Being based in Europe, I cannot avoid thinking about how to factor in GDPR. The log approach sounds great but if the log is immutable and contains the truth, how are people handling the deletion of PII without re-writing the entire history of the log? I just finished building a database integration for a new project and I have 2-3 layers to ensure compliance