GDPR Data Discovery

Map personal data across your organisation's endpoints to fulfil GDPR obligations. Region-aware, DSAR-linked, audit-ready.

  • Identify personal data across endpoints — names, IDs, health records, financial data
  • Region-specific detection rules for EU member states
  • DSAR-ready: link findings to data subject access requests
  • Map findings to GDPR Articles 5, 30, and 32
  • OCR scanning for personal data in images and scanned documents

GDPR fine structure alignment

Every finding maps directly to GDPR obligations. Here's how EmberHound supports the articles most relevant to data discovery.

Article 5 — Principles

Data minimisation & accuracy

EmberHound maps where personal data lives so you can demonstrate that storage is proportionate and accurate — a prerequisite for Article 5(1)(c) and 5(1)(d) compliance.

Read the full article on GDPR.eu →

Article 30 — Records of Processing

Maintain processing records

Findings and evidence exports serve as machine-generated records of what personal data categories exist, on which devices, and when they were last observed.

Read the full article on GDPR.eu →

Article 32 — Security of Processing

Appropriate technical measures

Endpoint scanning with masked metadata, encrypted transit, and tenant isolation demonstrate that you've implemented appropriate technical and organisational measures.

Read the full article on GDPR.eu →

How it works — technical detail

From agent deployment to evidence export in five steps.

1. Deploy the agent

Install a lightweight agent on endpoints (Windows, macOS, Linux). The agent scans the local file system using configurable rule packs — no data leaves the device until it's been redacted.

2. Scan & classify

Pattern matching, keyword proximity, checksum validation, and optional OCR run locally. Each match produces a masked preview (e.g. j***.d**@***.com) and a salted SHA-256 fingerprint.

3. Review findings

The cloud console aggregates findings by data category, device, and risk level. Drill into occurrences, view evidence timelines, and assign remediation owners.

4. Link to DSARs

When a data subject submits an access or erasure request, the platform cross-references normalised identifier hashes against findings to surface all relevant locations.

5. Export evidence

Generate audit-ready PDF and CSV reports mapped to GDPR articles. Reports are SHA-256 hashed for tamper-evidence and stored in encrypted object storage.

DSAR workflow

Data Subject Access Requests are handled end-to-end — from identifier normalisation to evidence export.

1

DSAR received

Data subject submits access/erasure request via your preferred channel.

2

Identifier normalised

The identifier (email, name, ID) is normalised and hashed using a peppered SHA-256 algorithm.

3

Cross-reference findings

Hashed identifier is matched against finding_identifiers to surface all personal data locations.

4

Review & respond

Privacy officer reviews matched findings, exports evidence, and completes the request within the 30-day deadline.

Frequently asked questions

Ready to map your GDPR exposure?

Deploy the agent, run your first scan, and get audit-ready findings — typically in under an hour.

We use cookies to improve your experience and analyse site usage. Privacy policy.