B
Boring Governance

The Complete Guide to Sensitive Data Discovery Tools

A practical guide to sensitive data discovery tools for small businesses. Find PII across your systems for DSAR compliance and data protection.

Last updated: 2026-02-07

What Are Sensitive Data Discovery Tools?

Sensitive data discovery tools are software that scans your files, databases, cloud storage, emails, and other systems to find personal and sensitive information. They look for patterns — Social Security numbers, credit card numbers, email addresses, phone numbers, names, health records — and tell you where that data lives.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. References to specific software products or services do not constitute endorsements. The regulatory context discussed here is based on the GDPR (Regulation (EU) 2016/679), the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), and related regulations, as of the date of publication.

Think of it as a search engine for personal data hiding across your business.

If you have ever tried to respond to a data subject access request (DSAR) and found yourself manually searching through Gmail, Google Drive, your CRM, your accounting software, and seventeen other places, you already know why these tools exist. They automate the painful "where is this person's data?" question.

But here is the thing: not every business needs one. If your data lives in three or four well-organized systems and you handle a handful of DSARs per year, a manual search with a good checklist might be perfectly adequate. This guide will help you figure out which camp you fall into and, if you do need a tool, which one makes sense.

Why Data Discovery Matters

DSAR Compliance

When someone submits a DSAR, you are legally required to find all their personal data across all your systems and provide it within a deadline (30 days under GDPR, 45 days under CCPA). The right to know what data a business holds is codified in CCPA (Cal. Civ. Code § 1798.100) and similarly in GDPR Article 15. Missing data in your response is not just sloppy — it is a compliance failure that a regulator can act on.

Data discovery tools make this search faster and more thorough. Instead of manually logging into every system and running searches, a discovery tool can scan multiple data sources and produce a consolidated report.

Data Mapping

Most privacy regulations require you to know what personal data you hold, where it is stored, and why you have it. This is called data mapping (or a "record of processing activities" under GDPR Article 30). Data discovery tools can build or validate your data map by actually scanning your systems rather than relying on people's best guesses about what is stored where.

Breach Response

If you experience a data breach, the first question is "what data was exposed?" Data discovery tools help you answer this quickly, which is critical because breach notification deadlines are tight — 72 hours under GDPR (Article 33).

Data Minimization

You are supposed to keep only the personal data you need for legitimate purposes — a principle formalized in GDPR Article 5(1)(e) as "storage limitation." Data discovery tools can reveal data you did not know you had — old customer records that should have been deleted, spreadsheets with sensitive information saved in random folders, personal data in places it should not be.

Categories of Data Discovery Tools

Not all data discovery tools work the same way. Here is a breakdown of the main types.

File System and Endpoint Scanners

These tools scan the files on your computers, servers, and network drives. They look through documents, spreadsheets, PDFs, text files, and other file types for patterns that match personal data.

Best for: Finding sensitive data in unstructured storage — shared drives, local files, network folders. This is where a lot of "shadow data" hides, the personal data that nobody remembers saving in a spreadsheet three years ago.

Examples: Spirion (formerly Identity Finder), Varonis, Ground Labs Enterprise Recon.

Cloud Storage Scanners

These connect to cloud services like Google Drive, OneDrive, Dropbox, Box, and AWS S3 to scan files stored in the cloud.

Best for: Businesses that are primarily cloud-based. If your team works in Google Workspace or Microsoft 365, this is where most of your unstructured data lives.

Examples: Microsoft Purview (built into Microsoft 365), Nightfall AI, Google Cloud DLP.

Database Scanners

These tools connect directly to databases (SQL Server, MySQL, PostgreSQL, Oracle, MongoDB, etc.) and scan the data within them for PII patterns.

Best for: Businesses with custom applications or databases that store customer data. If your product has a backend database, a database scanner can tell you exactly which tables and columns contain personal data.

Examples: IBM Guardium, Oracle Data Safe, open-source tools like piicatcher.

Email Scanners

These specifically target email systems — scanning inboxes, sent folders, and archives for personal data.

Best for: Email is one of the biggest repositories of personal data in any organization, and it is also one of the hardest to search manually. Email scanners can identify messages containing sensitive information and help with DSAR data collection.

Examples: Microsoft Purview (covers Outlook/Exchange), Proofpoint, Tessian (now part of Mimecast).

SaaS and API-Based Scanners

These connect to your SaaS applications (CRM, marketing tools, support platforms) through APIs and scan the data within them.

