Ghosts in the machine: The hidden dangers of legacy data
Posted: March 12, 2025
Hidden data. Secret systems. Forgotten databases.
These all sound like the storyline of the newest thriller novel. In reality, these are components of any compliance, security, or privacy professional’s nightmare. These are also the reality of many organizations, even well-intentioned and careful organizations that pay attention to data and data security.
These responsible organizations record new systems as they come online and integrate those systems into the individual rights process. They regularly assess security risks and overlay systems with appropriate safeguards.
These organizations also limit access to data and review access controls on a routine basis. Any requests by business functions wishing to use the data go through a rigorous review and approval process. The privacy operational team documents data flows through a data inventory and, if the data set includes sensitive personal data, they conduct a Data Protection Impact Assessment (DPIA). If the team finds additional risks that require controls to mitigate, the team implements the controls and tracks remaining action items.
However, even given this rigorous attention to privacy and security concerns, an organization still can easily find itself with so-called shadow systems and shadow data – risking data security and privacy compliance despite best efforts.
Shadow technology, or shadow systems, are systems that employees use (or have used but later forgotten) that the company has not approved or controlled. Similarly, shadow data is data that the company has not controlled – frequently unauthorized, unaccounted-for copies of data. There are multiple causes of shadow systems and shadow data, and understanding these causes and how to remedy them is useful to any data protection team.
Shadow systems
Most employees want to do a respectable job. They also want to do a decent job along the path of least resistance – efficiently and under budget. The good news is that there are plenty of no-cost and low-cost Software as a Service (SaaS) tools that can help people analyze, make sense of, and report on data (including personal data).
The bad news is that there are plenty of no-cost and low-cost SaaS tools available. Many companies set up Purchasing as the gatekeeper for privacy and security processes. For example, when Purchasing sees a Purchase Order request for a SaaS tool involving personal data, the Purchasing function will know to trigger a Data Protection Agreement that passes on appropriate data use limitation, security, breach notification, and data deletion requirements to the vendor.
Purchasing may also inform Security for normal security reviews and Privacy to identify whether the company must create a new data inventory record, whether the risk warrants a DPIA, and which individual rights will apply to the new data source or recipient.
However, because the SaaS tool may not go through the Purchasing process, the employee may bypass all these checks and safeguards. This means that the employee can find and use a tool without going through the normal security and privacy review and approval processes. The vendor may not have appropriate security protocols.
The vendor may also not delete the data, extending the risk of data breach. Even worse, the vendor may have presented terms that allow that vendor to use and even sell the personal data in service of its own interests. There will be no data inventory record, DPIA, or integration with individual rights processes.
Shadow data (copies)
To do a better job more efficiently or conveniently, employees will also save copies of data in alternate locations, on both authorized and unauthorized devices and cloud services. In this way, Excel can be the enemy of privacy and security.
Even well-intentioned individuals will download data into an Excel document to work on the data more efficiently. They may store copied data on their company device or even email it to themselves to work on it at home on their own device. In other cases, the individual may store the copied data in the cloud for the convenience of working on it (at home or at work) in the future. Again, individual rights, data mapping/DPIA, security controls, and deletion processes will certainly not apply to these data copies.
Additionally, organizations often fail to consider backup procedures when integrating data inventory, individual rights, DPIA, and other privacy/security activities. Backup processes will create copies of data, and without careful consideration the company may find itself with uncontrolled and unrecognized data copies.
Shadow risks, and how to control them
Research suggests that breaches related to shadow data/systems take 26.6% longer to detect and 20.2% longer to contain. Regulators also enthusiastically enforce accurate and complete implementation of company promises related to deletion schedules, individual rights handling, third party management and data protection agreements, records of processing, DPIAs, security protocols, and data uses/sharing limitations.
The way to control shadow data/system risk is a multi-path approach:
- People: Training and awareness
- Technology: Centralized consent management
People: Training and awareness
Well-intentioned employees are often the weak link in shadow data and system prevention. A vigorous training and awareness program can help individuals understand the risks and prevent unintended consequences of employees ‘just doing their job.’
Moreover, a company should thoughtfully consider roadblocks to employee efficiency and which tools and resources may be helpful in removing those roadblocks. By providing helpful, but approved, technologies, a company can head off the motivation to create shadow data and use shadow systems.
Technology: Centralized consent management
Today’s consent management systems recognize approved data flows and integrations and help prevent unauthorized data flows and integrations. Centralized consent management systems also automatically apply the right rules to data, including preventing unauthorized flows. In this way, a strong and centralized consent management system will help prevent shadow systems and data.
Additionally, more companies are using data leakage prevention tools that identify and prevent attempts to send data outside of the company environment, such as through email and thumb drives. Together, consent management and other data leakage prevention technologies can help automate control over shadow tech/data.
Summary
In summary, shadow systems and data – uncontrolled/unmanaged or forgotten systems and copies of data – present a significant risk even to organizations that take privacy and security seriously. Not only are breaches more likely and harder to detect, but privacy compliance activities like individual rights handling and application of data retention schedules are almost impossible. However, a combination of employee training and awareness efforts, plus consent management and data leakage prevention technologies, can vastly improve the shadow picture of any organization.