Hi,
That is quite true, but:
- All information is stored encrypted in the DLP database. It is accessible only through the Enforce UI, in which you can set a (not too bad) segregation which will prevent non-authorized people from viewing sensitive information (they can have access to general information (username, email, date ...) but not content, if you want).
- Technically speaking, you have to put your DB and Enforce server in a DMZ, to prevent any non-authorized access to the server.
You will detect incidents in DLP which have to be assessed by some people, and in order to do that they will need to identify data sensitivity and the context in which the action was performed. Of course, these people have to be trusted.
Regards.