When you really start considering all the possibilities, it starts spiralling quickly.

What will really need to occur, is a shift in the way the applications are written. They will need to use as little SPII data as possible to pull result sets, and then users should have varying levels or rights, limiting the exposure to the SPII data and minimizing the Audit footprint. But that would be a HUGE shift in the coding of applications.

SPII - Sensitive Personally Identifiable Information