What is GDPR?
GDPR – the General Data Protection Regulation – is a major new data protection/privacy law for all individuals within the European Union.
Any company that stores or processes personal information about EU citizens within EU states must comply with GDPR, even if they do not have a business presence within the EU.
So GDPR will probably affect any large firm in the USA or anywhere in the world that does any business with EU citizens.
What is Shadow IT?
Shadow IT is when an employee uses their own apps for work without the knowledge or approval of the IT department.
The problem is they are bypassing the company’s IT governance.
This has always been a significant issue for firms not least because of the security risks. For example there might be malicious code in an app that normal users are unlikely to notice.
The arrival of GDPR has introduced a whole new level of risk because shadow IT almost always contains data.
To comply with GDPR a firm’s nominated Data Controller needs to know every data repository.
If an employee has data on their personal device, at home or in the office, then that data is almost certainly considered data held by the firm – which makes the firm liable for its existence.
The problem for the firm is that fines for breaching GDPR could cost up to €20 million or 4% of annual global turnover – whichever is higher. (There’s your 2 reasons…)
What are the chances of being caught out?
In the nature of things, the bigger the firm the more likely it is to be put under the spotlight by campaigners or rivals – or GDPR regulators themselves.
A single instance of Shadow IT being discovered by the regulator could expose your firm to huge fines.
“The average European enterprise is using 608 cloud apps. Despite increased awareness on the part of IT over the last year or so, organisations underestimate this figure by about 90 percent. This is shadow IT in a nutshell, and of course, raises the question of how cloud-consuming organisations can ever hope to comply with the GDPR if they don’t know 90 percent of the apps people are using.” – Netskope
So Now We Know The Problem We Can Sort It Out… Right?
Yes and no: The problem is that IT departments have been trying to control Shadow IT for years, not least because it exposes the firm to serious risks of hacking/security breaches, as mentioned above.
Plus there have always been other serious issues like loss of Intellectual Property – if documents are stored in an unauthorized way – on an employee’s personal app – they will probably get “lost” when the employee leaves.
Despite all the attempts to control it, employees have continued to use shadow IT.
The chances are that, regardless of the severity of any warnings a firm issues to its staff about GDPR, it won’t make any difference.
Here’s a three-pronged strategy:
1) Educate staff on how to handle data correctly – that brainstorm they did using a cool, cloud-based whiteboard app… well all those notes might be seen by others.
2) Monitor what staff are using – but that can be a bit like herding cats.
3) Provide what staff want, decreasing their need to look elsewhere, and making sure the app is in a secure setting.
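As an added example (not code from the original post or from Dooster), here is what the “monitor” step looks like in practice: an inventory script that reads web-proxy log lines, drops traffic to apps IT has sanctioned, and ranks the rest by how many staff use them and how much data they upload. The log format, the domain names and the sanctioned list are all constructed for the example; the two-label domain collapse is a simplification of the Public Suffix List that a real deployment should replace.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<ISO timestamp> <user> <method> <host> <bytes_sent>"
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice POST app.example-whiteboard.io 48213
2024-03-04T09:02:40Z alice GET mail.corp-suite.example 1024
2024-03-04T09:05:03Z bob POST app.example-whiteboard.io 120000
2024-03-04T09:07:55Z carol PUT share.example-drive.net 5300000
2024-03-04T09:10:10Z bob GET mail.corp-suite.example 900
2024-03-04T09:12:30Z dave POST chat.example-messenger.com 2200
"""

# Apps the IT department has approved, as registrable domains (constructed).
SANCTIONED = {"corp-suite.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    Simplification: production code should use the Public Suffix List,
    otherwise hosts under e.g. co.uk collapse incorrectly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_sent: int = 0  # only upload methods count: data leaving the firm


def inventory_shadow_it(log_text, sanctioned):
    """Aggregate per-domain usage for every app that is not on the sanctioned list."""
    usage = defaultdict(AppUsage)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        _ts, user, method, host, nbytes = m.groups()
        domain = registrable_domain(host)
        if domain in sanctioned:
            continue
        u = usage[domain]
        u.users.add(user)
        u.requests += 1
        if method in ("POST", "PUT"):
            u.bytes_sent += int(nbytes)
    return dict(usage)


def rank_for_review(usage, upload_threshold=1_000_000):
    """Order unsanctioned apps by number of staff using them, then by bytes uploaded.

    Any app over the upload threshold is flagged: that is where company (and
    possibly personal) data is most likely to have left the firm's control."""
    rows = []
    for domain, u in usage.items():
        rows.append({
            "domain": domain,
            "users": len(u.users),
            "requests": u.requests,
            "bytes_sent": u.bytes_sent,
            "flag": u.bytes_sent >= upload_threshold,
        })
    rows.sort(key=lambda r: (-r["users"], -r["bytes_sent"]))
    return rows


if __name__ == "__main__":
    for row in rank_for_review(inventory_shadow_it(SAMPLE_LOG, SANCTIONED)):
        print(row)
```

The output is the list the Data Controller actually needs: which unsanctioned apps exist, who is using them, and which ones have received enough uploaded data to warrant a closer look. Run against real proxy or CASB exports, the same two functions give IT a starting inventory rather than the 90 percent blind spot the Netskope figure describes.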
One solution is for firms to license or buy in existing software to self-manage / host on their own servers.
For example, one of the most popular categories of cloud application used by staff is productivity tools.
Our app, Dooster.net, a task and project manager, has seen a significant increase in inquiries in recent months.
“We’ve been approached several times recently, sometimes by surprisingly large firms, to get the software ‘off the shelf’ and host it themselves. We’ve already made one significant licensing deal. We’re not widely known, but they’ve heard about us, then seen excellent testimonials from the likes of Yale University, and have reached out.” – Edward Parry, Dooster.net founder.
There are a surprisingly large number of privately held productivity tools like Dooster out there, plus many other “small apps” that match the features of, and even outperform, better-known apps like Basecamp, WhatsApp and Facebook.
IT executives have a surprisingly wide choice.
The alternative to bringing apps in-house could be expensive.