Best GDPR Discovery Tools in 2026 (Find Personal Data Before Regulators Do)
Article 30 of the GDPR requires most businesses to keep records of processing activities (ROPA): what personal data you hold, why, where, and for how long. You cannot write that record, answer a subject access request, or notify the supervisory authority within 72 hours of becoming aware of a breach if you do not actually know where personal data lives in your systems. That is the job of data discovery.
The uncomfortable truth for most small companies: personal data is not just in the CRM. It is in exported spreadsheets on someone's laptop, in a Mailchimp list nobody has touched since 2023, in support tickets, in call recordings, and in the backups of all of the above. GDPR discovery tools scan those locations automatically. This guide covers what they actually do, whether your business needs one at all, six options from budget to enterprise, and a free manual method that satisfies Article 30.
What GDPR Data Discovery Tools Actually Do
Vendors label this category inconsistently — data discovery, data mapping, privacy operations — but the useful products do four concrete jobs:
- Scan and inventory. They connect to your data sources — file shares, databases, cloud storage, and (most relevant for SMBs) SaaS apps via API — and build a live inventory of the systems that hold personal data. The better SMB tools discover shadow IT too, by reading OAuth grants and SSO logs to surface apps your team connected without telling anyone.
- Classify. They identify which data is personal data: names, emails, IP addresses, and the special categories (health, biometrics, political opinions) that carry stricter rules. Classification accuracy is the main quality difference between cheap and expensive tools.
- Generate the ROPA. The scan output becomes your Article 30 record — exportable when a regulator or enterprise customer asks for it. This alone replaces the spreadsheet most companies scramble to build the week before an audit.
- Find one person's data on demand. When a data subject access request arrives, discovery tooling searches every connected system for that individual instead of you emailing five department heads and hoping.
Some platforms add DPIA workflows, vendor/DPA tracking, and consent management on top. Treat those as bonuses — buy for the scanning and mapping core.
Do Small Businesses Even Need One?
Honest answer: not always, and vendors will not tell you that. The GDPR requires you to know your processing activities; it does not require you to buy software to know them.
Manual mapping is enough when: you run roughly ten systems or fewer, one person can still name every place customer data goes, and your data flows change a few times a year, not weekly. A freelancer or five-person agency with a CRM, an email tool, accounting software, and Google Workspace can map everything in an afternoon using the spreadsheet method below, then work through our GDPR compliance checklist for small businesses for the rest.
A discovery tool starts paying for itself when:
- You have SaaS sprawl — 15-20+ apps, some connected by employees you never asked. If you cannot list your own stack from memory, a scanner can.
- DSARs take longer than a day because nobody is sure which systems to search.
- Enterprise customers send security questionnaires asking for your ROPA and data flow diagrams, and winning the deal depends on answering fast.
- You process special-category data (health, biometrics) or other high-risk data (HR files, financial records), where a breach in a system you never mapped is a reportable incident, not an embarrassment.
If you are under that threshold, skip to the free manual method — it is genuinely sufficient, and regulators accept spreadsheet ROPAs from small companies.
6 Best GDPR Data Discovery Tools Compared
These six span the realistic range: two you can buy with a company card, two mid-market platforms, and two enterprise systems included so you know what you are not missing. Pricing below is directional as of mid-2026 — most vendors quote per data source or per employee count, so confirm current pricing before budgeting.
| Tool | Best for | Pricing model (as of 2026) | SaaS connectors | ROPA export | DSAR search |
|---|---|---|---|---|---|
| MineOS | SMBs with SaaS sprawl | Published tiers; free trial | Strong — discovers apps via email/SSO signals | Yes | Yes, automated |
| Osano | Small teams wanting consent + mapping in one | Published tiers; free consent tier | Good, on paid plans | Yes | Yes |
| Ketch | Mid-market, marketing-heavy stacks | Quote-based | Strong | Yes | Yes |
| Exterro | Legal/compliance teams, regulated industries | Quote-based | Moderate — deeper on internal systems | Yes | Yes, legal-grade workflow |
| BigID | Enterprises with large data stores | Enterprise quote | Very broad, incl. databases and lakes | Yes | Yes |
| Varonis | File-server and Microsoft 365-heavy environments | Enterprise quote | Focused on files/M365/AD over SaaS | Partial — security-first | Via data classification |
MineOS — best for small businesses with too many SaaS apps
MineOS attacks the exact problem most SMBs have: nobody knows what is connected. Instead of asking you to list systems, it infers your stack from email metadata and SSO records, then maps what personal data each app holds. DSAR automation is built in, and the setup is measured in hours, not consultant-weeks. Limits: it is SaaS-centric — if your personal data lives in self-hosted databases or network file shares, it sees less. For a 10-50 person company running on cloud apps, it is the most practical starting point on this list. Note it also covers CCPA workflows if you sell into California — see how GDPR and CCPA differ before assuming one config covers both.
Osano — best if you want consent management and data mapping in one bill
Osano is better known for cookie consent, but its paid plans add data mapping, DSAR handling, and vendor risk monitoring. The appeal for a small business is consolidation: one vendor for the cookie banner, the ROPA, and subject requests instead of three subscriptions. The mapping is questionnaire-plus-integration rather than deep scanning, so classification depth trails MineOS or BigID. There is a free tier for basic consent, which makes it a low-risk way to start and upgrade into mapping later. Check current tier boundaries — what sits in which plan has shifted more than once.
Ketch — best mid-market pick for marketing-heavy stacks
Ketch positions itself as a "programmatic privacy" platform: discovery plus consent orchestration that actually propagates opt-outs into downstream tools like ad platforms and CDPs. That matters if your risk is not a dusty file server but an aggressive martech stack. Pricing is quote-based and lands above the SMB tools, and implementation assumes someone technical owns it. Pick Ketch when marketing data flows are your main exposure and you have outgrown checkbox-level tools.
Exterro — best for regulated industries and legal-driven privacy
Exterro comes from the e-discovery world, and it shows: defensible workflows, audit trails, and legal-hold thinking applied to privacy. Its data discovery, DSAR, and DPIA modules suit companies where the legal team, not IT, owns GDPR — law-adjacent firms, finance, insurance. It is heavier and costlier than anything an average 20-person business needs, but if your DSARs may end up as evidence, the workflow rigor is the product.
BigID — the enterprise benchmark for discovery depth
BigID is what large enterprises deploy when they need to find personal data across hundreds of databases, data lakes, and file systems with ML-based classification. It is the depth benchmark for the category — and overkill below several hundred employees, with pricing and implementation timelines to match. It earns its slot as a calibration point: this is what actual enterprise-grade discovery looks like.
Varonis — best when the data lives in files and Microsoft 365
Varonis is a data security platform first, a privacy tool second. Its strength is classifying and monitoring unstructured data — network shares, SharePoint, OneDrive, Exchange — and flagging exposed permissions ("this HR folder is open to the whole company"). If your GDPR nightmare is decades of files rather than SaaS apps, it fits; pair it with process work because it will not manage your DSAR workflow the way Osano or Exterro do. Enterprise pricing applies.
Not Sure Which Category of Tool You Need First?
Discovery is one piece. Our GDPR tools hub compares consent, DSAR, policy, and discovery platforms side by side so you buy in the right order.
Free and Manual Alternatives: The Spreadsheet Data Map
No budget, fewer than ~10 systems? Build your data map manually. This produces a legitimate Article 30 ROPA — several regulators (including the UK's ICO and France's CNIL) publish free templates that look almost exactly like this. Here is the walkthrough:
- List every system. Pull your app list from three sources: your card/bank statements (anything with a subscription), your password manager or SSO dashboard, and a 15-minute ask-around ("what tools do you use that I might not know about?"). Expect to find 2-3 surprises.
- Create one row per system with these columns: system name, owner, data categories held (contact details, payment data, HR data, health data), data subjects (customers, employees, prospects), purpose, lawful basis, hosting location (EU / US / unknown), retention period, who it is shared with, and security measures.
- Flag special-category and high-risk rows. Health records, background checks, children's data, anything biometric. These rows get stricter lawful-basis answers and are your DPIA candidates.
- Fill the "unknown" cells honestly. An unknown hosting location or a blank retention period is a finding, not a failure — it tells you exactly what to fix. Our website privacy audit checklist covers the website-facing rows (analytics, forms, embedded scripts) in detail.
- Review quarterly and on every new tool. A data map that is 18 months old is close to worthless. Put a recurring calendar entry on it — the review takes 30 minutes.
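The checks the walkthrough describes (unknown cells as findings, special-category rows as DPIA candidates, stale reviews) and the shadow-IT idea from the discovery-tool section (apps seen in OAuth grants or SSO logs that never made it into the map) can both be run over the spreadsheet itself. The script below is an added example, not code from the page or any vendor: it reads a ROPA in the column layout from step 2 (plus a last_reviewed column), lists every finding per system, and reports apps present in a discovery signal but absent from the ROPA. The ROPA rows and the DISCOVERED_APPS list are constructed sample data, and the list stands in for whatever a discovery tool would infer from OAuth/SSO signals; it is not read from any real API.

```python
"""Check a spreadsheet ROPA the way the walkthrough describes and reconcile it
against app-discovery signals (the OAuth-grant / SSO-log inventory idea)."""
import csv
import io
from datetime import date, timedelta

# Categories the walkthrough flags for stricter lawful-basis answers and DPIAs.
SPECIAL_OR_HIGH_RISK = {"health data", "biometric data", "background checks", "children's data"}
# Cell values that count as "unknown" and therefore as a finding.
UNKNOWN_VALUES = {"", "unknown", "?", "tbd"}
REVIEW_INTERVAL = timedelta(days=92)  # the quarterly review from step 5

# Constructed sample ROPA using the column layout from step 2, plus a review date.
ROPA_CSV = """system,owner,data_categories,data_subjects,purpose,lawful_basis,hosting_location,retention_period,shared_with,security_measures,last_reviewed
HubSpot CRM,Sales lead,contact details,customers;prospects,sales pipeline,legitimate interests,US,3 years after last contact,none,SSO + MFA,2026-01-15
BambooHR,Ops,HR data;health data,employees,HR administration,legal obligation,EU,6 years after employment ends,payroll provider,SSO + MFA,2026-02-01
Mailchimp,Marketing,contact details,prospects,newsletter,consent,US,,none,password only,2024-09-30
Old exports share,Unknown,contact details;payment data,customers,unknown,unknown,unknown,unknown,unknown,unknown,
"""

# Constructed list of app names as a discovery tool would infer them from
# OAuth grants and SSO sign-in logs (hypothetical signal source, not a real API).
DISCOVERED_APPS = ["HubSpot CRM", "BambooHR", "Mailchimp", "Calendly", "Notion"]


def parse_ropa(csv_text):
    """One dict per system row, keyed by the header columns."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def ropa_findings(rows, today):
    """Return (system, finding) pairs. An unknown cell is a finding, not a failure."""
    findings = []
    for row in rows:
        name = row["system"]
        # Step 4: every unknown/blank cell (other than the review date) is a to-do.
        for column, value in row.items():
            if column != "last_reviewed" and value.strip().lower() in UNKNOWN_VALUES:
                findings.append((name, f"unknown {column}"))
        # Step 3: special-category or high-risk rows are DPIA candidates.
        categories = {c.strip().lower() for c in row["data_categories"].split(";")}
        if categories & SPECIAL_OR_HIGH_RISK:
            findings.append((name, "special-category data: DPIA candidate"))
        # Chapter V: data hosted outside the EU needs a transfer mechanism on record.
        hosting = row["hosting_location"].strip().lower()
        if hosting not in UNKNOWN_VALUES and hosting != "eu":
            findings.append((name, f"hosted outside the EU ({row['hosting_location']}): confirm transfer mechanism"))
        # Step 5: a stale or missing review date is a finding too.
        reviewed = row["last_reviewed"].strip()
        if not reviewed:
            findings.append((name, "never reviewed"))
        elif date.fromisoformat(reviewed) < today - REVIEW_INTERVAL:
            findings.append((name, f"review overdue (last {reviewed})"))
    return findings


def inventory_gaps(rows, discovered_apps):
    """Apps seen in OAuth/SSO signals but missing from the ROPA: the shadow-IT gap."""
    known = {row["system"].strip().lower() for row in rows}
    return [app for app in discovered_apps if app.strip().lower() not in known]


if __name__ == "__main__":
    rows = parse_ropa(ROPA_CSV)
    for system, finding in ropa_findings(rows, date(2026, 4, 1)):
        print(f"{system}: {finding}")
    print("not in ROPA:", ", ".join(inventory_gaps(rows, DISCOVERED_APPS)))
```

Run it against your own export (the same columns, one row per system) and the output is the to-do list the walkthrough promises: the forgotten file share shows up as a wall of "unknown" findings, the untouched Mailchimp list as an overdue review, and anything employees connected via SSO but never declared as a gap. The EU/US hosting check treats anything that is not "EU" as needing a transfer mechanism on record; adjust it if you track EEA countries or adequacy decisions separately.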
Where this method breaks: it records what people remember, not what exists. It will not find the forgotten CSV export or the app someone connected to Google Workspace last year. That gap is precisely what the paid tools close — which is why the honest upgrade trigger is stack size, not company revenue.
On open source: there is no credible open-source data discovery suite for this job. Open-source PII classifiers exist (Microsoft Presidio, for example), but they label personal data in text you feed them; they do not connect to your SaaS stack, enumerate systems, or produce a ROPA. The rest of open-source privacy tooling clusters around adjacent tasks: Klaro for cookie consent, self-hosted analytics, DSAR letter templates. If a "free GDPR scanner" promises full discovery, read what it actually scans (usually just your public website, not your systems).
How Discovery Fits Your Wider GDPR Stack
Data discovery is the foundation layer, not the whole building. A sane order of operations for a small business:
- Map first (this article). Everything else depends on knowing what you hold.
- Fix the visible surface. Cookie banner, privacy policy, forms — the things regulators and visitors see first. Compare options in our cookie consent tools guide.
- Stand up a DSAR process. The deadline is one month from receipt of the request (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month), and the clock starts when the request arrives, not when you notice it. The DSAR guide covers identity verification, exemptions, and response templates.
- Then consider platforms. Once the basics run manually, a combined platform from the GDPR compliance tools hub can consolidate the moving parts under one roof.
Doing it in this order means any tool you eventually buy automates a process you already understand — instead of hiding a process you never built.
Frequently Asked Questions
What is a GDPR data discovery tool?
A GDPR data discovery tool scans your systems — file servers, databases, SaaS apps, email — to find and classify personal data automatically. Most also generate the Article 30 records of processing (ROPA) and can locate an individual's data when you receive a subject access request.
How do I find all personal data my business holds?
Start by listing every system that touches customer, employee, or supplier information — CRM, email, accounting, HR, analytics, backups. For each, record what personal data it holds, why, and how long you keep it. Under roughly ten systems a spreadsheet works; beyond that, a discovery tool that connects to your SaaS stack saves days of manual auditing.
Are there free or open-source GDPR data mapping tools?
There is no polished free tool that automates discovery end to end. Free options are mostly templates: a spreadsheet ROPA like the walkthrough in this guide, the free ROPA templates several EU regulators publish, and limited free tiers from vendors such as Osano. Open-source projects cover adjacent jobs — Klaro for cookie consent, for example — rather than data discovery itself.
Who offers DSAR tools for EU-based companies processing personal data?
Most platforms in this guide — Osano, MineOS, Ketch, and Exterro — bundle DSAR handling with data discovery, which matters because you cannot answer an access request without knowing where the data lives. For the request workflow itself, deadlines, and identity checks, see our DSAR guide.
What are GDPR assessment tools, and are they the same thing?
GDPR assessment tools evaluate how compliant you are — questionnaires, gap analyses, DPIA templates — while discovery tools find the actual data. The assessment tools market overlaps heavily with discovery: most platforms in this comparison include assessment or DPIA modules. If you only need a self-assessment, start with a free checklist before paying for software.
Do small businesses need GDPR data discovery software?
Usually not at first. If you run fewer than about ten systems, a manual data map satisfies Article 30 and costs nothing but an afternoon. Buy a tool when you can no longer name every place customer data lives — typically past 15-20 SaaS apps, or once subject access requests start taking longer than a day to answer.
Map Your Data This Week, Not "Someday"
The spreadsheet method above plus our step-by-step checklist gets a small business from zero to a defensible GDPR baseline without buying anything.