Best for: Businesses that rely heavily on SaaS tools. Instead of logging into each tool separately, these scanners pull data from multiple sources through their APIs.

Examples: Transcend, Ketch, BigID, Egnyte.

All-in-One Discovery Platforms

Some platforms combine multiple scanner types into a single product, covering files, databases, cloud storage, and SaaS applications.

Best for: Larger organizations with complex data environments that need a comprehensive view.

Examples: BigID, Spirion, Varonis, OneTrust.

Free and Open-Source Options

You do not always need to buy expensive software. There are several free and open-source tools that can handle sensitive data discovery for small businesses.

Microsoft Purview (Free Tier)

If you use Microsoft 365, you already have access to basic data discovery capabilities through Microsoft Purview (formerly Microsoft Information Protection). The free tier includes:

  • Sensitive information type detection across Microsoft 365 services
  • Basic data classification for files in OneDrive, SharePoint, and Exchange
  • Content search across your Microsoft 365 environment

The free version is limited compared to the premium tier, but for a small business on Microsoft 365, it is a solid starting point at no additional cost.

Presidio by Microsoft

Presidio is an open-source tool maintained by Microsoft for detecting and anonymizing PII in text. It can scan text content, identify dozens of PII types (names, phone numbers, credit card numbers, SSNs, email addresses, etc.), and optionally anonymize or redact what it finds.

Pros:

  • Free and open-source
  • Supports multiple PII types out of the box
  • Can be extended with custom recognizers
  • Available as a Python library or Docker container

Cons:

  • Requires technical knowledge to set up and use
  • Processes text content, not structured databases
  • No built-in scanning of file systems or cloud services (you need to feed it the text)

Best for: Businesses with developers who want a free tool for PII detection in text data, documents, or logs.

piicatcher

piicatcher is an open-source tool that scans databases for PII. It connects to your database, examines column names and sample data, and flags columns that likely contain personal information.

Pros:

  • Free and open-source
  • Supports major databases (PostgreSQL, MySQL, SQL Server, Oracle, etc.)
  • Quick to run — scans metadata and samples rather than full table scans
  • Generates reports showing which columns contain PII

Cons:

  • Database-only (does not scan files or cloud storage)
  • Requires command-line comfort
  • Detection is based on column names and data patterns, so it can miss creatively named fields

Best for: Businesses with databases that need a quick PII audit without spending money.

Google Cloud DLP

Google Cloud's Data Loss Prevention API can inspect and classify sensitive data. It offers a free tier that includes 1 GB of content inspection per month, which is enough for basic discovery tasks.

Pros:

  • Supports over 150 built-in detectors for global PII types
  • Can scan text, images, and structured data
  • Integrates with Google Cloud services and BigQuery
  • Free tier available

Cons:

  • Works best within the Google Cloud ecosystem
  • Requires technical knowledge to set up API calls
  • Costs can scale quickly beyond the free tier

Bulk Extractor

Bulk Extractor is a forensic tool that scans disk images, files, and directories for PII patterns (email addresses, phone numbers, credit card numbers, URLs, etc.).

Pros:

  • Free and open-source
  • Fast — processes data in parallel
  • Does not require parsing file systems (works on raw data)
  • Useful for forensic investigations and breach assessment

Cons:

  • Forensic tool — not designed for regular business use
  • Command-line only
  • Output requires interpretation

Commercial Options Worth Knowing About

If your needs outgrow free tools, here are commercial options across different price ranges.

For Small Businesses (Under $5,000/Year)

Nightfall AI — Cloud-native DLP that integrates with Slack, Google Drive, GitHub, Jira, and other SaaS tools. It scans content in real-time and can also be used for discovery. Pricing starts at a few hundred dollars per month for small teams.

Egnyte — Primarily a file sharing and governance platform, but includes data classification and discovery features. Good for businesses that also need cloud file storage. Pricing starts around $20 per user per month.

For Mid-Market ($5,000 to $25,000/Year)

Spirion (formerly Identity Finder) — One of the most established data discovery tools. Scans endpoints, file servers, databases, and cloud storage. Strong pattern matching for PII. Pricing is per endpoint or per user.

Ground Labs Enterprise Recon — Scans a wide range of data sources (file systems, databases, cloud, email) for PII. Known for accuracy in detecting regulated data types. Mid-market pricing.

Varonis — Focused on data security and governance, with strong discovery capabilities. Scans file systems, email, and cloud services. Better suited for businesses with significant unstructured data.

