Integrating with Purpose: To Scan or Not to Scan

James Grieco
Sep 7, 2023

Tracking personally identifiable information (PII) is both one of the main challenges and one of the main requirements of many global data privacy regulations. Whether it is through a record of processing activities (RoPA) or a data protection impact assessment (DPIA), tracking PII through and across hundreds of data systems is at the heart of data compliance today.

Where that task gets challenging, even beyond its immense scope, is the point at which current data privacy software enters the picture. Despite an influx of solutions over the past few years to automate away the painstaking months of work required to manually assemble a data map, it still takes far too much overhead for most companies to discover all the types of sensitive personal data that their data systems process.

Why is this? Because privacy vendors' answer to the challenge of PII tracking is an exhaustive scan of every datapoint on a data source. 

These intensive API-enabled scans lead to highly accurate results that can capture errant data no matter how minute or entropic, but they consume a vast amount of time and resources. Simply put, an exhaustive full API scan is far from the ideal solution to the basic problem of determining what lies inside any data source. 

The MineOS team has long known that, thanks to our company’s unique story and experience on the consumer side of the data privacy industry. Companies want to comply with data regulations, but often do not know how to best execute compliance requirements or lack the resources to do so. In our early years, countless organizations told us this when they received Mine-originated DSRs on behalf of individual users.  

When companies need to quickly understand which systems hold which PII, full scans are rarely the answer, because they are too expensive and too slow. Understanding the purpose of each source and integration is key to changing this approach, because that can allow organizations to focus full integration on data sources that are at risk, and seek a less costly solution for systems where strict data governance isn’t needed, just visibility.

Of course, for any at-risk data source, integrations are encouraged. When you integrate MineOS with a data source to track PII inside of it, Mine can display results directly on the platform from a continuous scan for PII on that data source. And to help identify potential at-risk sources, Mine’s cyber posture matrices make it clear which systems you need to keep an eye on.

When a system’s risk profile doesn’t justify a full scan, Smart Data Sampling by MineOS is the best and most effective compromise. For systems you know don’t require governance, but where accurate PII visibility is the goal, our proprietary tech draws a sample size between 0.5% and 50% of the data within the data source to retrieve 100% of the data types it contains, with a confidence level of over 99%.

If you find something within the system that bears more investigation or requires the implementation of policy rules that alert to noncompliant data types, there is nothing stopping you from then running a full scan on a data source. Smart Data Sampling is a quick and effective way of running through the majority of any company’s data systems in a way that both demonstrates compliance for regulatory reasons and provides the organization with invaluable insights into their data environment.

Practicality in how to run a privacy program, a practicality that does not sacrifice oversight or effectiveness, is what powers MineOS and what separates us from the current slate of data privacy software. Opting for the costly process of scanning everything is far from the best way to arrive at the conclusions businesses need to achieve compliance.

In an era of exploding SaaS usage where nearly every company is running more than 100 systems, exhaustive scans and inflexible data privacy solutions fail to elicit one of the first questions organizations should ask when tracking PII: to scan, or not to scan?