Since 25 May, the EU General Data Protection Regulation (GDPR) has been binding on all companies. Because we are repeatedly asked at events what effects shadow IT has under the new law, we outline them briefly in this blog post.

As is well known, the GDPR regulates the handling of personal data in companies. The new rules focus on the new obligations of companies and on the higher penalties for breaches of those obligations. For example, experts consider an effective data protection management system to be necessary now. Among other things, this system should cover the corresponding risk analyses. There are also requirements for impact assessments of new systems. In addition, companies must be able to implement the rights of the data subjects (mostly customers), e.g. the right to be forgotten or the portability of their data. Finally, companies must also consider the handling of their own employees' data; this includes, for example, data minimization and purpose limitation.

This certainly incomplete list of requirements shows that there are numerous points of contact between data protection and shadow IT. They result in three problem areas for shadow IT, which are briefly described below:

  • Lack of transparency: By definition, shadow IT lacks transparency. This also means that risk analyses are generally incomplete. Moreover, companies cannot disclose these unknown systems to their customers.
  • Lack of planning: Shadow IT often develops over time and has an experimental character, especially at the beginning. This lack of planning repeatedly leads to problems with the GDPR, as business units do not pay attention to the economical and regulated handling of data. In addition, they rarely carry out a complete risk analysis before introducing a shadow IT solution.
  • Technical defects: Shadow IT is usually built by staff in the business units who have less technical know-how, which also applies to the secure development and operation of systems. Accordingly, such systems may make it easier to steal personal data. Companies may also find it harder to implement the required data portability.

These short examples clearly show that shadow IT falls short of the GDPR's requirements in many ways. As a result, companies have an immediate need for action: to comply with the new legal standards, they should identify personal data in shadow IT and examine it for problems under the GDPR. A self-assessment by the business units is a first starting point for identifying such systems. In this way, companies can register all shadow IT applications and classify them according to their risk.

Based on the results, companies must adapt or replace the systems if necessary.

Author: Prof. Dr. Christopher Rentrop