PII Scan and Summary
June 23, 2023
Release Notes
We're pleased to announce the release of our new integration with RapidFire Tools' Compliance Manager GRC. This integration allows us to offer sensitive data scanning, a sensitive data summary, and visual indicators identifying where, among Workplace files, personally identifiable information (PII) is stored. The PII Scan and Summary report is the result of a Compliance Manager GRC sensitive data scan of all Workplace-stored data.
If you are a Workplace and Compliance Manager customer, your service provider can enable this integration by mapping your Workplace team to your Compliance Manager site. If they do, you'll see some new icons in your Workplace interface, and a new special report will be available to anyone on your team who has access to the Reports page.
Certain standards, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require identification of where PII is stored. Other standards, such as the Payment Card Industry Data Security Standard (PCI DSS), require that some types of information, such as cardholder data, be limited to the Cardholder Data Environment and segmented from the rest of the network. Depending on the level of PCI compliance, storage of cardholder data (such as credit card numbers) on drives is strictly prohibited. And the Health Insurance Portability and Accountability Act (HIPAA) requires that electronically stored protected health information (ePHI) be protected in specific ways.
Datto Workplace is, among other things, a secure, version-controlled, and logged file storage mechanism. As files (.doc, .docx, .xls, .xlsx, .txt) are uploaded from Windows, Mac, or iPhone/Android devices, or via web upload, they are processed, scanned, and logged before they're stored in Datto Workplace.
Compliance Manager GRC includes sensitive data scanning; it looks for PII (for GDPR and CCPA), ePHI (for HIPAA), and cardholder data (for PCI DSS).
The Compliance Manager Integration and the PII Scan and Summary that it provides augment the Datto Workplace pre-upload scanner with the Compliance Manager GRC deep file scanner. That scanner looks for PII, ePHI, and cardholder data in files uploaded to Workplace. If any such information is found, the file is tagged, in Workplace, with the specific information type, e.g. Date of Birth, License Number, etc.
When performing a compliance assessment, Workplace users can provide proof of data classification and protection. The integration queries Datto Workplace for all locations of sensitive data as well as which user uploaded the data. Then Compliance Manager GRC presents the findings to the Internal Auditor to determine if there are violations that should be addressed. Any issues will appear in the Plan of Action and Milestones.
With this integration, only newly created, modified, or downloaded files are scanned. The scan occurs when files are changed and/or uploaded to Datto Workplace. This means that during the compliance assessment process, a separate deep scan is unnecessary: the location and owner of sensitive data are available immediately, so you'll have deep scan data available on demand.