Data loss prevention is one of those capabilities that tends to get prioritized reactively, specifically after some compliance violation surfaces, or a data leak makes its way into an incident report. By then, the damage is done; we don’t have any control over the data we lost anymore. The more practical approach is to intercept sensitive data before it leaves our application, at the point where text containing PII or other regulated information is about to be transmitted or stored somewhere downstream.
It’s easier said than done, of course. Building reliable text-based PII detection from scratch is pretty difficult. Sensitive data appears in unstructured text in unpredictable ways, and sensitive data refers to an extremely broad range of data types. The detection logic that works for one data type often doesn’t carry over to others. Health-related data in particular introduces its own layer of complexity, involving PHI categories that require specific recognition logic well beyond what general-purpose NLP approaches handle reliably.