There is a hidden gremlin lurking in the depths of your corporate IT network, whether SME or Enterprise, that has the capability of blowing a huge hole through your compliance work.
No matter whether you are governed by an industry body such as the FCA for Financial Services markets or seeking to comply with cross industry regulation such as GDPR, this menace is putting your organisation at risk of financial penalties and damage to reputation.
In the IT industry we call this threat ‘Shadow IT’ – sounds very spooky, doesn’t it? So what is it? Read on to find out.
Imagine a scenario where you need to send a presentation pack to a new investor or client. There are some lovely high-resolution images in there, put together by Marketing. It’s a great presentation, but unfortunately the file won’t send by email because your client has an attachment size limit on their email system. Your salesperson, desperate to ensure the presentation arrives as soon as possible, decides there is no time to wait for IT to help. They use an online file sharing service like DropBox to send the file, which then safely arrives. All is okay then?
Well, no. Let’s consider why: ‘there is no such thing as a free lunch’.
- Do you know the type of account that was used to share the file? It is unlikely to have been a business account – most likely a free or personal plan. As such, it will not have the controls around your data that your business needs. This could be anything from where the data is stored (in which country, for example) to the level of encryption used when transmitting it. You are certainly not compliant if you don’t know about it, and you are still unlikely to be compliant even if you do.
- You have no idea how the service will handle your data. It is often said that ‘there is no such thing as a free lunch’, and this is very much the case with IT services. It is likely that any free service will use details of the person using the service, potentially any recipients of the information, and possibly even the content you upload to it for marketing purposes. Without detailed analysis of the terms and conditions you will never know.
- You have no control over what data is being transmitted by your staff, or over the type of communication used to send it. Would the data fall under data protection regulations? Are staff communicating with clients or investors using instant messaging tools such as Skype, possibly about deals – conversations which must be recorded if your business falls under MiFID II requirements? By allowing staff easy access to these tools you are increasing the risk of a compliance breach – whether unintentional or deliberate.
With increasing regulation and controls governing your business, whether GDPR, FCA regulation or otherwise, you need control of your IT to ensure you remain compliant.
A simple audit can determine the extent of ‘Shadow IT’ within your business. If you need to prepare for implementation of GDPR but are not sure where to start, please contact me about our GDPR Foundation Training Day. Get in touch with me now to find out more.