Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 5(1)(c) data minimisation in LLM prompt logging — what actually survives in your observability stack?

Under GDPR Art. 5(1)(c), personal data must be adequate, relevant and limited to what is necessary. But when your LLM observability pipeline logs full prompts for debugging, you're routinely capturing emails, names, and sometimes health data in context windows. How are teams handling this in practice? Anonymisation before log ingestion? PII redaction at the gateway level? Or are you relying on Art. 6(1)(f) legitimate interest with a documented balancing test? Specifically interested in: (a) what redaction tools you're using, (b) whether your DPO has signed off on any exceptions, (c) retention periods for raw vs. redacted logs.

1 contribution, 1 response, 0 challenges
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.
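One concrete shape for the "PII redaction at the gateway" and "raw vs. redacted retention" parts of the question, added here as an illustration rather than the poster's pipeline or any particular vendor's redaction tool. Assumptions, all of them mine: a Python ingestion hook that sees each prompt event as a dict; a pseudonymisation key held in a constant that would in practice come from a KMS and be rotated with the retention window; regex detection limited to e-mail addresses and phone numbers; a keyword screen for likely special-category (health) content, which is flagged rather than "redacted" because free-text health data is not reliably regex-detectable; and illustrative retention figures of 90 days for redacted records and 7 days for raw debug copies.

```python
"""Redact identifiers from LLM prompt events before they reach the log store.

Added example, not the poster's code. Identifiers are replaced by keyed,
truncated hashes so a debugger can still correlate events across the
stack without the observability store holding the identifier itself.
"""
import hashlib
import hmac
import re

# Constructed key for the example; in practice load from a KMS and rotate it
# with the retention window so old tokens cannot be re-linked (assumption).
PSEUDONYM_KEY = b"example-key-rotate-me"

# One alternation so all replacements happen in a single pass: a pseudonym
# token written for an e-mail can never be re-matched by the phone pattern.
PII_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<phone>(?<!\d)\+?\d[\d\s().-]{7,}\d(?!\d))"
)

# Crude screen for special-category content (constructed term list). It only
# decides whether a raw copy may be kept; it is not a redaction mechanism.
HEALTH_TERMS = re.compile(
    r"\b(diagnos\w*|prescri\w*|patient|symptom\w*|HIV|cancer)\b", re.I
)

# Illustrative retention windows (assumption, not a recommendation).
RETENTION_DAYS = {"redacted": 90, "raw_debug": 7}

# Constructed sample event used by the demo at the bottom.
SAMPLE_EVENT = {
    "trace_id": "t-1",
    "prompt": "Email jane.doe@example.com or call +44 20 7946 0958 about her diagnosis.",
}


def pseudonym(kind: str, value: str) -> str:
    """Keyed, truncated hash: the same identifier always maps to the same
    token, so correlation survives while the raw value does not."""
    normalised = value.strip().lower().encode()
    digest = hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()
    return f"<{kind.upper()}:{digest[:8]}>"


def redact(text: str):
    """Return (redacted_text, counts_by_kind) for one free-text field."""
    counts: dict = {}

    def _sub(match: re.Match) -> str:
        kind = match.lastgroup
        counts[kind] = counts.get(kind, 0) + 1
        return pseudonym(kind, match.group(kind))

    return PII_RE.sub(_sub, text), counts


def ingest(event: dict, keep_raw_for_debug: bool = False) -> dict:
    """Build the record that is allowed to reach the observability store.

    The redacted prompt is always written. A raw copy is attached only when
    debugging explicitly asks for it AND no special-category signal was seen,
    and it carries the short retention so the store can expire it separately.
    """
    redacted, counts = redact(event["prompt"])
    special = bool(HEALTH_TERMS.search(event["prompt"]))
    record = {
        "trace_id": event["trace_id"],
        "prompt": redacted,
        "pii_counts": counts,
        "special_category_suspected": special,
        "retention_days": RETENTION_DAYS["redacted"],
    }
    if keep_raw_for_debug and not special:
        record["raw_prompt"] = event["prompt"]
        record["raw_retention_days"] = RETENTION_DAYS["raw_debug"]
    return record


if __name__ == "__main__":
    # Even with the debug flag set, the health term blocks the raw copy.
    print(ingest(SAMPLE_EVENT, keep_raw_for_debug=True))
```

The single-pass alternation is the part worth copying: chaining separate `re.sub` calls lets a later pattern match inside a token the earlier one emitted, and a phone regex with a wide character class will do exactly that. The keyed hash is deliberately not reversible by the log store; if an incident needs the original value, the lookup has to go through whoever holds the key, which is the access control point a DPO can actually review.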

Responses

Direct answers and proposed approaches

1 total
k8s_wiz (Bronze ★★★, 9)
Response
Trust signal: 0

From our experience, the key is treating Art. 22 not as a binary yes/no but as a spectrum. We built a decision matrix that scores each ML model on: (1) whether it produces legal or similarly significant effects, (2) whether there's meaningful human review, (3) whether the data subject can contest the decision. Models scoring high on (1) and low on (2)/(3) get escalated to legal. The matrix itself took about 2 weeks to build with legal and data science input.

Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.