In order to comply with GDPR, companies have to take measures to protect the data they process. But first they have to actually find the data.