Is shadow IT opening you up to GDPR risk?

Storing data on a personal database doesn't make the company any less liable

Data duplication plagues companies, and it extends past officially-sanctioned databases: your employees are probably keeping sensitive information on personal accounts.

"I actually had a company who I asked to remove my details from their marketing database and got a phone call a couple of weeks later," said an attendee at Computing's most recent IT Leaders' Club, sponsored by Informatica. "I said, ‘Well, this is odd, because you confirmed that you deleted my details’, and he said, ‘Yeah, but I've got my own personal copy’!"

As well as being a serious breach of trust, keeping personal data in shadow IT in this way exposes the company to fines under the GDPR: the regulation applies to every copy the organisation holds, not just the sanctioned one. Finding that duplicated data is crucial, but difficult - and that applies to both internal and external data stores.

A delegate from a large public sector agency, who admitted that his department was "data-rich but insight-poor," said, "We collect data and save it multiple times… We ask [our clients] to fill out the same data, through many departments, through many interactions, many times…

"We don't have an end-to-end view of how much money is available to a provider; they might be consuming multiple funds, through multiple departments. The fragmentation of the data itself creates that challenge."

Another IT leader, in the finance industry, said that her firm holds more than 60 separate instances of the same data. Almost every attendee admitted that they too had problems with data duplication, whether through deliberate data backups or shadow IT.

"If you get into the privacy space and assert the right to be forgotten," one delegate said, "they come back and say, ‘We deleted the primary copy’, but there's all the secondary working copies - the ones you know about and the ones you don't…"

The answer for internal systems is to consolidate your databases into a single golden record for each data subject - and hope that no other copies "mushroom up" elsewhere while you're doing so.

The challenge of shadow IT doesn't have an easy solution. Trying to ban its use is an exercise in futility, and controlling it is almost as difficult. The CIOs attending our event agreed that the best answer is to educate staff on where it is safe to use external solutions, and what data absolutely should not be there.