For Enterprise ($25,000+/Year)

BigID — The heavyweight. AI-powered data discovery and intelligence across virtually any data source. Overkill for most small businesses, but the gold standard for complex environments.

OneTrust Data Discovery — Part of the OneTrust privacy platform. Comprehensive scanning across cloud, on-premises, and SaaS environments. Enterprise pricing.

How to Evaluate Data Discovery Tools

If you decide you need a dedicated tool, here is what to look for.

Data Source Coverage

The most important factor. The tool needs to scan the systems where your data actually lives. Before evaluating any tool, make a list of your data sources:

  • What cloud services do you use? (Google Workspace, Microsoft 365, Dropbox, etc.)
  • Do you have databases? (What type?)
  • Where do you store files? (Local drives, network shares, cloud storage?)
  • What SaaS applications hold customer data?

Then check whether the tool supports those sources. A tool that scans databases but not Google Drive is useless if most of your data is in Google Drive.

Detection Accuracy

All discovery tools will have some false positives (flagging non-PII as PII) and false negatives (missing actual PII). The question is how much. Look for tools that:

  • Use multiple detection methods (pattern matching, context analysis, machine learning)
  • Allow you to tune detection rules
  • Let you review and confirm findings before taking action

Ask vendors for accuracy benchmarks and, ideally, run a proof-of-concept on your own data before buying.

Ease of Use

Some tools require a data engineer to set up and run. Others are point-and-click. Be honest about your team's technical capabilities. A powerful tool that nobody knows how to use is worse than a simple tool that everyone can run.

Reporting

The output of a discovery scan is only useful if you can understand it. Look for tools that produce clear reports showing:

  • Where PII was found (system, location, file/table)
  • What type of PII it is
  • How much was found
  • Risk-level classifications

Cost

Pricing models vary widely. Some tools charge per user, some per data source, some per GB scanned, and some per endpoint. Make sure you understand the total cost for your specific environment, not just the starting price on the website.

The Small Business Approach: Start Manual, Graduate to Tools

Here is our honest recommendation for small businesses.

Phase 1: Manual Discovery (Free)

Before you buy anything, do a manual data inventory:

  1. List every system that stores personal data (CRM, email, cloud storage, accounting software, HR tools, etc.)
  2. For each system, document what types of personal data it holds
  3. Note who has access to each system
  4. Record retention periods (how long data stays in each system)

This exercise takes a few hours and gives you 80% of what a discovery tool would find, because you know your business better than any scanner does. The scanner's advantage is finding the data you forgot about — the spreadsheet buried in a subfolder, the old database backup, the personal data in log files.

Phase 2: Targeted Scanning (Free to Low Cost)

Once you have your manual inventory, use free tools to scan the areas most likely to have hidden PII:

  • Use Microsoft Purview (if on Microsoft 365) to scan your cloud files and email
  • Use piicatcher (if you have databases) to audit your database columns
  • Use Presidio (if you have technical capability) to scan text-heavy data sources

This catches most of the data your manual inventory missed.

Phase 3: Commercial Tools (When Needed)

If you find that manual discovery plus free tools is not sufficient — usually because you have a large number of data sources, high DSAR volume, or complex data environments — then evaluate commercial options. Start with tools in the small business price range (Nightfall, Egnyte) before considering mid-market or enterprise solutions.

Key Takeaways

Data discovery does not have to be expensive or complicated. Here is the summary:

  • You need to know where personal data lives in your business. This is foundational for DSAR compliance, breach response, and data protection.
  • Start with a manual inventory. List your systems, document what data each one holds, and identify gaps.
  • Use free tools to fill the gaps. Microsoft Purview, Presidio, and piicatcher cover a lot of ground at no cost.
  • Invest in commercial tools only when the manual approach breaks down — usually due to data volume, system complexity, or high DSAR frequency.
  • No tool replaces understanding your own data. The best discovery tool in the world is useless if you do not know what to do with its findings.

References

  • General Data Protection Regulation (GDPR): Regulation (EU) 2016/679. Full text
  • California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text
  • NIST Privacy Framework: NIST Privacy Framework

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

Take the Next Step

Understanding where personal data lives is the foundation of privacy compliance. If you want a comprehensive framework for handling DSARs — from receiving a request through searching for data to delivering a response — download our DSAR Compliance Guide. It includes data search checklists, system inventory templates, and step-by-step workflows designed for small businesses.

Download the DSAR Compliance Guide