Shadow Data — the Copies of Personal Data You Forgot You Made

Shadow Data — the Copies of Personal Data You Forgot You Made

Every organisation knows where its official personal data lives — the CRM, the HR system, the shared drive everyone agrees is “the source of truth.” That’s not where the risk is. The risk is in the copies: the export someone took, the attachment someone saved, the spreadsheet someone duplicated “just to be safe.” That’s shadow data, and on a Mac it multiplies quietly until nobody can say how many copies of a person’s details exist.

Shadow data is the single biggest reason data mapping is hard — and the single most common thing an audit surfaces.

Where shadow data comes from

Nobody sets out to scatter personal data. It happens through ordinary, well-meaning work:

Each step feels harmless. The sum is a personal-data footprint far larger than the official one.

Why shadow data is dangerous

Shadow data breaks GDPR in three specific ways:

  1. It defeats data minimisation. You’re holding far more personal data than you need — you just can’t see it.
  2. It breaks storage limitation. The official record gets deleted on schedule; the shadow copy outlives it indefinitely.
  3. It sabotages every other obligation. A data-subject access request, an erasure request, a breach assessment — all require knowing every place a person’s data lives. Miss the shadow copies and every one of those answers is wrong.

And shadow data is exactly what a breach exploits. When a laptop is lost or an account is compromised, the damage isn’t the governed system behind its access controls — it’s the unencrypted export sitting in someone’s Downloads.

How to find it

You can’t manage shadow data by asking people to remember it — the whole point is that it’s forgotten. You find it by scanning for the content, not the location:

  1. Scan the messy places first. Downloads, Desktop, Documents, mail stores, and shared drives — where copies collect, not where the official system lives.
  2. Look for identifiers, not filenames. A working copy won’t be named “personal data.” It’s found by the national IDs, emails, card numbers and names inside it.
  3. Cluster the duplicates. Five files with the same 200 people in them is one dataset copied five times. Treat it as one problem.
  4. Trace it to a source. For each cluster, find the governed original. That tells you which copies are redundant.

How to collapse it

Once you can see shadow data, reducing it is straightforward:

Doing it on-device

There’s an obvious irony in scanning for scattered personal data by uploading all your files to a cloud service — you’d be creating the largest shadow copy of all. The scan has to stay local.

That’s what GDPR File Audit does: it scans folders, drives and mail stores on your Mac, flags the files that contain personal data, and shows you the clusters — so you can see the copies you forgot you made and collapse them, with nothing uploaded.

Your official data map is the easy half. The shadow half is where the compliance actually lives — and where the next breach is waiting. Go find your copies.