How do I find and inventory all the PII my company stores across different systems?
Finding and inventorying personally identifiable information (PII) is a discovery and documentation exercise, not a one-time scan. The goal is a defensible map of what PII you hold, where it lives, why you have it, and how long you keep it. This effort is often called data mapping or a PII inventory, and it underpins nearly every privacy and records-management program.
Start with people and processes, not just technology
The most reliable way to find PII is to follow how it enters and moves through your organization. Interview the business units that collect personal data — HR, finance, customer service, marketing, IT — and ask what they gather, from whom, and where it ends up. This human-centered discovery surfaces data that automated tools miss, such as spreadsheets on shared drives, email attachments, and third-party services.
Inventory across all system types
PII rarely sits in one place. Plan to look across:
- Structured systems: databases, HR and payroll platforms, CRM and ERP systems.
- Unstructured stores: file shares, document repositories, email, collaboration tools, and backups.
- Endpoints and shadow IT: laptops, removable media, and cloud apps adopted without IT approval.
- Third parties: vendors, processors, and partners who hold data on your behalf.
Automated discovery and classification tools can help locate patterns like Social Security or account numbers, but treat their output as a starting inventory to be validated, not a complete answer.
Record what matters for each data element
For every collection of PII, document the data categories, the source, the systems and locations, the business purpose, the lawful basis or policy authority, who can access it, retention period, and disposition. Mapping data flows — including transfers to third parties and across borders — completes the picture.
Keep it living and tie it to retention
A PII inventory loses value the moment it goes stale. Assign ownership, review it on a schedule, and update it when systems or processes change. Linking each entry to a records retention schedule lets you defensibly dispose of PII you no longer need, which reduces both risk and storage cost.
Frameworks such as the NIST Privacy Framework and the records-management practices in ISO 15489-1 offer structured methods for identifying, mapping, and governing this information. For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). How do I find and inventory all the PII my company stores across different systems?. Records Management University. https://www.recordsmgmt.org/questions/how-to-find-and-inventory-pii-across-systems/
MLA
RM University Editorial. "How do I find and inventory all the PII my company stores across different systems?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-find-and-inventory-pii-across-systems/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?