources) can pop up at any time. This is where we believe a proactive and cooperative approach to configuration management must become part of the overall GDPR solution.

Traditional configuration management is about IT taking ownership of its domain. But this gatekeeper approach is what leads to shadow IT in the first place, so it’s best avoided. If it takes IT two weeks to provide a new employee with Microsoft Office, what is stopping a departmental head from simply throwing it on the credit card? We therefore suggest that IT works more closely with business heads to become a business enabler, and routinely works with the business to identify needs and deliver solutions proactively.

While this is not a simple or quick solution to implement, this change is needed to address the root cause of shadow IT in the first place. And with GDPR raising the stakes on all data held in shadow IT, the impetus for such ambitious change has never been greater.