What is Shadow IT? — UK Software Development Guide
Direct Answer
Shadow IT refers to software systems, devices, cloud services, or applications used within an organisation without the knowledge or approval of the IT department. Common examples: employees using personal Dropbox or Google Drive for work documents, teams using Slack when the company standard is Teams, or departments subscribing to SaaS tools on corporate cards without IT procurement.
Shadow-it in the UK
Shadow IT has significant UK GDPR implications. GDPR holds the data controller responsible for all processing of personal data — including by shadow IT systems. If employees process customer data in an unapproved SaaS tool, the organisation is still liable for that processing. The ICO has taken enforcement action where shadow IT created unlawful personal data processing. UK GDPR requirements: organisations must maintain Article 30 Records of Processing Activities — shadow IT makes this impossible if IT does not know about the processing. NCSC guidance warns against shadow IT as a Cyber Essentials compliance risk (unapproved software may not be patched within the 14-day CE requirement).
Related Glossary Terms
UK GDPR
UK GDPR explained for UK software developers and business owners. UK GDPR (UK General Data Protection Regulation) is the post-Brexit version of EU GDPR, retained into UK law via the Euro... UK context, examples, and related services.
SAAS
SaaS explained for UK software developers and business owners. SaaS (Software as a Service) is a software distribution model where applications are hosted centrally and delivered to c... UK context, examples, and related services.
Cyber Essentials
Cyber Essentials explained for UK software developers and business owners. Cyber Essentials is a UK government-backed cybersecurity certification scheme developed by NCSC (National Cyber Security... UK context, examples, and related services.
DEVOPS
DevOps explained for UK software developers and business owners. DevOps is a set of practices, principles, and culture that combines software development (Dev) and IT operations (Ops) t... UK context, examples, and related services.
Penetration-testing
Penetration Testing explained for UK software developers. Penetration testing (pen testing) is a simulated cyber attack against a software system, network, or application to disc... UK context and related services.
Terraform
Terraform explained for UK software developers. Terraform is an open-source Infrastructure as Code (IaC) tool by HashiCorp that allows you to define, provision, and man...
Get Expert Advice on Shadow-it
Speak with our UK software development experts about Shadow-it. Free consultation, transparent pricing, no obligation.