Shadow IT in the Age of GDPR Compliance
Since the cloud went mainstream, a proliferation of online services and tools have led to the rise of so-called shadow IT, the use of unauthorized third-party services by employees in the workplace. Examples include the use of personal email and cloud storage services, file transfer sites, format conversion websites or popular collaboration platforms such as Wrike or Asana.
Mostly used without ill-intent, through either negligence or for the sake of convenience, these services pose a serious threat to data security because companies are unaware of their use and thus do not know where their data is being processed or whether they are secure channels.
With the EU’s General Data Protection Regulation (GDPR) coming into force on 25 May 2018, companies must now, more than ever, put an end to shadow IT or risk the consequences of being financially penalized under the new regulation.
Why is Shadow IT so prolific?
Employees often resort to shadow IT when companies themselves do not offer adequate modern tools they can carry out their tasks with. A failure to digitize certain aspects of office work will lead employees to seek help in the vast resources of the internet. An employee without Microsoft Office might turn to Google’s online G Suite. Without an internally approved messaging application, employees are sure to wind up using widely available options, from Skype to Facebook Messenger to Slack.
Another frequent reason for the adoption of shadow IT is heavy workloads. If employees feel overwhelmed by the number of tasks they need to finalize in a given time, they are sure to look for ways to automatize processes and cut corners. They inevitably turn to online tools as a consequence.
Sometimes, employees make requests for proper authorized tools via official channels, but often these remain on the backlog of IT departments and are answered only at a much later date. This can understandably lead to frustration and the use of popular online services instead.
Shadow IT and Data Security
Uploading official company documents onto third-party websites or applications implies that those services will process that data. Under the GDPR, this is already cause for alarm, as the legislation clearly prohibits the processing of sensitive information for any other purpose than that for which the company has previously gained consent. Sharing this information with a third-party, which the company has no way of knowing exists and therefore cannot ask customers for consent to process their information, is in clear violation of the GDPR’s rules.
Online services also usually require the acceptance of terms and conditions designed for the personal use of individuals and are not suitable for business use. The agreement or contract thus takes place between the provider of the service and the employee as an individual, leaving out the legitimate data controller and data processor, namely the company.
The security of these services must also be questioned. While perhaps big names such as Amazon, Google or Microsoft can be counted on to keep their online services to the highest standard of security, when we move down to smaller websites with specialized purposes (file transfer, video sharing, file conversion etc.), a large number of them are suspicious, many harbouring malware or collecting data on the sly.
The GDPR and Shadow IT
As previously mentioned, when it comes to the GDPR, companies that process EU data subjects’ personal information have very clear obligations as data controllers and processors. Prior authorization for processing is needed from data controllers and can only be done as per the documented instructions provided by them. Confidentiality is imposed on personnel processing sensitive data. Clear measures to protect personal data must be adopted and sub-processors cannot be engaged without the explicit authorization of data controllers.
The GDPR also requires a very clear and specific statement of consent from EU data subjects. Ticking boxes and endless lists of terms and conditions are no longer an option. Customers must give explicit consent to concisely formulated requests. They also have the right to revoke that consent at any time and request that their data be destroyed by the data controller and, implicitly, the data processor.
Shadow IT, by engaging non-authorized third-parties, clearly circumvents all of these stipulations of the GDPR. By having sensitive data uploaded onto internet services, which may or may not secure, that may be shared with external individuals or stakeholders, employees clearly break their obligation of confidentiality and any company policies aiming to protect that data.
Companies, whether data controllers or processors, never receive consent or authorization for the use of these external services. If personal data is being uploaded onto unknown websites and applications, when a right to be forgotten is requested, companies will not be fully complying with the request and can be held accountable for it.
How to Eliminate Shadow IT
One of the ways in which companies can curb the use of unauthorized services is to ensure that employees have all the tools they might need or want at their disposal through official channels. Digital transformation is one of the ways in which this can be done, by adopting new technologies and automating processes internally. While it can be a long process that requires clear parameters and a gradual implementation if it is to be successful, digital transformation helps companies speed up their operations, gain a competitive edge and ensure that their employees need not look elsewhere for the right tools to perform their duties.
Another way to thwart shadow IT is to use Data Loss Prevention solutions to control how sensitive data is used and who has access to it. Products such as Endpoint Protector allow companies to monitor data based on policies that help with GDPR compliance and ensure that it cannot be uploaded onto popular online sharing services, sent as an attachment or copied onto portable devices. Such tools can also help monitor where sensitive data is and – if it is found on computers not authorized to process it – delete or encrypt it. In this way, companies ensure the security of sensitive data and remain GDPR compliant as they work to eliminate shadow IT.
The existence of shadow IT should be a prime concern to all companies looking to become GDPR compliant as its existence endangers the security of sensitive data vouchsafed under the new legislation. Organizations found to be violating the core principles of the GDPR can incur fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater. With just three months and a half to go until the GDPR comes into force, time is running out and companies ignoring the risks shadow IT poses might wind up paying a hefty price for it.