GDPR Data Discovery
Map personal data across your organisation's endpoints to fulfil GDPR obligations. Region-aware, DSAR-linked, audit-ready.
- Identify personal data across endpoints — names, IDs, health records, financial data
- Region-specific detection rules for EU member states
- DSAR-ready: link findings to data subject access requests
- Map findings to GDPR Articles 5, 30, and 32
- OCR scanning for personal data in images and scanned documents
GDPR fine structure alignment
Every finding maps directly to GDPR obligations. Here's how EmberHound supports the articles most relevant to data discovery.
Article 5 — Principles
Data minimisation & accuracy
EmberHound maps where personal data lives so you can demonstrate that storage is proportionate and accurate — a prerequisite for Article 5(1)(c) and 5(1)(d) compliance.
Read the full article on GDPR.eu →Article 30 — Records of Processing
Maintain processing records
Findings and evidence exports serve as machine-generated records of what personal data categories exist, on which devices, and when they were last observed.
Read the full article on GDPR.eu →Article 32 — Security of Processing
Appropriate technical measures
Endpoint scanning with masked metadata, encrypted transit, and tenant isolation demonstrate that you've implemented appropriate technical and organisational measures.
Read the full article on GDPR.eu →How it works — technical detail
From agent deployment to evidence export in five steps.
1. Deploy the agent
Install a lightweight agent on endpoints (Windows, macOS, Linux). The agent scans the local file system using configurable rule packs — no data leaves the device until it's been redacted.
2. Scan & classify
Pattern matching, keyword proximity, checksum validation, and optional OCR run locally. Each match produces a masked preview (e.g. j***.d**@***.com) and a salted SHA-256 fingerprint.
3. Review findings
The cloud console aggregates findings by data category, device, and risk level. Drill into occurrences, view evidence timelines, and assign remediation owners.
4. Link to DSARs
When a data subject submits an access or erasure request, the platform cross-references normalised identifier hashes against findings to surface all relevant locations.
5. Export evidence
Generate audit-ready PDF and CSV reports mapped to GDPR articles. Reports are SHA-256 hashed for tamper-evidence and stored in encrypted object storage.
DSAR workflow
Data Subject Access Requests are handled end-to-end — from identifier normalisation to evidence export.
DSAR received
Data subject submits access/erasure request via your preferred channel.
Identifier normalised
The identifier (email, name, ID) is normalised and hashed using a peppered SHA-256 algorithm.
Cross-reference findings
Hashed identifier is matched against finding_identifiers to surface all personal data locations.
Review & respond
Privacy officer reviews matched findings, exports evidence, and completes the request within the 30-day deadline.
Frequently asked questions
From our blog
Practical GDPR guidance for IT administrators and security teams.
Related resources
- Data Breach Notification Under GDPR: The First 72 Hours
Step-by-step obligations from discovery to regulator notification.
- GDPR Article 30: Build a ROPA Without a Spreadsheet
How to maintain processing records using automated data discovery.
- What is a DSAR and How Do You Respond in 72 Hours?
Everything you need to handle data subject access requests on time.
- How to Prepare for a GDPR Audit: 10-Point Checklist
A practical audit preparation guide for IT administrators.
Ready to map your GDPR exposure?
Deploy the agent, run your first scan, and get audit-ready findings — typically in under an hour.