Data Discovery: A Comprehensive Guide

They say that every company is a tech company; if that’s true, then every company is also a data company. No matter which industry your organization is in, the odds are good that you collect data—product data, business data, and consumer data.  

That last category is especially crucial for businesses to be aware of. Data privacy regulations impose strict responsibilities on businesses that process consumer’s personal information.  

A crucial component of compliance with these data privacy regulations is data discovery. When data subjects (i.e., the people whom you collect data from) exercise their rights under data privacy regulations, businesses need to be able to find, update, delete, communicate, and manage their relevant data. Without a data discovery capability, it isn’t possible to accomplish this task in a sustainable way. 

So: What is data discovery, really? How is data discovered? And what is the data discovery process? 

What Is Data Discovery? 

Writ large, data discovery is the process of finding and classifying data, making it useful for some purpose. Organizations engage in data discovery for a variety of purposes, often to discover patterns, solve business problems, and inform strategy. 

In terms of data privacy compliance, data discovery refers to the process of finding data that must be managed in some way in order to achieve compliance. That could be identifying systems that collect personal information so you can act on opt-out requests, finding where you send data to downstream vendors, or finding data subject’s personal information and making it available for response to a subject rights request.  

How Does Data Discovery Help With Compliance? 

Under laws such as the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), data subjects have a right to inquire about the personal information you have on them, request that their personal information be updated or deleted, and make other requests.  

Being able to find that data and respond to the request in a timely manner is a requirement under these laws—typically, businesses have 30 to 45 days (depending on the law) to respond to a DSAR. What’s more, attorney generals, privacy advocacy groups, and data protection authorities use DSAR obligations as a means of testing for a business’s compliance. If a business can’t fulfill a DSAR accurately and on time, they’ll either take action themselves or report the violation to the relevant authorities. 

Thirty days might sound like plenty of time, but only if you underestimate the degree of data sprawl in modern businesses—especially if the rest of your data privacy program isn’t fully mature. On average, businesses use over 130 different SaaS applications. Each of those applications has a high degree of likelihood of containing consumer information, whether that’s collected directly from the consumer, copied from another system, or derived from an upstream third party sending you their consumer’s information (which you also must find if they receive a DSAR).  

Without a data discovery process in place, the only way to diligently fulfill a DSAR is to look through each of those systems manually. And once your organization starts receiving multiple DSARs a month, then that process will quickly become untenable. You could always stick with the main systems you use, but then you will be noncompliant by negligence and will risk enforcement. 

Things can be even more difficult when dealing with sensitive data, which includes any data that reveals the data subject’s:  

• Racial or ethnic origin.  
• Religion.  
• Political opinions.  
• Sexual orientation.  
• Genetic and biometric data.  
• Health data.  
• Financial information.  
• And similar data, depending on a given privacy regulation’s definition. 

In order to manage the flows of sensitive personal information throughout your organization and ensure it receives the protection it deserves, you’ll need to know where it is first. Data discovery and data mapping can help you identify where stores of personal information live, where it is flowing, and whether it’s receiving adequate protection. 

Download our free privacy policy checklist to help guide how you create or update your current privacy policy. 

How Is Data Discovered? 

There is a range of approaches to data discovery, some of which will be more appropriate for a particular use case than others. In organizations with a business intelligence function, it's likely that data discovery will be handled by a data science expert. However, if your goal is data privacy compliance, relying on a data science expert may not be the best data discovery approach. For one, this expert won’t be familiar with the intricacies and requirements of data privacy. They’ll also likely have multiple competing priorities. 

If compliance is your goal, then it’s better to take the following approach to data discovery.   

Steps to the Data Discovery Process 

The data discovery process involves a few simple steps. 

1. Map Your Data Systems

In most cases, data is scattered across multiple systems and departments, from human resources and customer support to marketing and finance. Discovering personal information in a single system isn’t too challenging, but the odds are any given data subject’s information will be transferred to, copied to, and stored in multiple systems. 

Thus, the first step in the data discovery process is to map your organization’s data systems. This isn’t about discovering data per se; rather, it is a preparatory step that will make it easier to discover specific data later on. 

The data mapping process has numerous benefits beyond enabling data discovery for, say, fulfilling DSARs—it's actually a key component to fulfilling other compliance requirements, such as data minimization, privacy risk assessments, generating Records of Processing Activities (RoPAs), and more. 

However, given the sheer number of systems in a given organization’s ecosystem, manually mapping your data systems can be prohibitively time-consuming. Fortunately, there are data privacy compliance platforms like Osano that automate the process. In the case of Osano, the platform discovers systems connected to your organization’s Single-Sign-On (SSO) provider, generating a map that you can use to direct your data discovery efforts. 

2. Identify Irrelevant or Deprecated Data Stores

Over the course of your organization’s growth, it’s likely that you’ll accumulate systems that could be used to store personal information but do not contain any such data, systems that are no longer used, and so on. You’ll want to flag these as such so you don’t waste any effort later on exploring and re-exploring these irrelevant or deprecated data stores. 

3. Generate Metadata for Mapped Data Stores

Once you’ve mapped your data stores and identified stores that don’t need to be explored, you’ll want to start tagging your data stores with metadata that will facilitate the data discovery process. 

This could include things like: 

• Which data stores are connected to one another and what the direction and nature of their data flows look like. 
• The owner and/or responsible party associated with the data store—this could be an internal stakeholder or an external vendor, for instance. 
• The number and type of data fields in the data store, as well as the expected classification of data they will contain. For example, a data store might contain several data fields meant to store demographic information, fields that store sensitive personal information, and so on. Conducting this exercise will not only help you track down important data for compliance activities more quickly, but you’ll also be able to see which data stores have yet to be classified and thus may be a source of additional risk. 

Again, it is possible to do all of this manually in a spreadsheet, but most organizations will benefit from using an automated solution. Osano Data Mapping is one such solution that automates and streamlines the mapping and tagging workflow. 

4. Discover Target Data

Having mapped, filtered, and tagged your organization’s data stores and the data fields they contain, it will be relatively straightforward to search for the data you need to work with.  

Often, you’ll perform data discovery in order to fulfill a DSAR—you might search through your data stores for all fields associated with a given contact. Because you’ll have identified which data stores are sending what information to where, you’ll know which down- and upstream data stores to investigate for relevant information. 

Osano performs this process for you and has the added benefit of automating common DSAR types. If “John Smith” requests the deletion of their data, for instance, Osano will search through your data map, discover all of John Smith’s data, and then delete it for you (upon human verification). 

5. Record Your Findings and Repeat the Process

In the end, make sure you record your findings and challenges. Data discovery and mapping isn’t a one-time process. It is something you should do on a continuous basis, refining your process or analyzing data from different angles. 

How Does Data Discovery Help With Data Mapping? 

Data mapping helps lay the foundations of your data discovery process. Many regulations now require businesses to have records of all their processing activities. Data mapping, while not specifically mandatory, makes the compliance process much easier. It helps you identify key elements of your data processing flow, such as legal basis, transfer methods, access, and more. 

Automated data discovery tools, which we’ll talk about more in the next section, can also ensure the identification of essential information by circumventing issues that manual discovery methods come with. 

Used together, data discovery and mapping help a company create unified data inventories. These make compliance much easier by:  

• Helping you run DPIAs whenever necessary. 
• Facilitating quicker responses in the case of DSARs. 
• Ensuring you have clear RoPAs. 
• And more. 

Automated Data Discovery Tools 

Data discovery and classification tools are an essential part of the process. 

Manual discovery can be tedious and almost impossible, especially when you have data scattered across dozens of systems. Even without dozens of systems, smaller companies that feel like they can cope without any discovery tools risk overlooking certain data sets. 

The data discovery tools you use should be focused on compliance first and foremost. These tools will truly help you with DSARs and other regulation-specific requirements, thus taking some of the stress off of your shoulders. 

Ready to check out an intuitive data discovery and classification solution that saves you hundreds of hours and helps you on your journey to compliance? Osano Data Mapping might be the best place to start. Schedule a demo with us today to learn how we can help you.