


Data Discovery and Privacy Laws: What You Need to Know

As a decision-maker, marketing professional or data analyst in your company, you are probably swamped with data, yet somehow lack actionable information. Data discovery methods can help uncover precious insights, including things that are essential for your company’s compliance.

👀 In this post we explain what data discovery is, why and how it could be useful for your data compliance. Let’s dive in!


We can all agree that having a huge amount of data is pointless if you’re not able to obtain clear information out of it. Well, that’s when data discovery comes in.

What is data discovery?

Data discovery simply means putting various sources of data together, sorting through it, analyzing it and making sense of it in order to get actionable insights.
It is often used for understanding trends, for data modeling (visual representations of data elements and how they are connected to each other), and more.
It is a step-by-step process that you can use as a framework to better understand your data and improve your decision-making.

📌 How to do basic data discovery

A basic data discovery process looks like this:

  1. understand how your different sources of data are connected;
  2. sort, clean and prepare your data;
  3. analyze your data;
  4. organize your data in an easy-to-understand and visual way;
  5. use data and models to gain insights on processes.

Some key insights that data discovery can uncover include problems linked to products (e.g. returns, defects), promotional flops, a decrease in market share due to price competition, and more.

🔍 Similar to data discovery, data mapping is a process that details the types of data and its movements/transfers throughout your business and beyond. Read our article to learn more.

Using data discovery for data privacy compliance

Data discovery can be useful both for organizational processes and for legally mandatory processes. Here you can find 4 use cases for which data discovery has proven handy!

In regard to personal data, data discovery methods can help you:

  • keep track of the personal data your company collects and processes and what categories it belongs to;
  • know who has access to the data;
  • know where and how long the personal data is stored;
  • uncover data privacy risks or potential data breaches; and
  • ultimately, handle better quality data in a more compliant way.

📌 Data discovery for data privacy: use cases

Let’s take a look at 4 specific examples in which data discovery methods can prove handy.

1. Data classification

Personal information or sensitive personal information? There’s a difference!

You should be clear on the different categories of personal data you hold, and classify them by how sensitive they are and how much risk is associated with them.

💡 Don’t be fooled! Many companies think they know where all their data is, or think they don’t even store sensitive information – when they in fact do. The privacy field is notoriously complex, so it’s in your best interest to use data discovery.

Sensitive data gets special attention under data privacy laws such as California’s CPRA, or as “special categories of personal data” under the GDPR, and needs to be handled differently. You should have appropriate measures in place for protecting this data and monitoring risks from internal and external threats.

👋 Not sure if you handle sensitive personal information?

🚀 Read our guide to find out!

2. Data Protection Impact Assessment (DPIA)

Having data discovery tools in place can help you with implementing a DPIA, which, under Article 35 of the GDPR, is required when data processing could pose a high risk to the rights and freedoms of users.

A Data Protection Impact Assessment is a process for analyzing and minimizing the risks associated with personal data processing. It includes:

  • Full descriptions of the data processed;
  • The purpose of the processing activity;
  • An evaluation of the scope and necessity of the processing activity in relation to the purpose;
  • An assessment of the risk posed to users;
  • Measures in place to address that risk.

🔍 Here is a free template we have on DPIA. Click here to check it out!

3. Data Subject Access Request (DSAR)

Under privacy laws such as the GDPR, CPRA and VCDPA, individuals have a right to access the personal data a company holds about them. They can ask for information about the processing of this data. Under the GDPR, they also have further rights of rectification or erasure.

A Data Subject Access Request (DSAR) is the request that users send to exercise their right to access. Needless to say, having all your data uncovered and mapped out thanks to data discovery tools will be a lifesaver. It will allow you to answer in a timely fashion – under the GDPR, preferably within one month.

4. Data inventory for legally required record-keeping

Under privacy laws like the GDPR, you are required to internally maintain clear records of processing activities. Specifically, you need to keep information about:

  • which categories of user data you collect;
  • how you store and use this data;
  • how long you keep the data for (this is called a data retention policy);
  • security measures;
  • legal basis for processing;
  • data transfers outside the EU;
  • parties you share the data with.

Maintaining records of all of the above is quite complicated!

🚀 Software like the Register of Data Processing Activities by iubenda can make this much easier, as it simplifies the technical process of creating and maintaining records of processing activities.
