@sarahjamielewis doing privacy analysis for living, this is a daily dilemma for me. I rather see the data not processed at all, but some has to be processed for functionality. Ideally an organization acknowledges the sensitivity of the data with both legal (policy) and technological mitigations. And I often see encryption deployed in an ineffective way.