Skip to main content

Why track your sensitive data

As a company, you should find your files with sensitive information for several important reasons:

  • Compliance: Many countries and regions have laws and regulations that require companies to protect the sensitive information they have. In the EU, there is GDPR, which requires companies to protect personal data. If a company cannot find and protect this information, it risks breaking the law and being exposed to fines and legal consequences.
  • Customer trust: Losing or leaking sensitive information can damage customer trust and reputation. If you do not know where this information is, you cannot protect it effectively against hacker attacks or data loss.
  • Data governance: Finding and organising sensitive information helps improve a company’s overall data governance. This makes it easier to know what data you have, where it is, who has access to it and how it is being used.
  • Security: Knowing how sensitive your information is, you can implement appropriate security measures, such as access control and encryption, to protect it from unauthorised access and misuse.
  • Effective response to security breaches: If a security breach occurs, it is crucial to be able to respond quickly and effectively. If you don’t know where your sensitive information is, it can be difficult to determine what data has been compromised and how to respond.

Ultimately, it is important for companies to find and protect sensitive information as a fundamental part of processing personal data responsibly. As a business, you have a responsibility to protect customer information, comply with laws to maintain sound business practices.

Did you know that organisations that do not comply with regulations like GDPR face significantly higher costs when data breaches occur? (

How to find your sensitive personal data manually

When you need to find your files, emails and pictures with personal information, you should follow these 3 steps:

1. Know what to look for
The number of different types of personal information is huge. Therefore, it is a good idea, before you start finding your personal data, to define exactly what information you are looking for. Here is a list.

2. List your storage locations
Where do you and your team store all the data you collect? Here are a few types of locations that must be checked for sensitive data: 

  • Local drives 
  • Network drives  
  • Cloud storage  
  • Email folders
  • Online services

Most companies do not just use one type of cloud storage, and most employees (unfortunately) do not always use their work computer or email. Therefore, the list of individual locations you will need to check for sensitive data will quickly become much longer. 

Need help finding your company's sensitive data?

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

3. Choose your method of finding data
Now you know what to search for, and where you might find it.  

However, this only shows what a big job you have in front of you. How can you be sure you identify every ID number, credit card number, medical condition, political opinion, etc., that has made its way into your storage locations? 

Here are three options for data discovery: 

  • DIY. Assign someone from your own team to sort through files. This option is expensive because it is so time-consuming. It is also prone to errors and the process may expose you to breach in and of itself if it is not handled properly. 
  • Hire a service. Hiring a data discovery service to find your sensitive high-risk files is another option, but it still does not eliminate the risk of human error, it exposes sensitive data to more eyes, and it is very expensive. 
  • Get smart software. Using smart data discovery software to automatically find sensitive data in your systems is an easy, cost-effective way to perform regular data inventories and evaluate your risk exposure. 
DataMapper can find your company's sensitive data

What to do once you have found your sensitive data?

Some companies may hesitate to perform a data inventory because they are afraid of the issues they might find. But in fact, just having the data inventory done will give you a huge advantage if you are audited by the authorities, as visibility and documentation are an important part of compliance. And if you are exposed to a cyber attack, a data inventory will help you hide the values - in this case sensitive personal data – out of the way.

Here are a few additional things you can do once you have your data inventory: 

  • Make sure you have consent or another lawful basis to keep data you store 
  • Delete sensitive data you no longer use or if you do not have a legal basis to store it 
  • Restrict access to certain files to only those who need it 
  • Protect sensitive data at rest and in transit
  • Prepare an impact assessment (DPIA) for your data. Download a free template here.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

A smarter way to find your sensitive data

Instead of spending hours each month finding your data, which contains personal data, you can solve the task much faster and more precise with a digital tool. In Safe Online, we have developed DataMapper, which is a browser-based data discovery tool that uses artificial intelligence to find files, emails and images that contain personal data across the company’s data systems.

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →

Contact me today


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit