The next morning, on the train heading to the office, you remember something you wanted to try with the data. You access that cloud folder on your phone, do a little more analysis and then save the files.
When you get back to your desk, you download that file to your work desktop machine and continue working on the latest files.
Think of the ways that data can go astray and be out of reach for IT. Your home computer uses a consumer-grade backup service, and overnight, those files were copied to that service. That consumer-grade backup service has its own offsite backup mechanisms, along with a separate disaster recovery service. That file with sensitive PII about customers is now in all those locations.
That sensitive data was also on your phone. That data also gets automatically backed up to that handset manufacturer, which also has its own backup and disaster recover arrangements.
Two days later, an EU citizen (who happens to be one of your customers) submits a right to be forgotten request and your team eventually learns of it. They delete the references they can locate on key enterprise systems, including a half-dozen corporate cloud environments they know about.
But what about all of those other locations?