The data visibility crisis IT teams aren’t talking about
In May 2025, Ireland’s Data Protection Commission hit TikTok with a €530 million fine after discovering that the company had been storing European user data on Chinese servers. TikTok didn’t even know this was happening until February 2025, three years into the regulatory inquiry. If a company with thousands of engineers can lose track of where its data lives, you can imagine how this plays out in environments with smaller IT teams and dozens of SaaS subscriptions.
According to a December 2025 Veeam survey, nearly 60% of IT leaders report reduced visibility into data locations as multi-cloud and SaaS environments expand. This isn’t a failure of diligence so much as what happens when environments get optimized for productivity and nobody’s minding the data map.
Data you don’t know about is data you can’t defend—and you definitely can’t produce it for auditors when they come asking. The good news is that you don’t need enterprise-grade tools to start getting a handle on it.
Every new integration widens the IT visibility gap
Data escapes your view in more ways than you can count. Cloud apps sync to local devices, users export reports to personal drives, backups create shadow copies that nobody inventoried, and AI tools ingest data that never went through your approval process. And once it’s out there, it multiplies.
For example, that marketing automation platform you approved last year might now connect to customer data you didn’t anticipate. Your accounting software may integrate with a document signing service that indefinitely stores executed contracts, quite possibly in a region you’ve never thought to ask about.
It’s not unusual for companies to discover entire file shares during routine access reviews. Most IT teams find out about these shadow data flows the hard way, whether that’s during an incident, an audit, or when a departing employee’s access review turns up surprises. By that point, whatever map you thought you had is already decidedly out of date.
Your existing licenses include data discovery tools
If you’re on Microsoft 365 E3 or Business Premium, you already have basic DLP capabilities for Exchange, SharePoint, and OneDrive that can identify and flag sensitive content like credit card numbers and Social Security numbers without additional licensing. Once you enable manual sensitivity labeling, users can classify data as they create it—and the Purview compliance portal shows you where that labeled content ends up and who’s accessing it.
If you’re a Google Workspace shop on Business Standard or higher, you may not realize you have a similar option. Data Protection Insights reports automatically scan Drive and Gmail for sensitive content without any DLP rules to configure. You can find quarterly reports in Admin Console > Security > Data Protection that show which sensitive files are shared externally.
When you export the list of connected applications from Okta, Azure AD, or Google Workspace, you might be surprised by what turns up. Apps that aren’t in your SSO represent visibility gaps worth investigating. If you don’t have centralized identity management yet, a browser extension audit across a sample of machines will likely reveal OAuth connections you never approved.
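One way to run that comparison, as an added example that is not part of the original article: reconcile an OAuth grant export against the SSO app catalog and rank unmanaged apps by whether they hold mail or file scopes. The CSV column names, app names, client IDs and users are constructed for illustration; real exports from Okta, Azure AD, or Google Workspace use their own layouts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (assumed column names, fictional apps and users).
SSO_CATALOG_CSV = """app_name,client_id
Salesforce,client-0001
Slack,client-0002
"""
OAUTH_GRANTS_CSV = """user,app_name,client_id,scopes
ana@example.com,Slack,client-0002,chat:write
ana@example.com,PDF Merge Pro,client-9001,https://www.googleapis.com/auth/drive
raj@example.com,PDF Merge Pro,client-9001,https://www.googleapis.com/auth/drive
raj@example.com,Meeting Notes AI,client-9002,Mail.Read Files.Read.All
lee@example.com,Font Picker,client-9003,openid email
"""

# Scopes that let a third-party app read mail or files (Google and Microsoft Graph).
DATA_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://mail.google.com/",
    "Mail.Read",
    "Files.Read.All",
}

def unmanaged_apps(catalog_csv, grants_csv):
    """List apps with OAuth grants that are absent from the SSO catalog."""
    managed = {row["client_id"] for row in csv.DictReader(io.StringIO(catalog_csv))}
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for row in csv.DictReader(io.StringIO(grants_csv)):
        if row["client_id"] in managed:
            continue  # already visible through SSO
        app = apps[row["client_id"]]
        app["name"] = row["app_name"]
        app["users"].add(row["user"])
        app["scopes"].update(row["scopes"].split())
    report = [
        {"client_id": cid, "name": a["name"], "users": sorted(a["users"]),
         "data_scopes": sorted(a["scopes"] & DATA_SCOPES)}
        for cid, a in apps.items()
    ]
    # Apps that can read data come first, then the ones with the most users.
    report.sort(key=lambda r: (not r["data_scopes"], -len(r["users"]), r["name"]))
    return report
```
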
Of course, some of this work can’t be automated, but that might not be a deal-breaker. Talking to the people who use the data often surfaces things no scan would catch. Rather than asking department heads where their data lives, which tends to produce shrugs, try asking them specifically where they store customer contact information, signed contracts, or financial reports. When what people say doesn’t line up with what your systems show, you’ve found where to focus first.
Purpose-built visibility tools for regulated environments
If you’re in a regulated industry or have outgrown manual tracking, you may need more specialized tools. Microsoft Purview Premium adds automatic classification and machine learning-based detection, while third-party options like Varonis and Spirion scan across cloud and on-prem environments to build data maps that continuously update. CASBs like Netskope or Microsoft Defender for Cloud Apps can surface shadow SaaS and monitor what’s flowing through approved applications.
You’ll need a decent budget and ongoing tuning to get the most from these tools. If you’ve done the manual work first, though, you’ll have a stronger case to make. Imagine walking into a budget meeting and being able to say you found 340 files containing customer SSNs in places nobody knew about, using tools that were sitting in your licensing agreement the whole time. That’s the kind of concrete finding that opens doors.
Whether or not you eventually get the green light to buy an enterprise solution, the manual work pays for itself. You’ll either make a compelling case for better tooling, or discover that what you already have is enough.
Prioritize the data regulators will ask about first
Perfect visibility probably isn’t achievable, and that’s okay. What matters is useful visibility, starting with data that carries real consequences if you lose track of it. If you’re in a regulated industry, or if you handle European customer data, knowing where sensitive information lives isn’t optional—but it’s also where visibility efforts pay off most clearly.
Map these data types first:
- Personally identifiable information (PII): customer names, addresses, contact information
- Protected health information (PHI): health records, insurance information
- Payment card information (covered by the Payment Card Industry Data Security Standard, or PCI DSS): payment card data, transaction records
- Access credentials: passwords, API keys, certificates
- Compliance-covered data: anything subject to GDPR, HIPAA, SOX, or industry regulations
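For file shares and exports that sit outside the built-in DLP coverage described earlier, a small local scan can produce a first map of these categories. The following is an added example, not the article's or any vendor's detection logic: it flags Social Security numbers, payment card numbers (Luhn-checked to cut false positives) and two common credential formats. The sample text is constructed; the card number is a standard test value and the access key is a documentation placeholder.

```python
import re
from collections import defaultdict
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
CRED_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b|-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")

# Constructed sample: one hit per category plus a card-like order number that fails Luhn.
SAMPLE = ("Customer SSN 123-45-6789\nCard 4111 1111 1111 1111\n"
          "key=AKIAIOSFODNN7EXAMPLE\nOrder 1234567890123456\n")

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def classify(text):
    """Return the set of sensitive-data categories detected in a text blob."""
    found = set()
    if any(ssn_plausible(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("PII:ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("PCI:card_number")
    if CRED_RE.search(text):
        found.add("credentials")
    return found

def scan_tree(root):
    """Walk a directory and map each category to the files that contain it."""
    inventory = defaultdict(list)
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skipped here; a real inventory would log it
        for category in classify(text):
            inventory[category].append(str(path.relative_to(root)))
    return dict(inventory)
```

The scan reads files as plain text, so office documents, PDFs and archives need text extraction first.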
Once you find sensitive data in places it shouldn’t be, you’ll need to decide what to do about it—sometimes moving files, sometimes deleting copies, sometimes having uncomfortable conversations with business units. Whatever you decide, you’ll want to document what you found and what you did about it in case you need to demonstrate due diligence later.
Build IT visibility into onboarding and offboarding
Last quarter’s inventory is likely already stale since most IT environments change too fast for one-time audits. So, instead of treating visibility as a standalone project, build it into processes you’re already running.
Onboarding and offboarding are natural places to start. When someone joins the company, document what they’ll have access to. When they leave, trace where their data handoffs go. These transitions are often when you discover the spreadsheets and local files that never made it into official systems.
How do you know when you’ve done enough? If you can confidently answer three questions for your top five data categories, you’re ahead of most shops your size:
- Where is our most sensitive data located?
- Who has access to it?
- How would we find it if we needed to produce it under time pressure?
Better data visibility is achievable, and it pays off
TikTok’s €530 million problem started with a visibility gap nobody noticed for three years. With a little preparation, you can avoid that path. Pick one data category—customer PII is usually a good starting point—and spend a few hours this month tracing where it actually lives.
Each category you map will give you more confidence about where your data is and who can reach it. That clarity makes everything else easier, from incident response to compliance audits to the next chat with the C-suite.