[barefoot]

Many small companies take this approach. Usually it’s lower-risk PII.

Some small companies will refuse to use generated data if it takes even a minute more to generate it vs import it from production. In the consulting world I’ve seen multiple examples of companies complaining bitterly about other security minded consultants efforts to improve security and privacy through even small amounts of additional development time.

[baroffoos]

I have seen it done in a small company to check if a query will run too slow in production. Take a copy of the biggest database. Run query, see what happens, delete copy.

[fooey]

It's probably more often that the query is just run against production in the first place.

Making a copy is probably more effort than most developers out in the wild are going to make.

[sroussey]

Not true. If you were to throw up a slow locking query in production, you could take down the site. Restoring a backup should be fast.