This is a legal question. DLP solutions will collect data such as state, HIPAA, PCI, Bank routing numbers, etc. I was told that one is REQUIRED to have the compliance model of anything you collect. This seems wrong. There is storage of data. There is transmit of data within the DLP system, but it seems like just to monitor for possible data means you are bound by it - that it is better to put your head in the sand and not know about it. It seems wrong to me to take this approach, but I have little legal background to argue this. The amount of data (hopefully) would be very low. Such instances are not used in transactions (hopefully). It just sits in the DLP system. Thoughts are appreciated.