
How to find your company’s sensitive data

Why track your sensitive data

Your company collects and stores an abundance of sensitive information about your customers every day. Carelessness in tracking and protecting it may leave it vulnerable to costly data breaches.

According to IBM’s Cost of a Data Breach Report, the average cost of a data breach was $4.24 million (over 3 billion DKK) in 2021, rising to $4.35 million in 2022.

Reduce your risk of a data breach. Find your company’s sensitive data now, determine if you really need to keep it, and make sure you protect it. 

If you are like most companies, the personal and sensitive data you’ve collected about customers and others is spread across many systems and employees. Doing a proper inventory of all that data is a daunting task, but an essential one.  

Let’s talk about how to conduct a data inventory:  

  • What exactly you should be looking for 
  • Where you might find sensitive data 
  • What method you should choose for the data discovery/inventory process 
  • What to do next to comply with data privacy regulations 

Identify sensitive data

A person’s sensitive data should get special protection. This is a special category of personal data. If someone’s sensitive data were to fall into the wrong hands, it would violate that person’s privacy and could cause them harm. 

Data privacy regulations were designed to protect people’s data, and they are especially stringent when it comes to “sensitive data”. Global regulations may vary slightly in their definition of sensitive personal data, but it is safe to say that sensitive data will include things like: 

  • Medical history 
  • Financial information 
  • ID numbers 
  • Race or ethnic background 
  • Political opinions 
  • Religious beliefs 
  • Philosophical beliefs 
  • Police records 
  • Membership of a trade union 
  • Sex life or sexual orientation 
  • Genetic data and biometric data, and more… 

You and your employees will potentially collect sensitive data with every transaction and interaction.  


  • Your website collects credit card info during online checkout 
  • People casually share private information with one of your customer service representatives 
  • Your HR department collects police records (and much more!) from potential employees 

Where is all the data kept? If any of this sensitive data were to be exposed, you could have a serious problem that could cost you millions of dollars, and even shut your business down for good.  

List your storage locations

Where do you and your team store all the data you collect?  

Here are a few types of locations that must be checked for sensitive data: 

  • Local drives 
  • Network drives  
  • Cloud storage  
  • Email folders
  • Online services

Find sensitive data across many locations

Most companies do not just use one type of cloud storage, and most employees (unfortunately) do not always use their work computer or email. Therefore, the list of individual locations you will need to check for sensitive data will quickly become much longer. 

    Choose your inventory method

    Now you know what to search for, and where you might find it.  

    However, this only shows what a big job you have in front of you. How can you be sure you identify every ID number, credit card number, medical condition, political opinion, etc., that has made its way into your storage locations? 

    Here are three options for data discovery: 

    • DIY. Assign someone from your own team to sort through files. This option is expensive because it is so time-consuming. It is also prone to errors, and the process itself may expose you to a breach if it is not handled properly. 
    • Hire a service. Hiring a data discovery service to find your sensitive high-risk files is another option, but it still does not eliminate the risk of human error, it exposes sensitive data to more eyes, and it is very expensive. 
    • Get smart software. Using smart data discovery software to automatically find sensitive data in your systems is an easy, cost-effective way to perform regular data inventories and evaluate your risk exposure. 
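
To make the discovery problem concrete, here is an added example (not part of the original article and not how DataMapper works) of an automated pass over a local or mounted network drive for one data type named above, credit card numbers. Candidates are validated with the Luhn checksum to cut false positives and are reported only in masked form, so the inventory report does not become another copy of the sensitive data. The function names and the file size limit are assumptions of this example.

```python
import os
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> list[str]:
    """Return masked card-number candidates that pass the Luhn check."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict[str, list[str]]:
    """Walk a directory tree and return {file path: masked hits}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue    # assumption: skip very large files
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue        # unreadable file: skip, do not abort the scan
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    # Constructed sample line using a well-known test card number.
    print(scan_text("Paid with 4111 1111 1111 1111, order 4111 1111 1111 1112"))
```

This only reads plain-text content; office documents, PDFs, images and mailboxes need format-specific extraction before the same check can be applied.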

    What to do once you have your data inventory

    Some companies may hesitate to perform a data inventory because they are afraid of the issues they might find. But in fact, just having the data inventory done will give you a huge advantage if you are audited by the authorities, as visibility and documentation are an important part of compliance. And if you are exposed to a cyber attack, a data inventory will help you keep your valuables (in this case, sensitive personal data) out of the way.

    Here are a few additional things you can do once you have your data inventory: 

    • Make sure you have consent or another lawful basis to keep data you store 
    • Delete sensitive data you no longer use or if you do not have a legal basis to store it 
    • Restrict access to certain files to only those who need it 
    • Protect sensitive data at rest and in transit 

    Next step: Prepare a Data Protection Impact Assessment (DPIA)

    The insights you gain from your data inventory will also make it easy to prepare regular DPIAs in compliance with regulations. 

    We’ll discuss how to make a DPIA in another article, but a basic DPIA can be drafted based on the answers to the following questions: 

    • Do you process personal data?
    • Do you process sensitive data? 
    • Do you process data about minors/children? 
    • Do you have a lawful basis (usually consent) for processing the data? 
    • What do you use the data for? 
    • Do you share or sell data? 
    • What potential harm would be caused by data leaks? 
    • Who has access to the data? 
    • How do you protect data? 
    • When do you delete data? 

    These answers will also help you improve your privacy policy, another key element of compliance. 

    How we can help you

    With a smart data discovery tool, you can easily find your sensitive personal data. DataMapper is a browser-based data discovery tool that uses AI (Artificial Intelligence) and ML (Machine Learning) algorithms to find personally identifiable information across company employees, cloud storage, emails, systems and apps. Just open DataMapper in your browser, select the storage locations you want to search, and invite employees to join. DataMapper scans your locations, then generates a list of all risk files that contain sensitive data, organized by risk level and category.  

    An admin can review all results from their dashboard and risk documents tabs, while each user can review just their own results to improve their practices.

    Sebastian Allerelli

    Governance, risk, and compliance specialist