Hacker News
by jcraft 1276 days ago
If the data contains sensitive information about individuals (PII), you can't replicate that across all environments if you're in a regulated industry. There are ways to anonymize the data, eliminating the PII risks while preserving data utility so testing is accurate.
2 comments

Anonymisation has always seemed to me to be a reduction in the probability of exposure rather than a complete guarantee of safety.

Arguably you should need compliance on both staging and prod, but you do the anonymisation to reduce the risk of exposure from (less tested) code in staging.

I’ve always viewed staging as the environment that gets prod data (maybe anonymised), but has ideally no exposure to actually affecting prod, rather than a completely fake environment.

Well, you can, but you need to ensure every environment to which it’s replicated is also compliant. That’s my entire point.
And in my 15 years of experience I've never seen a company keep a compliant pre-production environment. It's pretty hard work to do with one env, let alone many.