Is that for someone going through the user interface, or is it a fundamental feature of the database (or whatever)? In other words, is there no case where someone could log into a server and see some PII in a debugger or a direct query without being detected?
This is both for people using tools and people accessing servers and databases directly.
Logging into production servers is audited and triggers alarms. There's basically no-one who has "root" level access to a large number of boxes (when I left in 2013 there were only a handful of people who could login to arbitrary boxes and systems were being built so that their access would no longer be necessary). Logging into a server that holds live data would be investigated and so would running a custom query against a production database. The goal was to have it basically impossible for an engineer or admin to directly access data on boxes to force people to use the tools.
The tools themselves had a great permission system as well as a way for users to elevate their permissions in emergency (triggering an investigation). It worked well because it was also easy to create dummy databases to develop on (for example by requesting a database extract of your own location data).
In my career to date I have yet to see a more privacy conscious / secure approach to handling customer data.
