GDPR brings Shadow IT under the spotlight

Less than 12 months to go and nowhere to hide as potential fines could reach tens of millions for large firms by next year.  Many IT departments in large firms are increasingly concerned with business units contracting directly with service providers, as opposed to relying on internal resources to address their needs.

In some instances, it happens by mutual agreement as a result of resource constraints; in most, it reflects a deeper difference of approach, the internal IT practice being perceived as unnecessarily expensive, bureaucratic or old fashioned.

None of this is new and, in fact, it has been happening for the best part of the last 10 years in some areas. A great deal of it is rooted in cloud and consumerisation mega trends which have been transforming the nature of IT.

One small piece after another, significant chunks of the data processing needs of an organisation end up being externalised, without any over-arching strategy, and often without the knowledge of any control function. Individual contract values are low, so every deal remains under procurement radars irrespective of the potential sensitivity of the processing involved, and almost always standard vendor terms are accepted (even if they are invariably and shamelessly one-sided).

The forthcoming GDPR (coming into force on 25 May 2018) will bring this “Shadow IT” under the spotlights, as HR and Marketing functions have been historically the main exponents of such practices, and are by essence heavily dependent on personal data.

With potential fines reaching tens of millions for large firms from next year, many are starting to assemble compliance roadmaps and projects, but they will have to confront the reality of the data processing as it is really happening within their departments, and it may add significant costs and complexity to their GDPR alignment programme.

Digital Transformation Consultation

To start with, a real inventory will have to take place across the firm, without complacency, involving each business unit, support function and geography. It is a real mapping of all personal data treatment that must be drawn, encompassing all aspects, structured data as well as unstructured data, “proper” IT as well as “shadow” IT.

It will be easier for firms where the CIO has already built channels to listen to business communities and talk to them in their own language, but it cannot be ignored.

Behind that inventory, contracts will have to be checked and updated where necessary and assurance will have to be built around the presence of appropriate security measures in the vendors’ environments, taking into account the real sensitivity of the data being processed, not just the contract value.

All this embodies the real nature of the cultural change GDPR heralds: Just by the level of fines regulators can enforce (without considering reputational damage, adverse publicity, and potential damage or compensation claims), it places many legacy practices into a different perspective and by forcing executive management to look beyond short-termism, it can be a true catalyst to drive real action around Privacy and Security.

Arrange a Conversation 


Article by channel:

Read more articles tagged: Featured, GDPR