First off, great post, really enjoyed reading it. Regarding Rafal's comment around production and dev/test environments... this is something that has always been a battle for me, strictly around the functional design in some of the applications to provide users the ability to load their own data into Dev/QA. Although users are educated to not load production data into these systems, we all know things get rushed, not properly reviewed, etc., and production data tends to leak into these systems. I am now looking/hoping to have the dev teams construct an administrative option in the applications to specify whether data masking is to be performed during the data load/massage stage. For me, this would be the best solution, so that even if applications are moved from production back to Dev/QA, the switch can simply be turned on and off.

Now there is also data that is "automatically" loaded into the Dev/QA environments by these applications with no user intervention. For these processes, data masking is automatically performed before the data even reaches the application, so the moment it reaches the Dev/QA environment you can be sure it's masked.

I also fully support and agree with the point around having a defined process in place on how to sanitize existing data, not just new data, as it traverses backward and forward. It should be part of the spec that is used when training users on data management.