What Personal Data Do You Actually Hold? A Small Business Audit Guide

You Hold More Personal Data Than You Think

Every small business owner we have spoken to says some version of the same thing: "We do not really hold that much personal data." And every time they actually sit down and map it out, they are surprised by how much there is.

Personal data is not just names and email addresses. Under the GDPR, the UK GDPR, the CCPA, and virtually every modern privacy law, personal data is any information that identifies or can identify a living individual. That includes obvious things like names and addresses, but also IP addresses, employee performance reviews, customer support transcripts, CCTV footage, and the metadata in every email you have ever sent or received.

If you have ever had to respond to a DSAR (data subject access request) without knowing where all your data lives, you know the problem. You end up searching system by system, discovering data you forgot you had, and spending far more time than necessary. A data inventory solves this. It does not need to be complicated, and it does not need to take weeks. Here is how to do it.

Why Businesses Underestimate Their Data

There are three main reasons businesses hold more personal data than they realize:

1. Data Accumulates Silently

Every tool you sign up for, every form you create, every email you send — data accumulates. You added a CRM three years ago and imported your contacts. You switched email providers and the old mailbox is still sitting there. A former employee's Google Drive still contains client files. Nobody deliberately hoarded data; it just built up over time.

2. SaaS Tools Multiply the Problem

The average small business uses between 20 and 40 SaaS applications. Each one holds some personal data — sometimes obvious (your email marketing platform has names and email addresses), sometimes less so (your project management tool has client names, deadlines, and communication records). Data does not just live in your systems; it lives in every vendor's systems too.

3. People Forget About Informal Channels

Personal data does not stay in the neat boxes you set up for it. Customers email their personal details to your general inbox. Employees share files via personal cloud storage. Someone saves a spreadsheet of client phone numbers to their desktop. A contractor keeps project notes in their own system. These informal channels are some of the hardest to account for, and some of the most likely to contain personal data.

A Systematic Walkthrough: Where Personal Data Hides

Work through each of these categories. For each one, note what personal data it contains, whose data it is (customers, employees, suppliers, prospects), and roughly how much.

Email

Your email system is almost certainly your largest repository of personal data, and it is the one most businesses overlook. Every email you have sent or received that involves a real person contains personal data — the sender's name, email address, and often far more in the body of the message.

Check:

• Current email accounts — all staff inboxes, shared mailboxes, and distribution lists
• Archived email — old mailboxes, exported PST files, archived accounts
• Attachments — contracts, invoices, CVs, and documents containing personal details
• Deleted items — depending on your retention settings, "deleted" emails may still be recoverable

CRM and Sales Tools

Your CRM is designed to hold personal data, so this one is usually obvious. But check the details:

• Contact records — names, email addresses, phone numbers, job titles, company names
• Communication history — logged emails, call notes, meeting notes
• Deal and pipeline data — often references specific individuals
• Custom fields — look at any custom fields your team has added; they may contain data you did not expect
• Imported data — old CSV imports that brought in data you may have forgotten about

HR and People Systems

If you have employees (or have ever had employees), you hold significant amounts of personal data about them:

• Employee records — names, addresses, dates of birth, National Insurance or Social Security numbers, bank details for payroll
• Recruitment data — CVs, application forms, interview notes, reference checks
• Performance data — reviews, disciplinary records, training records
• Former employee data — how long are you retaining records after someone leaves?
• Contractor and freelancer records — contracts, payment details, tax information

Finance and Accounting

Your accounting software holds personal data even if it does not feel like a "personal data system":

• Customer invoices — names, addresses, possibly bank details
• Supplier records — individual contact details for suppliers and their employees
• Payroll data — bank details, tax information, salary history
• Expense claims — employee expenses often contain personal details (travel bookings, receipts with names)

Marketing

Marketing systems are built around personal data:

• Email marketing platforms — subscriber lists with names, email addresses, and engagement data (opens, clicks, preferences)
• Advertising platforms — audience lists, custom audiences uploaded from your customer data, pixel and tracking data
• Social media accounts — follower lists, direct messages, comment data
• Lead generation — form submissions, downloaded content, webinar registrations
• Analytics — website analytics tools that collect IP addresses, location data, device information, and browsing behavior

Cloud Storage and File Sharing

Cloud storage is where unstructured personal data accumulates:

• Google Drive, OneDrive, Dropbox, etc. — documents, spreadsheets, presentations containing personal data
• Shared drives — team folders that may contain client information, employee files, or project data
• Personal storage — individual employees' cloud storage that contains work-related personal data

Customer Support

Support systems contain detailed personal data, often including sensitive information:

