Finding Personal Data for DSAR Responses: Discovery Tools Guide
How to find personal data across your systems when fulfilling a DSAR. Discovery tools, manual search methods, and building a repeatable data map.
Last updated: 2026-02-08
The Hardest Part of Fulfilling a DSAR
You received a data subject access request. Now you need to find every piece of personal data you hold about this person, across every system. This is where most businesses struggle.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Where Personal Data Hides
Personal data is rarely in just one place. A typical small business holds personal data across:
- Primary database/application — customer records, account data
- CRM — contact details, interaction history, notes
- Email marketing — subscriber lists, engagement data, preferences
- Email inboxes — messages containing names, addresses, requests
- Customer support — tickets, chat logs, call notes
- Cloud storage — documents, spreadsheets, exports containing personal data
- Analytics — individual-level browsing data, event tracking
- Accounting/billing — invoices, payment records
- HR systems — employee records (for employee DSARs)
- Spreadsheets and local files — exports, one-off lists, ad hoc reports
- Paper records — printed forms, signed documents
Missing any of these means an incomplete response — which is a compliance failure.
Two Approaches
Manual Search (For Low Volume)
If you receive only a few requests per month, search each system manually:
- Build a data map first. List every system that holds personal data. Do this once; update when you add or remove systems.
- Create a search checklist. For each DSAR, work through the list system by system.
- Search by identifiers. Use the requester's name, email, phone number, account ID, and any other identifiers to search each system.
- Document what you find. For each system, note what data was found and where.
- Check for third-party data. If the results contain other people's personal data (e.g., names in email threads), redact before responding.
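The manual steps above, sketched as an added example (not code from this guide or from any tool it names): it walks a data map system by system, matches records on the requester's identifiers, documents what was found where, and lists other people's email addresses to redact. The subject, systems and records are constructed sample data, the function names are hypothetical, and phone matching assumes 10-digit national numbers.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Constructed sample data: one requester and a three-system data map of exported records.
SUBJECT = {"name": "Jane Doe", "email": "jane.doe@example.com",
           "phone": "+1 555 010 0123", "account_id": "A-1042"}
DATA_MAP = {
    "crm": ["A-1042 | Jane Doe | JANE.DOE@example.com | (555) 010-0123",
            "A-10420 | Sam Lee | sam.lee@example.com | 555-010-0199"],
    "support": ["Ticket 88 from jane.doe@example.com, cc bob.ray@example.org: refund request"],
    "billing": ["Invoice 7 for account A-2000, contact mary.jane.doe@example.com"],
}

def digits(value):
    """Strip formatting so '+1 555 010 0123' and '(555) 010-0123' compare equal."""
    return re.sub(r"\D", "", value)

def has_token(text, value):
    """Case-insensitive whole-token match, so A-1042 does not hit A-10420."""
    pattern = r"(?<![\w.+-])" + re.escape(value) + r"(?![\w-])"
    return re.search(pattern, text, re.IGNORECASE) is not None

def has_phone(text, phone):
    """Compare the last 10 digits of every phone-like run in the text (assumption)."""
    want = digits(phone)[-10:]
    return any(digits(c)[-10:] == want for c in PHONE_RE.findall(text))

def search_data_map(data_map, subject):
    """Return, per system, the matching records, which identifiers hit, and what to redact."""
    report = {}
    for system, records in data_map.items():
        hits = []
        for rec in records:
            matched = [k for k, v in subject.items()
                       if (has_phone(rec, v) if k == "phone" else has_token(rec, v))]
            if matched:
                # Any email address that is not the requester's is third-party data.
                others = {e.lower() for e in EMAIL_RE.findall(rec)} - {subject["email"].lower()}
                hits.append({"record": rec, "matched_on": matched, "redact": sorted(others)})
        report[system] = hits  # empty list = system was searched, nothing found
    return report

if __name__ == "__main__":
    for system, hits in search_data_map(DATA_MAP, SUBJECT).items():
        print(system, hits)
```

Systems with no hits stay in the report with an empty list, which gives you a record that the system was searched.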
Discovery Tools (For Higher Volume)
Data discovery tools automate the search across connected systems. They scan files, databases, cloud storage, email, and other systems for patterns that match personal data (names, email addresses, SSNs, phone numbers, etc.).
What to look for:
- Pre-built connectors for your systems (Google Workspace, Microsoft 365, Salesforce, HubSpot, AWS, databases)
- Pattern matching — recognizes PII patterns (email, phone, SSN, credit card) across unstructured data
- Search by individual — can search for all data related to a specific person, not just scan for PII generally
- Export capability — can produce a report of all data found for a specific individual
Categories of tools:
- DSAR-specific platforms (e.g., DataGrail, Ethyca, Mine) — built specifically for request fulfillment with system connectors and workflow management
- Data discovery platforms (e.g., BigID, Spirion, Varonis) — broader data classification tools that can also support DSAR fulfillment
- Cloud-native tools — Google Workspace and Microsoft 365 have built-in search that covers email, documents, and drive
Building a Reusable Data Map
Whether you use tools or manual search, build a data map that you maintain over time:
- List every system that holds personal data
- For each system, document: what personal data it contains, how data enters (collected directly, synced from another system, imported), and how to search it
- Note access method — who has credentials, how to run a search, any export limitations
- Update when systems change — new tools, decommissioned systems, new integrations
This map turns every future DSAR from a scavenger hunt into a checklist.
Common Gaps
- Email — people forget to search email inboxes, which often contain personal data in message bodies and attachments
- Spreadsheets — ad hoc exports, one-off customer lists, and manual reports are easy to miss
- Third-party tools — data shared with vendors, contractors, or partners that you need to account for
- Backups — you need to know backup retention periods even if you cannot selectively search them