GDPR overexposes Shadow IT
Shadow IT is the term for IT solutions used within a company without organizational approval: IT activity that takes place in the shadows, outside the usual security and control requirements applied to data placed under the company's responsibility.
Shadow IT predates the cloud: employees have long downloaded and installed their own software to get tasks done. Because cloud services are easy to consume (often starting with a freemium account) and easy to use, the potential loss of control is astounding. Symantec states that "organizations use 20 times more cloud apps than they think" [1]. Corporate IT security professionals estimate they have 30 to 40 apps in the cloud when the reality is a staggering 928 apps.
Shadow IT does not meet security requirements
The main reasons Shadow IT emerged were usability and price. End users still rarely consider security, and often see it as a constraint. As a consequence, "only 8.1% of cloud services meet enterprise security and compliance requirements," states a recent Skyhigh Networks report [2].
Shadow IT: the digital workplace and CCPs
Beyond the broader digital workplace, Shadow IT relies heavily on Content Collaboration Platforms (CCPs), the category Gartner defines in its recent Magic Quadrant report. "Of the 1,427 cloud services used by the average company, 342 are related to collaboration, file sharing, content sharing" [2] (Skyhigh Networks report).
In addition, "25% of all files shared in the cloud are broadly shared" [1] (Symantec), and some of that shared data is regulated: according to Symantec, "3% of those shared files contain current compliance related data (PCI, PII, PHI)" [1].
The digital workplace in a GDPR perspective
The European Union's new GDPR (General Data Protection Regulation) is a game-changing regulation that will bring new attention to Shadow IT for any company doing business in Europe. When the rules take effect on 25 May 2018, the GDPR will require:
- A focus on all shared data, not only broadly shared data
- A focus on all personal data (any information relating to an identified or identifiable natural person), not just the PCI, PII or PHI categories tracked today
- Notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them
- Stronger assessment and monitoring of the conditions under which data is transferred between entities and across borders
- More rigorous sanctions that can hit a company's reputation and bottom line:
  - A GDPR violation can generate a penalty of up to 4% of total worldwide annual turnover (or €20 million, whichever is higher) for the companies involved in the data processing
  - This is on top of any damages owed to the individuals affected
  - A company's image or brand can be severely damaged
What to do when GDPR overshadows Shadow IT?
No one can stop the move to GDPR. It's time to standardize the EFSS (Enterprise File Sync and Share) solutions already in use on one that works (read about the seven strategic guidelines for an effective EFSS), one that:
- Offers GDPR-aware features (privacy by design)
- Gives the company's DPO (Data Protection Officer) the necessary control over all data, including where it is stored
- Provides the features and usability users expect, securely, protecting both them and their organization
- Delivers the IT security features expected of it, such as granular, group-based policies and remote wipe, which protect users while giving them the freedom they need to do their jobs
Besides GDPR compliance, standardizing on an industry-leading, secure solution brings other immediate rewards, such as reduced costs and easier collaboration for all employees. GDPR is coming, and it's coming fast. If your organization is guilty of a lot of Shadow IT, take time to get your IT house in order. Your company's image, revenue and data will thank you.
To learn more about Axway Syncplicity and how we help you compose a secure digital workplace: Modernize Your IT Infrastructure or Innovative User Experiences.
[1] Symantec: 2H 2016 Shadow Data Report
[2] Skyhigh Networks: Cloud Adoption Risk Report Q4 2016