EU GDPR Data Discovery

EU GDPR Data Discovery plays a critical role not only in preparing for EU GDPR compliance but also in ensuring a business continues to remain compliant.

The ability to comprehensively identify and locate Personal Data held across your business systems is a key capability, also enabling and simplifying a number of other core requirements of the EU GDPR such as:

  • Right To Erasure – The ability for a data subject to request that their Personal Data is removed, when a data controller no longer has a legitimate interest.
  • Data Breach Notification – The ability to understand which Personal Data is affected, and ensure the Data Controller can notify all affected individuals within 72 hours.
  • Data Subject Access Requests – The ability for a data subject to request a copy of all Personal Data held on them from a Data Controller, and to receive a response within 1 calendar month with no fee chargeable to the requester.
  • Data Portability – The ability for a data subject to transfer and migrate their personal data from one data controller to another, in a machine-readable format.
  • Anonymisation/Pseudonymisation – Ensuring personal data is minimised or redacted where not required, for example within development and test environments, and understanding how anonymisation and pseudonymisation can assist.

Without an established capability to identify all Personal Data, businesses remain unable to demonstrate that they are in control and meet the requirements above.

Whether an Enterprise, Mid-Level business or SME, businesses of all sizes use a combination of both structured and unstructured data repositories on a daily basis including File-shares, Email, Databases, Document Management Systems and Cloud Storage.

With multiple data repositories across the business, it is easy for personal data to lie unidentified, unprotected and out of compliance with the EU GDPR, with Unstructured Data Stores such as File Shares and Email proving highly problematic for many businesses.

Our EU GDPR Data Discovery service aims to identify personal data which may have been missed during the establishment of a Data Inventory, highlighting additional areas of high-risk requiring remediation.

Using our specialised Personal Data Discovery Software, our Data Protection & Privacy consultants will perform a deep EU GDPR Data Discovery scan across your entire environment, identifying non-compliant storage of personal data.

EU GDPR Data Discovery allows you not only to prepare for EU GDPR but also to identify your requirements for an established, on-going Data Discovery/eDiscovery capability.



Our consultants begin by holding an EU GDPR Data Discovery workshop with your business, articulating those obligations of the EU GDPR which may be assisted by Data Discovery, such as Data Inventory & Mapping, Data Subject Access Requests, Right to Erasure etc.

We will work closely with you to gain a shared understanding of current personal data held by your business and data repositories where it is believed to be held, reviewing any existing Data Inventory or CMDB which may be available.

With an understanding of the key data repositories in scope, our Data Protection & Privacy Consultants will then conduct a comprehensive technical data discovery scan across all agreed structured and unstructured data repositories with our specialist Personal Data discovery software, including but not limited to: File-shares, Email, Databases, Document Management Systems and Cloud Storage.

Following this review, we present our EU GDPR Data Discovery scan findings in a clear business-level executive report highlighting the Personal Data found, current data repository compliance level, short-term recommendations, and high-level strategic recommendations for how Data Discovery/eDiscovery may be used to support your on-going compliance requirements for the EU GDPR.

Key Benefits

  • Comprehensively identify all Personal Data across your business environment
  • Identify and Prioritise Data Repositories with high risk of non-compliance with EU GDPR
  • Supports EU GDPR Data Inventory & Mapping and a comprehensive register of processing activity
  • Covers both structured (databases, DMS) and unstructured (Fileshares, Email) environments.
  • Outline key data management risks and recommendations in executive level terms
  • Find additional information for your Data Inventory such as number of records
  • Support business case definition for planning for DSAR (Data Subject Access Request), Right to Erasure and Data Subject Portability Process Planning, and Breach Notification.

Our Methodology

Step 1: Pre-Assessment Phase (Off-Site)

  • Meeting with key staff members
  • Walk-through of engagement activities, and agree roles.
  • Review of existing EU GDPR Data Inventory/Register of Processing Activity (if available)
  • Review of current systems architecture
  • Review of current Subject Access Request Procedures (if available)
  • Provide workshop questions to support information gathering in advance of on-site workshop

Step 2: Discovery (On-Site Workshop)

  • Hold scoping workshop with key individuals from IT, Development Team, Data Architecture and Information Security
  • Walkthrough of all known Data Repositories (On-Prem/Cloud)
  • Walkthrough of Test & Development Environments
  • Walkthrough of End-User Environments
  • Walkthrough of existing Data Subject Access Request Procedure (if available)
  • Discuss extent of current personal data holding knowledge and usage for business purposes
  • Identify technical requirements to support the EU GDPR Data Discovery Scan

Step 3: EU GDPR Data Discovery Planning (On-Site)

  • Agree the Data Repositories in-scope of the EU GDPR Data Discovery Scan
  • Agree and confirm the technical requirements for EU GDPR Data Discovery Scan

Step 4: EU GDPR Data Discovery Scan (On-Site)

  • Conduct detailed technical scan to identify Personal Data/Sensitive Personal Data across your network environment including but not limited to Operating Systems, Email Servers, Databases and Cloud Storage.

Step 5: EU GDPR Data Discovery Scan Reporting (Off-Site)

  • Offline analysis of the EU GDPR Data Discovery Scan results performed by our Data Protection & Privacy Consultants.
  • Creation of comprehensive EU GDPR Data Discovery Report

Step 6: EU GDPR Data Discovery Scan Debrief (On-Site or Off-Site)

  • Walkthrough of EU GDPR Data Discovery Scan Report including high-risk findings and recommendations.


  • Total: Dependent on Scope
  • Onsite: Dependent on Scope
  • Remote: Dependent on Scope


  • EU GDPR Data Discovery Workshop – A workshop with key stakeholders to ensure a clear understanding of obligations, current usage of personal data for business purposes and overview of approach.
  • EU GDPR Data Discovery Report – A high-level executive report outlining results of the EU GDPR Data Discovery scan, including overall key risks, and outlining compliant and non-compliant data repositories across the environment.
  • EU GDPR Data Discovery Scan Report – A summarised technical report containing a list of all identified Personal Data including Data Types, File Formats, Volume and other attributes listing Compliant and Non-Compliant Data Repository Status.
  • EU GDPR Data Discovery Maturity Assessment – A High-Level Risk Assessment of current organizational ability to support DSAR, Right to Erasure, Data Subject Access Portability and Breach Notification with a set of clear recommendations.

Optional Related services

Learn how Data Discovery can help you gain visibility and control of both the structured and unstructured Personal Data across your environment and cloud, enabling compliance with EU GDPR and the UK DPA (Data Protection Act).
