> How do you automate personal data discovery, especially for already existing data?
You attach an owner id to every record, and make sure all your systems can dump all information they store according to owner id. To the extent existing systems don't, you fix them.
Hrm, did you expect me to design the output of an entire industry in an HN comment? I didn't say it was easy to do. But it is what must be done. My goal was not to provide code, but an outline, a very rough sketch, rough to the extent that it could fit in a pair of sentences. I guess in that sense the owl metaphor is accurate!
We've had two years to work on this. At my company, we've had entire teams spending significant fractions of their time over the last year prepping. As a result, we'll be ready when the switch flips.
I agree we are not using the same definition of data discovery. In my use case, you know a priori which user provided the data, you just need to plumb the information through to all downstream systems. This seems sufficient for GDPR as I understand it. I had not read your entire comment and did not realize you were promoting a system to try to do something like this automatically. I did not realize the initial question was rhetorical.
FWIW I would be worried about relying on such a system! But based on the description it seems helpful. What does it do about derivative data that doesn't directly contain any PII?
You attach an owner id to every record, and make sure all your systems can dump all information they store according to owner id. To the extent existing systems don't, you fix them.