Are you breaking GDPR? – there’s an app for that
While you might think Shadow IT is a sinister and dark art, you might be surprised to discover just how many people in your organisation may be affected by it. Often, they don’t even know they are part of it. The General Data Protection Regulation (GDPR) is the new legal framework which will run alongside the existing Data Protection Act 1998, and will enforce regulations to tighten the usage and liabilities of “Shadow IT” – using unauthorised, cloud-based services to store and share data.
It’s fair to say that popular consumer cloud applications have found their way into all areas of current business practice. Take healthcare: in a recent survey conducted by the BMJ, over a third of NHS doctors who own a smartphone admitted to using app-based messaging (33.1%) and picture messaging (46%) to send patient-related clinical information to their colleagues.
The number of apps and the volume of data across all walks of industry is mostly unquantified and therefore an enormous risk. Five of the biggest and most common cloud application organisations that may fall foul of GDPR when it takes effect are:
- Google Drive
However, not all will necessarily breach the same regulations. Chances are, many applications will create organisational risk for any number of the following reasons:
- The right ‘to be forgotten’ cannot be enforced
- ‘Privacy by design’ – retrospective privacy is not compliant with GDPR; in other words, privacy must be built into the app at the time of design and not added later as a patch or upgrade
- ‘Storage of data’ is restricted to inside the EU
- ‘Transfer of data’ outside of the EU is restricted
- ‘Pseudonymisation’ – no personal data can be attributable to a specific user
This of course is just the tip of the iceberg. A study by Bluecoat recently noted that only 2% of all enterprise applications are GDPR ready. Ultimately, this means businesses will have to manage and protect their own data and the consequences of failing to do this correctly could be costly.
So, what can and should you do?
Without question, it is vital that you establish exactly what data and applications are in use within your business. The obvious place to start is to poll your staff and users. Ask them to identify what applications they are using, or have used, for business purposes. Having done this, conduct a thorough network discovery audit. Network discovery audits are common amongst IT support organisations; they will help you assess the data types and volume traversing your network. If you’re not sure what one is, ask your incumbent IT support company for help.
Once you know which apps are being used in your business, you can make decisions around whether they are necessary and should continue to be used. Managing apps is a complex process, and the risk naturally grows with the number of applications you use. Review whether you can consolidate your applications to a smaller number to make them easier to manage.
Likewise, identify what data is being used by each app, who is using it and why, how it is being accessed, and determine where it needs to be stored moving forward – on-premise, cloud, or across a hybrid model. Ultimately, you want to be GDPR compliant by design and secure by design.
Your audit and subsequent findings will help you understand your current application and data capacity, utilisation and distribution. Most importantly, it will highlight any gaps in your GDPR compliance.
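As an added illustration of the network discovery step above (example code, not part of the original post or of any Thrive tooling), the script below inventories cloud-app destinations from egress proxy logs, so that user polling can be cross-checked against what actually left the network. The log format, the hostname catalogue (Google Drive is taken from the post; the messenger host, internal suffix and upload threshold are constructed placeholders) and the approved-app list are all assumptions to be replaced with your own.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of egress proxy log lines: "timestamp user method url bytes_sent"
SAMPLE_LOG = """\
2018-04-03T09:12:01Z alice POST https://drive.google.com/upload/drive/v3/files 5242880
2018-04-03T09:15:44Z bob GET https://docs.google.com/document/d/abc/edit 1200
2018-04-03T09:20:10Z carol POST https://chat.example-messenger.test/api/send 2048
2018-04-03T09:21:00Z alice POST https://chat.example-messenger.test/api/upload 310000
2018-04-03T09:30:27Z dave GET https://intranet.corp.example/wiki/home 800
2018-04-03T09:31:02Z erin POST https://share.unknown-host.test/up 9000000
"""

# Hypothetical catalogue mapping hostnames to cloud apps (Google Drive is named in the post;
# the messenger entry is a constructed placeholder).
CATALOGUE = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "chat.example-messenger.test": "Consumer messenger (constructed)",
}
APPROVED = {"Google Drive"}      # apps your policy permits; an assumption for this example
INTERNAL_SUFFIX = ".corp.example"  # constructed internal domain: not shadow IT, so ignored
UPLOAD_FLAG_BYTES = 1_000_000    # constructed threshold for "bulk data leaving the network"

def inventory(log_text, catalogue=CATALOGUE, approved=APPROVED):
    # Returns {app: {"users": set, "bytes_sent": int, "approved": bool}}; unknown external
    # hosts go into an "Unclassified" bucket rather than being silently dropped.
    apps = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "approved": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole audit
        _, user, method, url, sent = parts
        host = urlsplit(url).hostname or ""
        if host.endswith(INTERNAL_SUFFIX):
            continue
        app = catalogue.get(host, "Unclassified")
        entry = apps[app]
        entry["users"].add(user)
        if method == "POST":  # only count data that is being pushed out of the network
            entry["bytes_sent"] += int(sent)
        entry["approved"] = app in approved
    return dict(apps)

def shadow_it_findings(result, flag_bytes=UPLOAD_FLAG_BYTES):
    # Unapproved apps, the users seen on them, and whether uploads crossed the threshold.
    return {app: {"users": sorted(d["users"]), "bulk_upload": d["bytes_sent"] >= flag_bytes}
            for app, d in result.items() if not d["approved"]}
```

Run against real proxy or DNS logs, the "Unclassified" bucket is usually where the previously unknown apps turn up, and it is the list to take back to the staff poll.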
If you’ve done all the above, you’ll need to create a roadmap to compliance, and that includes making sure you have a strong policy in place for your users. Once again, if you’re struggling with this, there are any number of organisations available to help you here. One potential speed bump, however, will likely be getting budget purely for GDPR compliance – no one likes unexpected overheads! One way to potentially overcome such an issue is to look at your existing IT projects and see where you can ‘design in’ any GDPR requirements to those.
There’s a lot of noise going around right now about being GDPR ready, and for good reason. But don’t overlook those so-called ‘harmless’ apps in constant use on your smart devices, permitted or otherwise. You won’t feel so smart if you get caught out by something you didn’t know about.
At Thrive, whilst GDPR isn’t our core business, we know how important it is to our customers and their IT infrastructure. It’s why we’re helping our partners conduct necessary audits to avoid potential risks ahead.
If you’re unsure or concerned about the effects of GDPR on the cloud apps your business uses or those potentially in use as Shadow IT, or whether your business is GDPR compliant, get in touch.