• Help desk tickets — customer names, email addresses, account details, and the content of their queries
• Live chat transcripts — full conversation histories
• Phone call recordings — if you record support calls, these are personal data
• Knowledge base interactions — if your knowledge base tracks users, that data counts

Physical Records

Do not forget the physical world:

• Paper files — contracts, invoices, HR files, client records
• Business cards — that drawer of business cards is personal data
• CCTV — if you have security cameras, the footage is personal data
• Visitor logs — sign-in sheets at reception
• Handwritten notes — meeting notes, client notes

Website and Applications

Your own digital properties collect personal data:

• Contact forms — submissions stored in your CMS or email
• Account data — if users create accounts, everything in their profile
• Cookies and tracking — analytics cookies, advertising pixels, session recordings
• Server logs — IP addresses, user agents, and request data

Mapping Data Across Third-Party Tools

Once you have identified where data lives internally, map it across your third-party tools. For each SaaS application your business uses, ask:

1. What personal data does this tool hold? — Check the tool's data export or privacy settings to see what categories of data it stores.
2. Whose data is it? — Customers, employees, prospects, suppliers?
3. Where is the data stored? — What country are the servers in? This matters for cross-border data transfer compliance.
4. How long is data retained? — Does the tool automatically delete old data, or does it keep everything forever?
5. Can you export data? — If you receive a DSAR, can you easily extract one person's data from this tool?
6. Can you delete data? — If you receive a deletion request, can you remove one person's data without affecting everything else?

Make a list of every SaaS tool your business uses. A practical way to do this is to check your company credit card or bank statements for recurring software subscriptions. You will probably find tools you forgot you were paying for — and those tools may still hold personal data.

The Simple Data Inventory Approach

You do not need expensive software to create a data inventory. A spreadsheet works. Here is a practical structure:

Column Headings

| System/Tool | Data Categories | Data Subjects | Approx. Volume | Location | Retention Period | DSAR Accessible? | Deletion Possible? | |---|---|---|---|---|---|---|---|

How to Fill It In

• System/Tool: The name of each system, tool, or data source (e.g., "HubSpot CRM," "Gmail," "Paper HR files")
• Data Categories: What types of personal data it contains (e.g., "names, emails, phone numbers, purchase history")
• Data Subjects: Whose data it holds (e.g., "customers," "employees," "prospects")
• Approx. Volume: A rough count — is it 50 records or 50,000? This helps you prioritize.
• Location: Where the data is stored (e.g., "EU servers," "US cloud," "office filing cabinet")
• Retention Period: How long the data is kept, and whether there is automatic deletion
• DSAR Accessible? Can you search and extract one individual's data from this system?
• Deletion Possible? Can you delete one individual's data on request?

Work through each system in your business. This exercise typically takes a few hours for a small business, and the result is a single document that tells you exactly where personal data lives.

How a Data Inventory Speeds Up DSAR Responses

When you receive a data subject access request, the first question is always: "Where is this person's data?" Without a data inventory, you are searching blind — checking each system one by one, hoping you have not missed anything. With an inventory, you have a checklist.

A data inventory directly improves your DSAR process in three ways:

1. Faster Searches

You know exactly which systems to search. Instead of spending days figuring out where data might be, you work through your inventory, checking each system that might hold the requester's data. This can reduce search time from days to hours.

2. Complete Responses

An inventory reduces the risk of missing data. If you know you hold personal data in 12 systems, you check all 12. Without an inventory, you might check the obvious five and miss the other seven.

3. Defensible Process

If a requester complains to a regulator that your response was incomplete, you can demonstrate the process you followed — which systems you searched, what you found, and how you compiled the response. An inventory turns your DSAR process from ad hoc to systematic.

Keeping Your Inventory Current

A data inventory is only useful if it is up to date. You do not need to review it daily, but schedule a review at least every six months, or whenever you:

• Add a new SaaS tool or system
• Change a major business process
• Hire new employees or contractors who will handle personal data
• Receive a DSAR that reveals data in a system not on your inventory

Assign ownership of the inventory to one person. If no one is responsible for it, it will be out of date within months.

References

• General Data Protection Regulation (GDPR): Article 30 — records of processing activities. GDPR Article 30
• ICO guidance: Documentation and records of processing. ICO accountability and governance
• CCPA: Cal. Civ. Code § 1798.100 — businesses' obligations to know what personal information they collect. California Legislative Information

Related Guides

• Data Mapping for DSAR Readiness — connecting your inventory to your DSAR process
• Building a DSAR Workflow — workflow design
• Automate Data Privacy Compliance — reducing manual effort